Developing Dashboards, Views, and Apps for Splunk Web

 


Forms: an introduction

This documentation does not apply to the most recent version of Splunk.

This section of the Developer Manual is all about form searches. If you're interested in building your own form search, read through the topics in this section sequentially. Each topic in this section explains how to build a form search step-by-step. The final topic has several form search examples. You can find more examples in the Sample app, or the UI Examples app on Splunkbase.

What is a form search?

A form search is a view -- a page in Splunk Web customized by you. Form searches let you present a simplified search interface. Instead of requiring your users to type in a full search string every time they want to search, form searches alias out parts of your search. For example, a tier 1 help desk support team may always search on serial number and user name. You can create a form search that only shows an input for a serial number and a user name so that whenever a tier 1 representative gets a call, he or she can input just the relevant search terms.

Once you build and name your form search, you can navigate to its URI:

http://localhost:8000/en-US/app/<app_name>/<form_search_name>

(Replace localhost:8000 with your Splunk host and port.)

Form searches are objects that live within apps. This means you can set permissions on your form search the same way you can with a saved search, event type or other object.

How to build form searches

Form searches let you alias out pieces of your search as tokens, so users only need to type in a search term for each token. For example, here's a form search from the Sample app. This example searches for a "from" email address in sendmail data:

[Screenshot: Sampleformsearch.png]

Form searches are built on fields or other identifiable parts of your data. First, build a search that fits your data and use case. Then, identify which parts of this search can be aliased out and hidden from your user. Finally, build a form search view or embed your form search in a dashboard.

The Sample app in App builder contains three example form searches. One of these is the example above -- a basic search built on the "from" field in sendmail events. The other two examples contain dynamically populated radio buttons and drop-downs. These two form search views present different options in the radio buttons and drop-downs depending on your data. Adapt these examples to fit your use case.

Types of form search views

There are three different types of form search views, all building on the same basic concept described above.

Simple form search

The most basic form search is one or more text input boxes as described above. These simple form searches are built on the same simple XML syntax as the dashboards described in the previous section.

Dynamic form search

Form searches can contain more than search boxes for text input. Build form searches with drop-downs or radio buttons that display choices created by a different search. These form searches are called dynamic form searches because the choices are dynamically populated from a search.

Advanced form search

Not all the options for configuring a form search are exposed in the simplified XML syntax discussed in this section. If you're comfortable with Splunk's XML syntax, you can build a more sophisticated form search with the ExtendedFieldSearch module. We recommend that you start with the simplified XML and move on to the advanced XML only if there are options you cannot enable with the simple syntax. To learn more about building an advanced form search, see the topic How to build an advanced form search.

You can always translate your simplified XML into advanced XML by navigating to your view's source page:

http://localhost:8000/<app_name>/<view_name>?showsource=true

(Replace localhost:8000 with your Splunk installation host and port.)

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.
