Step 1: create a form

Step 1: create a form

You can create form templates using Splunk's simplified XML. For example, you can clone an existing form template and modify it according to your needs. However, if your form requires advanced XML you currently cannot convert the simplified XML to advanced XML. Instead, implement the form entirely in advanced XML. If you convert a form implemented in simplified XML using the showsource URI, the form fails when performing a search.

Use Splunk's XML syntax

Create your form search's XML file either through Splunk Manager or through the underlying file system.

In Splunk Manager

1. From Splunk Web, navigate to Manager.

2. Click User Interface.

3. Click Add new next to views to create a new view.

4. Follow the instructions on the new view page and enter XML in the format described below.

For example, if you want to add a new view to the Search app, navigate to the Search app in Splunk Web and then click the Manager link in the upper right-hand corner, then click Views. You'll see a list of existing views, which you can clone if you want to copy and make changes to an existing view. To create an entirely new view, click New.

In Splunk's file system

1. Create your view XML file directly in your app via the file system.

2. Make sure your form search's XML file goes in $SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/views/.

XML configuration

Once you've created a file for your form search, add XML to structure the form search. Start by creating a form element and setting a label attribute. The label shows up in the drop-down menu in Splunk Web. Form search names can contain spaces, alphanumeric characters, underscores or dashes.

This example creates an empty form search page, which has the standard Splunk header, navigation and a label of "My form search":

<form>
  <label>My form search</label>
</form>

Now you're ready to add content to your form search by adding a search template.

Build a simple form search

This is the simplest possible way to build your form search. There are more options presented in the following topics, so read through this section to get more details on building more complex form searches.

First, use the searchTemplate attribute to create the search that runs behind the form. Then put dollar signs around the term (or terms) that will get user input:

<form>
  <label>My form search</label>
  <searchTemplate>put your search here $term$</searchTemplate>
...
</form>

You can put any kind of search here, as long as you surround the term that you want to replace via the form with $.

Then, to add a form to your page, wrap an input type attribute with a fieldset element:

<form>
  <label>My form search</label>
  <searchTemplate>put your search here $term$</searchTemplate>

  <fieldset>
    <input type="text" token="username" />
  </fieldset>
...
</form>

This will create a form in your page to take user input.

For example, this snippet creates a form that takes in a value of username:

<form>
    <label>My form search</label>
    <searchTemplate>$username$</searchTemplate>

    <fieldset>
        <input type="text" token="username" />
    </fieldset>
    
...

</form>

Important notes about XML

There are a few things you should note about XML, especially if you've never worked with it before. Please read through this section -- it will make your whole view building experience more pleasant.

XML escaped characters

There are five characters that are not supported in XML. These are ", ', <, > and &. You must escape them much like URL encoding:

"

'

<

>

&

Schemas and editors

Many XML editors will let you load a schema -- DTD, XSD, Relax, RelaxNG are just a few different types of schemas. Schemas are useful for validating your XML and also for providing you with guidelines while building an XML file. Splunk contains RelaxNG formatted schemas for views, from dashboards to form searches to advanced XML views. Read more about how to use Splunk's schemas in the Use schemas topic in this manual.

• Was this topic useful?
• Post a comment