Developing Dashboards, Views, and Apps for Splunk Web

Form search examples

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk.


These three examples show how to build different types of form searches using Simplified XML. There are additional examples in the UI examples app, available from Splunkbase.

Simple table

This example shows how to create a simple form that searches for one field, sourcetype. Results from the search are displayed as a table with 50 rows maximum.


(Screenshot: Form1.png)


1. Create the form, give it a label, and specify the searchTemplate -- the search that is the basis for the form:

<form>
  <label>Simple table</label>
  <searchTemplate>
    index=_internal source=*metrics.log group=per_sourcetype_thruput 
    series="$sourcetype$" | head 1000
  </searchTemplate>
  <earliestTime>-30d</earliestTime>
  <latestTime>-0d</latestTime>
...


2. (Optional) Add an HTML panel to display useful information -- for example, instructions on how to create a search:

  . . .
  <html>
    Enter a <code>sourcetype</code> in the field below. 

    This view returns the most recent 1000 events from the metrics log 
    referring to that <code>sourcetype</code>.
  </html>
  . . .


3. Set up an input. This example creates an input box that replaces the $sourcetype$ token in the searchTemplate above.

  . . .
  <fieldset>
      <input token="sourcetype" />
  </fieldset>
  . . .


4. Display the results in a table.

  . . .
  <row>
      <table>
        <title>Matching events</title>
        <option name="count">50</option>
      </table>
  </row>
</form>


Multiple inputs

This example shows how to take multiple inputs to build a form search. It also shows how to add a time range picker, which allows users to pick a time range for their search.

(Screenshot: Form2.png)


1. Set up a searchTemplate that creates two tokens:

$series$
$otherFilter$

The search does not include time specifications – users can select from the time range picker:

<form>
  <label>Multiple inputs</label>
  <searchTemplate>
    index=_internal source=*metrics.log 
    group="per_sourcetype_thruput" series=$series$ $otherFilter$ 
    | fields eps, kb, kbps
  </searchTemplate>


2. Create a text box; upon first load, the box populates with 'splunkd'. If the user leaves the box empty, then the search uses '*'. This example always prefixes the token 'otherFilter' with 'eps>' – if no value is entered, 'eps>-1' is inserted. Specify the time range picker.

  <fieldset>
      <input type="text" token="series">
        <label>sourcetype</label>
        <default></default>
        <seed>splunkd</seed>
        <suffix>*</suffix>
      </input>
      <input type="text" token="otherFilter">
        <label>events per second greater than:</label>
        <prefix>eps></prefix>
        <default>-1</default>
        <seed>0</seed>
      </input>
      <input type="time" />
  </fieldset>


3. Display the results in a table showing 20 rows per page. A pager allows users to navigate through the results.

  <row>
      <table>
        <option name="showPager">true</option>
        <option name="count">20</option>
      </table>
  </row>
</form>

Inverted flow

This form search is built backwards -- the input comes first and then feeds two separate charts and one table. Each chart and the table is built from its own search: every panel has a searchTemplate that uses the 'sourcetypeToken' text box input.

This example is useful for rendering pages that collate disparate searches that share a common search keyword/token.

(Screenshot: Form3.png)


1. Define a common form search input that all panels use:

<form>
  <label>inverted flow, panel-defined search</label>
  <fieldset>      
      <input type="text" token="sourcetypeToken">
          <label>sourcetype</label>
          <default>*</default>
          <seed>splunkd</seed>
      </input>

      <input type="time" />

  </fieldset>

. . .


2. Create two separate charts, each with a searchTemplate that uses the $sourcetypeToken$ input from the form search above.

 
  <row>
      <chart>
          <title>KB Indexed over time</title>
          <searchTemplate>
             index=_internal source=*metrics.log Component=metrics 
             group="per_sourcetype_thruput" series="$sourcetypeToken$" 
             | timechart sum(kb)
          </searchTemplate>
          <option name="charting.chart">column</option>
          <option name="charting.primaryAxisTitle.text">Sourcetype</option>
          <option name="charting.secondaryAxisTitle.text">KB Indexed</option>
          <option name="charting.legend.placement">none</option>
      </chart>

      <chart>
          <title>Average events per second over time</title>
          <searchTemplate>
             index=_internal source=*metrics.log Component=metrics 
             group="per_sourcetype_thruput" series="$sourcetypeToken$" 
             | timechart avg(eps)
          </searchTemplate>
          <option name="charting.chart">area</option>
          <option name="charting.chart.stackMode">stacked</option>
          <option name="charting.primaryAxisTitle.text">Sourcetype</option>
          <option name="charting.secondaryAxisTitle.text">Events per second</option>
          <option name="charting.legend.placement">none</option>
      </chart>
  </row>


3. Display further results in a table, also using a searchTemplate that takes the $sourcetypeToken$ input from the form search:

  <row>
      <table>
          <title>average kbps over time</title>
          <searchTemplate>
             index=_internal source=*metrics.log Component=metrics 
             group="per_sourcetype_thruput" series="$sourcetypeToken$" 
             | timechart avg(kbps)
          </searchTemplate>
          <option name="count">20</option>
      </table>
  </row>
  
</form>
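The substitution rules described in the "Multiple inputs" example (an empty box falls back to the default, then the prefix and suffix wrap the value) and the per-panel searchTemplates of the "Inverted flow" example are easy to get wrong when writing a form by hand. The following Python script is an added example, not code from Splunk or from this manual: it parses a form with the standard library's xml.etree, resolves every $token$ the way the text describes, and returns the search each panel would run. The form embedded in it is a constructed, condensed version of the page's own examples, and the resolution rules are this script's reading of the text, not Splunk's implementation.

```python
"""Resolve Simplified XML form tokens into the searches each panel would run."""
import re
import xml.etree.ElementTree as ET

# Constructed sample form, condensed from the page's "Multiple inputs" and
# "Inverted flow" examples (assumption: not a file shipped by Splunk).
FORM_XML = """
<form>
  <label>Token resolution demo</label>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"
    series=$series$ $otherFilter$ | fields eps, kb, kbps
  </searchTemplate>
  <fieldset>
    <input type="text" token="series">
      <label>sourcetype</label>
      <default></default>
      <seed>splunkd</seed>
      <suffix>*</suffix>
    </input>
    <input type="text" token="otherFilter">
      <label>events per second greater than:</label>
      <prefix>eps></prefix>
      <default>-1</default>
      <seed>0</seed>
    </input>
    <input type="time" />
  </fieldset>
  <row>
    <chart>
      <title>KB Indexed over time</title>
      <searchTemplate>
        index=_internal source=*metrics.log group="per_sourcetype_thruput"
        series="$series$" | timechart sum(kb)
      </searchTemplate>
    </chart>
  </row>
</form>
"""

TOKEN_RE = re.compile(r"\$(\w+)\$")


def child_text(elem, tag):
    """Text of a direct child element, stripped; '' when the child is absent or empty."""
    node = elem.find(tag)
    return (node.text or "").strip() if node is not None else ""


def load_inputs(form):
    """Map token name -> {default, seed, prefix, suffix} for every input that has a token."""
    inputs = {}
    for inp in form.iter("input"):
        token = inp.get("token")
        if token is None:  # <input type="time"/> carries no token
            continue
        inputs[token] = {k: child_text(inp, k) for k in ("default", "seed", "prefix", "suffix")}
    return inputs


def resolve_token(spec, value):
    """Empty input falls back to <default>; <prefix>/<suffix> then wrap the value verbatim."""
    if not value:
        value = spec["default"]
    return spec["prefix"] + value + spec["suffix"]


def render(template, inputs, values):
    """Substitute every $token$ textually; tokens with no matching input are left as-is."""
    def sub(match):
        name = match.group(1)
        if name not in inputs:
            return match.group(0)
        return resolve_token(inputs[name], values.get(name))
    return " ".join(TOKEN_RE.sub(sub, template).split())  # collapse layout whitespace


def first_load_values(inputs):
    """What the boxes hold on first load: each text input is pre-filled with its <seed>."""
    return {name: spec["seed"] for name, spec in inputs.items()}


def panel_searches(form_xml, values):
    """Return {'form' or panel title: rendered search} for every searchTemplate in the form."""
    form = ET.fromstring(form_xml)
    inputs = load_inputs(form)
    out = {}
    top = form.find("searchTemplate")
    if top is not None:
        out["form"] = render(top.text, inputs, values)
    for row in form.findall("row"):
        for panel in row:  # chart, table, ... each may carry its own searchTemplate
            tmpl = panel.find("searchTemplate")
            if tmpl is not None:
                out[child_text(panel, "title") or panel.tag] = render(tmpl.text, inputs, values)
    return out


if __name__ == "__main__":
    seeds = first_load_values(load_inputs(ET.fromstring(FORM_XML)))
    for label, search in panel_searches(FORM_XML, seeds).items():
        print(f"{label}: {search}")
    for label, search in panel_searches(FORM_XML, {"series": "", "otherFilter": ""}).items():
        print(f"{label} (empty boxes): {search}")
```

Running it with the seed values yields `series=splunkd* eps>0` in the form search, and with both boxes empty `series=* eps>-1`, which is the behaviour the text describes. Because the substitution is purely textual, the quoting in the template decides how the value is parsed: the form-level template above uses a bare `series=$series$` and relies on the `*` suffix, while the chart panel quotes `series="$series$"` as the "Simple table" example does. The script makes that difference visible for any input rather than leaving it to be discovered on the dashboard.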

This documentation applies to the following versions of Splunk: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
