Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Create a simple form search

You create a simple form search much the same way you create a dashboard, as described in "Create a dashboard" earlier in this manual. You can do any of the following:

  • Create a dashboard using the Splunk Dashboard Editor, then modify the XML to create a form search.
  • Use the Splunk Manager to create a form search from a new view.
  • Clone an existing form search and modify it.
  • Create a form search from an XML file.

Refer to "Create a dashboard from an XML file" for information on how to create a form search directly from an XML file. The process is the same.

This topic first shows how to create and modify a dashboard to create a form search. It then shows how to create a form search using Splunk Manager. Subsequent topics show various steps for creating a form search using Simplified XML.

Modify a dashboard to create a form search

"Create and edit simple dashboards" in the Splunk User Manual details how to create dashboards using the Splunk Dashboard Editor. This topic walks you through creating a basic dashboard that you later convert to a form search.

1. In the Splunk Web Search app, go to Dashboards & Views > Create dashboard.

Provide an ID and Name for the dashboard.

2. Enable editing and click New panel. Specify the following:

  • Title: My Form Search
  • Search command: Inline search string
  • Earliest time: -7d
  • Latest time: now
  • Search:

index=_internal source=*metrics.log group="per_sourcetype_thruput" | fields eps, kb, kbps

3. Click Save to view the new dashboard. The dashboard lists the results of the search.

Use this search as the base of a form search. At this point the dashboard has a hardcoded search and a hardcoded time range for results.

In the following steps, you convert the dashboard to a form search. The form uses the specified search as its base, and the user supplies an additional search term that is added to the query. You also add a TimePicker to the form so that the user can modify the time range.

4. Enable editing for the dashboard and click Edit XML. This is the generated Simplified XML for the dashboard:

<dashboard>
  <label>Dashboard to convert to Form Search</label>
  <row>
    <table>
      <searchString>
        index=_internal source=*metrics.log group="per_sourcetype_thruput"
        | fields eps, kb, kbps
      </searchString>
      <title></title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</dashboard>

5. Change the <dashboard> tags to <form> tags. Move the search from a <searchString> element in the dashboard to a <searchTemplate> element in the form.

<form>
  <label>Dashboard to convert to Form Search</label>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"  
    | fields eps, kb, kbps
  </searchTemplate>

  <row>
    <table>
      <title></title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>

6. Modify the search to include a series field token ($series$). Add a text box for the user to specify the series field.

The field set in this example specifies a label for the text box, a seed value for the text box, and a suffix value to append to each user-supplied value.

<form>
  <label>Dashboard to convert to Form Search</label>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"
    series=$series$
    | fields eps, kb, kbps
  </searchTemplate>
  
  <fieldset>
    <input type="text" token="series">
      <label>sourcetype</label>
      <default></default>
      <seed>splunkd</seed>
      <suffix>*</suffix>
    </input>
  </fieldset>

  <row>
    <table>
      <title></title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>

7. Remove the hardcoded time fields from the <table> element, and add the default Splunk TimePicker to the field set. Also, add the pager and count options to the table.

<form>
  <label>Dashboard to convert to Form Search</label>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"
    series=$series$
    | fields eps, kb, kbps
  </searchTemplate>
  
  <fieldset>
    <input type="text" token="series">
      <label>sourcetype</label>
      <default></default>
      <seed>splunkd</seed>
      <suffix>*</suffix>
    </input>
    
    <input type="time" />
  </fieldset>

  <row>
    <table>
      <option name="showPager">true</option>
      <option name="count">20</option>
    </table>
  </row>
</form>
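
The following linter is an added example, not part of the original Splunk documentation and not Splunk code. It checks a form built with steps 5 to 7 for tokens in <searchTemplate> that have no matching <input>, inputs that are never referenced, tokens placed outside double quotes (as in series=$series$, unlike from="$from$" in the Splunk Manager example later in this topic), and time ranges still hardcoded in a panel. The function name, the finding labels, and the $host$ token in the sample are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

TOKEN_RE = re.compile(r"\$(\w+)\$")

# Constructed sample: the step 6 form from this page, plus a $host$ token
# (hypothetical) that has no <input>, so the linter has something to report.
SAMPLE_FORM = """<form>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"
    series=$series$ host="$host$"
    | fields eps, kb, kbps
  </searchTemplate>
  <fieldset>
    <input type="text" token="series">
      <label>sourcetype</label>
      <seed>splunkd</seed>
      <suffix>*</suffix>
    </input>
  </fieldset>
  <row>
    <table>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>"""

def lint_form(xml_text):
    """Return a sorted list of (check, detail) findings for one <form> view."""
    root = ET.fromstring(xml_text)
    template = root.findtext("searchTemplate") or ""
    used = set(TOKEN_RE.findall(template))
    defined = {i.get("token") for i in root.findall("./fieldset/input")} - {None}
    findings = {("undefined-token", t) for t in used - defined}
    findings |= {("unused-input", t) for t in defined - used}
    # Assumption: token values are inserted into the search as plain text, so
    # an unquoted value containing a space is read as several search terms.
    for m in TOKEN_RE.finditer(template):
        if template[:m.start()].count('"') % 2 == 0:  # even count: not in quotes
            findings.add(("unquoted-token", m.group(1)))
    # Step 7 removes hardcoded time ranges; report any that remain.
    for tag in ("earliestTime", "latestTime"):
        if next(root.iter(tag), None) is not None:
            findings.add(("hardcoded-time", tag))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in lint_form(SAMPLE_FORM):
        print(check, detail)
```
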

Use Splunk Manager to create a form

This topic shows how to create a form search directly from a new view created in Splunk Manager. Subsequent topics illustrate the various steps in creating the form search.

1. Go to Manager > User interface > Views.

2. Click New and specify the following:

  • Destination app: Select an app from the dropdown list of all available apps in your Splunk instance.
  • View name: Specify a name for the dashboard. The name you specify becomes a node in the path to the dashboard. Only alphanumeric characters and '-' and '_' can be used.
  • View XML: Specify the Simplified XML to create your dashboard. The following is the minimal XML to create a form search. It specifies a sample search command with a token, uses a text field to specify values for the token, and displays the results in a table:
<form>
  <label>Sample form search</label>
  <searchTemplate>index=sample from="$from$"</searchTemplate>
  <fieldset>
      <input type="text" token="from" />
  </fieldset>
  <row>
      <event>
            <title>Results</title>
            <option name="count">50</option>
      </event>
  </row>
</form>
  • Click Save.

3. (Optional) Modify permissions.

By default, the form you create from Splunk Manager is private. In the Views page of Splunk Manager, click Permissions for your form to specify an app (or all apps) for the dashboard and to set permissions for users of the dashboard.

Form tags

The following table describes the tags used in the previous example to define a form search.

| Tag | Description |
| --- | --- |
| <form> | Required to define a form. |
| <label> | Optional, to display a title for the form. |
| <fieldset> | Required, defines the user input (<input ...>) for the form. The example above specifies a text box. |
| <row><panelType> | Required. |

Rows contain the panels in the form. You can have up to three panels in a row.

Panels provide visualizations for the results from a search. The example above specifies an event listing. You can specify any of the panel visualizations, as described in "Adding panels to a dashboard".

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
