Splunk® Enterprise

Dashboards and Visualizations

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Build and edit forms with simple XML

A form is a Splunk view similar to a dashboard, but provides an interface for users to supply values to one or more search terms, typically using text boxes, dropdown menus, or radio buttons. A form shields users from the details of the underlying search – it allows users to focus only on the terms for which they are searching and the results. The results can be displayed in tables, event listings, or any of the visualizations available to dashboards.

About form searches

Form searches are built on fields or other identifiable parts of your data. Typically, you first build a search that fits your data and use case. Then, identify the parts of this search that can be specified by the user. Finally, build a form search view (or embed your form search in a dashboard).

Form searches use tokens for search fields that accept user data. When a user types in a search term of a form, the token is replaced with the user input. For example, the following form search provides a textbox to specify the value for series in a search. Here is the underlying search for this form:

index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ | fields eps, kb, kbps


Sampleformsearch1.png


Here is the simple XML implementing the form search. The token $series$ represents the text entered by the user in the text box. The form also includes the default Splunk TimePicker to allow the user to select a time range for the search.

<form>
  <label>Sample form</label>
  
  <!-- define master search template                              -->
  <!-- leave time unbounded so that the time input can be used    -->
  <!-- $series$ is the token replaced by the input in the textbox -->
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ 
    | fields eps, kb, kbps
  </searchTemplate>

  <fieldset>
      
      <!-- Create a text box; token is "series"                         -->
      <!-- label: Label for the text box                                -->
      <!-- default: A default value is not specified                    -->
      <!-- seed: Upon first load, the text box specifies 'splunkd'      -->
      <!-- suffix: All tokens are followed by a *                       -->
      <!--         If user does not specify text, then search uses '*'  -->
      <input type="text" token="series">
        <label>sourcetype</label>
        <default></default>
        <seed>splunkd</seed>
        <suffix>*</suffix>
      </input>
      
      <!-- Add default TimePicker -->
      <input type="time" />
      
  </fieldset>
  
  <row>
    
      <!-- Show results as a table -->
      <table>
        <option name="showPager">true</option>
        <option name="count">20</option>
      </table>
      
  </row>
  
</form>


The Splunk sample app contains several example form searches. An example similar to this example, plus two others that contain dynamically populated radio buttons and drop downs. The dynamic form search views present different options in the radio buttons and drop downs depending on your data. Adapt these examples to fit your use case.

Types of form search views

There are three different types of form views:

  • Simple form search The most basic form, a simple form search contains one or more text input boxes. Simple form searches use Splunk's simple XML, which is also used to create Build and edit dashboards with simpleXML described in the previous section.
  • Dynamic form search Form searches contain drop-down lists or radio buttons that display choices created by different searches. The available choices are dynamically populated from these searches. Use simple XML to create dynamic form searches.
  • Advanced form search Use Splunk's Advanced XML to build complex form searches. The ExtendedFieldSearch module documentation describes features available in advanced form searches. Splunk recommends that you start with the simple XML and move on to the advanced only if there are options you cannot enable. To learn more about building an advanced form search, see the topic How to build an advanced form search.

Dynamic Drilldown

New with Splunk 5.0, you can specify custom drilldown actions in simple XML using the <drilldown> tag. Within the <drilldown> tag you specify links to another dashboard, form, or to any external website. The value upon which the user clicks is passed to a linked form or external website.

Refer to Dynamic drilldown in dashboards and forms for details.

Simple XML and advanced XML

Most of the documentation in this section describes creating and editing forms using simple XML. Refer to Overview of simple XML for an introduction to simple XML syntax for creating dashboards and forms. See the Splunk Panel Reference for details on specifying visualizations for panels.

Simple XML sits on top of Splunk's Advanced XML implementation. Complex forms might need to leverage functionality only available from advanced XML.

You can always convert simple XML to advanced XML. However, you cannot later go back to simple XML. Splunk recommends that you start advanced projects in simple XML, and then convert them later to advanced XML to add the more complex features. About Advanced XML provides details on editing advanced XML.

To convert a dashboard or form from simple XML to advanced XML navigate to the showsource URI for that dashboard or form. For example:

http://localhost:8000/en-US/app/<app_name>/<dashboard_name>?showsource=true
PREVIOUS
Build and edit dashboards with simple XML
  NEXT
Dynamic drilldown in dashboards and forms

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters