Splunk® Enterprise

Dashboards and Visualizations


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Form examples

This topic walks you through the steps for creating various types of forms.

Create a simple form search

You create a simple form search much the same way you create a dashboard, as described in "Create the dashboard" earlier in this manual. You can do any of the following:

  • Create a dashboard using the Splunk Dashboard Editor, then modify the XML to create a form search.
  • Use the Splunk Manager to create a form search from a new view.
  • Clone an existing form search and modify it.
  • Create a form search from an XML file.

Refer to "Create a dashboard from an XML file" for information on how to create a form search directly from an XML file. The process is the same.

This topic first shows how to create and modify a dashboard to create a form search. It then shows how to create a form search using Splunk Manager. Subsequent topics show various steps for creating a form search using simple XML.

Modify a dashboard to create a form search

"Create and edit dashboards via the UI" in the Splunk Data Visualizations Manual details how to create dashboards using the Splunk Dashboard Editor. This topic walks you through creating a basic dashboard that you later convert to a form search.

1. In the Splunk Web Search app, go to Dashboards & Views > Create dashboard.

Provide an ID and Name for the dashboard.

2. Enable editing and click New panel. Specify the following:

  • Title: My Form Search
  • Search command: Inline search string
  • Earliest time: -7d
  • Latest time: now
  • Search:

index=_internal source=*metrics.log group="per_sourcetype_thruput" | fields eps, kb, kbps

3. Click Save to view the new dashboard. The dashboard lists the results of the search.

Use this search as the base result of a form search. This dashboard has a hardcoded search and a hardcoded time range for results.

In the following steps, you convert the dashboard to a form search that uses the specified search as the base of a form search, with the user adding an additional search term to the search query. The user can also modify the time range by adding a TimePicker to the search.

4. Enable editing for the dashboard and click Edit XML. This is the generated simple XML for the dashboard:

<dashboard>
  <label>Dashboard to convert to Form Search</label>
  <row>
    <table>
      <searchString>
        index=_internal source=*metrics.log group="per_sourcetype_thruput"  
       | fields eps, kb, kbps
      </searchString>
      <title></title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</dashboard>

5. Change the <dashboard> tags to <form> tags. Move the search from a <searchString> element in the dashboard to a <searchTemplate> element in the form.

<form>
  <label>Dashboard to convert to Form Search</label>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"  
    | fields eps, kb, kbps
  </searchTemplate>

  <row>
    <table>
      <title></title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>

6. Modify the search to include a series field token ($series$). Add a text box for the user to specify the series field.

The field set in this example specifies a label for the text box, a seed value for the text box, and a suffix value to append to each user-supplied value.

<form>
  <label>Dashboard to convert to Form Search</label>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"
    series=$series$
    | fields eps, kb, kbps
  </searchTemplate>
  
  <fieldset>
    <input type="text" token="series">
      <label>sourcetype</label>
      <default></default>
      <seed>splunkd</seed>
      <suffix>*</suffix>
    </input>
  </fieldset>

  <row>
    <table>
      <title></title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>

7. Remove the hardcoded time fields from the <table> element, and add the default Splunk TimePicker to the field set. Also, add the pager and count options to the table.

<form>
  <label>Dashboard to convert to Form Search</label>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"
    series=$series$
    | fields eps, kb, kbps
  </searchTemplate>
  
  <fieldset>
    <input type="text" token="series">
      <label>sourcetype</label>
      <default></default>
      <seed>splunkd</seed>
      <suffix>*</suffix>
    </input>
    
    <input type="time" />
  </fieldset>

  <row>
    <table>
      <option name="showPager">true</option>
      <option name="count">20</option>
    </table>
  </row>
</form>

Use Splunk Manager to create a form

This topic shows how to create a form search directly from a new view created in Splunk Manager. Subsequent topics illustrate the various steps in creating the form search.

1. Go to Manager > User interface > Views.

2. Click New and specify the following:

  • Destination app: Select an app from the dropdown list of all available apps in your Splunk instance.
  • View name: Specify a name for the dashboard. The name you specify becomes a node in the path to the dashboard. Only alphanumeric characters and '-' and '_' can be used.
  • View XML: Specify the simple XML to create your dashboard. The following is the minimal XML to create a form search. It specifies a sample search command with a token, uses a text field to specify values for the token, and displays the results in a table:
<form>
  <label>Sample form search</label>
  <searchTemplate>index=sample from="$from$"</searchTemplate>
  <fieldset>
      <input type="text" token="from" />
  </fieldset>
  <row>
      <event>
            <title>Results</title>
            <option name="count">50</option>
      </event>
  </row>
</form>
  • Click Save.

3. (Optional) Modify permissions.

By default, the form you create from Splunk Manager is private. In the Views page of Splunk Manager, click Permissions for your form to specify an app (or all apps) for the dashboard and to set permissions for users of the dashboard.

Form tags

Here is a description of the tags in the previous example that defines a form search.

Tag Description
<form> Required to define a form
<label> Optional, to display a title for the form.
<fieldset> Required, defines the user input (<input. . .>) for the form. The example above specifies a text box.
<row>
  <panelType>
Required

Rows contain the panels in the form. You can have up to three panels in a row.

Panels provide visualizations for the results from a search. The example above specifies an event listing. You can specify any of the panel visualizations, as described in "Adding panels to a dashboard".

Define inputs to a form

The <fieldset> tag defines form inputs. This section describes how to modify elements within the <fieldset> tag to customize inputs.

<form>
  <label>Sample form search</label>
  <searchTemplate>index=sample from="$from$"</searchTemplate>

  <!-- Define Inputs here -->
  <fieldset> 
      <input type="text" token="from" />
  </fieldset>

  <row>
      <event>
            <title>Results</title>
            <option name="count">50</option>
      </event>
  </row>
</form>

Specify a TimePicker with a default time range

If you do not specify a time range, the time range defaults to all time. You can add a TimePicker (a time range dropdown) with a default time setting. Set the default time range to any of the strings available from the time range dropdown.

This example adds a time picker and sets the default time range to the last 30 days:

. . .
<!-- TimePicker with customized default time range -->
<input type="time">
  <default>Last 30 days</default>
</input>
. . .

Add a label

Use the <label> tag to add a descriptive label to the input. This example adds Enter a user name before a text input:

. . .
<input type="text" token="username">
    <label>Enter a user name</label>
</input>
. . .

Set a default search term

If the user does not fill in the text box when submitting values, the token defaults to an empty string. To set a default value for the token in a search, use the <default> tag.

This example sets Cosmo as the default value for the token specifying a username:

. . .
<input type="text" token="username">
    <default>Cosmo</default>
</input>
. . .

Add a prefix or suffix

A search query often requires additional suffixes or prefixes. Use the <prefix> and <suffix> tags to add additional terms to a search query. The <prefix> and <suffix> tags are only used when a user enters a search in the text box.

Set a prefix on the default value:

. . .
<input type="text" token="username">
    <prefix>username=</prefix>
</input>
. . .

Quote the default value:

. . .
<input type="text" token="username">
    <prefix>username="</prefix>
    <suffix>"</suffix>
</input>
. . .

Populate a form with data

Use the <seed> tag to populate a form with known data.

This example populates a form with the username Jack:

. . .
<input type="text" token="username">
    <seed>Jack</seed>
</input>
. . .

Auto-run a form

You can automatically run a form when the page loads. Use the auto-run feature if you have set defaults from which you want your users to see results before specifying their own search.

Specify the following attributes to the <fieldset> tag.

autoRun="true"
submitButton="false"

Make sure you also include a seed for the search. Setting a default time range is a good idea.

Here's an example that runs the specified search on page load:

. . .
  <fieldset autoRun="true" submitButton="false">
    <input token="sourcetype">
      <seed>access_combined</seed>
    </input>
    <input type="time">
      <default>Last 30 days</default>
    </input>
  </fieldset>
. . .

Display form search results

To display results of a form search, add a row to the form much the same way you add rows to a dashboard. Then select a visualization for the results. You can use some of the same visualizations available for panels in dashboards. This section illustrates using an event listing, a table, and charts.

Display results in an event listing

To display results as a list of events, add a <row> element with an <event> node to your form search. The event listing displays the search results as individual events.

The following example displays the last 100 login events over the past seven days for the username entered in the form:

<form>
    <label>Username</label>
    
    <searchTemplate>sourcetype=logins $username$</searchTemplate>
    <earliestTime>-7d</earliestTime>
    <latestTime>-0d</latestTime>    

    <fieldset>
        <input type="text" token="username" />
    </fieldset>
    
    <row>
        <event>
            <option name="count">100</option>
        </event>
    </row>
</form>

To learn more about event listing, see "Add an event listing" in the Build dashboards section of this manual. Also, refer to the "Event panel" section of the Simple XML Panel Reference.

Display results in a table

To display results in a table, add a <row> element with a <table> node to your form search.

The following example displays results returned by the form search in a table. The table contains a pager, specifying 20 rows per page.

<form>
    <label>Username</label>
    
    <searchTemplate>sourcetype=logins $username$ </searchTemplate>
    <earliestTime>-7d</earliestTime>
    <latestTime>-0d</latestTime>
    
    <fieldset>
        <input type="text" token="username" />
    </fieldset>
    
    <row>
      <table>
        <title>User logins</title>
        <option name="showPager">true</option>
        <option name="count">20</option>
      </table>
    </row>
</form>

To learn more about displaying results in a table, see "Add a table" in the Build dashboards section of this manual. Also, refer to the "Table panel" section of the Simple XML Panel Reference.

Display results in a chart

To display results in a chart, add a <row> element with a <chart> node to your form search. Use the chart's <option> tags to specify the type of chart and any chart properties. Chart types include bar, column, area, line, pie, scatter, and bubble. Charts require transforming searches (searches that use reporting commands) whose results involve one or more series. For more information on the chart visualizations available, see "Charts" in this manual.

The following example creates a form search displaying results in a column chart. The search includes reporting commands (timechart count).

<form>
    <label>Username</label>
    
    <searchTemplate>sourcetype=logins $username$ | timechart count</searchTemplate>
    <earliestTime>-7d</earliestTime>
    <latestTime>-0d</latestTime>
    
    <fieldset>
        <input type="text" token="username" />
    </fieldset>
    
    <row>
      <chart>
        <title>User logins, last 7 days</title>
        <option name="charting.chart">column</option>
        <option name="charting.primaryAxisTitle.text">User</option>
        <option name="charting.secondaryAxisTitle.text">Total logins</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </row>
</form>

In this example, Splunk's chart formatting controls specify the axis titles and remove the chart legend (you really don't need a legend when only one series is displayed). The primaryAxisTitle and secondaryAxisTitle elements are similar to the axisTitleX and axisTitleY elements described in the charting controls documentation. For more information, see the "Custom chart configuration reference" chapter in this manual.

To learn more about charts, see "Add a chart" in the Build dashboards section of this manual.

Create a form search with dynamic drilldown

Dynamic drilldown allows you to specify another Splunk view or a web page to link to from a field in the search results. To implement dynamic drilldown, do the following:

  • Add a <drilldown> tag to the visualization listing search results.
  • Within the <drilldown> tag, add one or more <link> tags.
  • Within each <link> tag, specify either a Splunk view or web site to link to.
  • Specify the value of the results to use for the drilldown action. For example:
    • Specify a field name that can be used as a sourcetype for a Splunk view.
    • Specify a value that can be passed to a website.

Drilldown example linking to another form

The following example shows a form search implementing dynamic drilldown. When a user clicks on a value in the specified column, the value clicked is passed to another form.

Note: This example assumes that you have a view, FormSearchDrillDown, available at the specified location.

<form>
  <label>Form Search (Beta)</label>
  
  <!-- define master search template, with replacement token delimited with $ -->
  <searchTemplate>index="_internal" group="per_sourcetype_thruput" series=$sourcetype$ | chart sum(kbps) over series</searchTemplate>

  <fieldset>
     <!-- Use the html tag to specify text to display -->
     <html>
       <p>Enter a sourcetype in the field below. This view returns the most recent 1000 events for that sourcetype.</p>
       <p>In the Matching Events, click in the series column to open the value clicked in a new form</p>
     </html>

     <!-- The default input is a text box, with no seed value -->
     <input token="sourcetype" />
    
     <!-- Include a time picker -->
     <input type="time">
        <default>Last 30 days</default>
      </input>
  </fieldset>
  
  <row>
      <!-- output the results as a 50 row events table -->
      <table>
        <title>Matching events</title>
        <option name="count">50</option>
        
        <!-- Specify the "series" column for the drilldown action.             -->
        <!-- Pass the value clicked with $row.series$                          -->
        <!-- The FormSearchDrillDown view must exist at the specified location -->
        <drilldown>
          <link field="series">
              /app/ui_examples/FormSearchDrillDown?form.sourcetype=$row.series$
          </link>
        </drilldown>        
      </table>
  </row>
  
</form>

Drilldown example linking to a web site

This is essentially the same example as linking to another Splunk view. However, in this example, clicking a value opens an external web site, with the clicked value passed to that site as a REST parameter. The $click.value2$ token captures the value clicked by the user.

When the user clicks on a value, Splunk Answers opens with a query using that value. To implement this example, replace the <drilldown> code in the previous example with the following code:

        <!-- $click.value2$ captures the value clicked by the user -->
        <!-- and passes it to the website as REST parameter        -->
        <drilldown>          
          <link>http://splunk-base.splunk.com/integrated_search/?q=$click.value2$</link>
        </drilldown>

Create a dynamic form search with radio buttons

You can create a dynamic form search that is populated using radio buttons. You specify a search to populate radio button choices. A user selects a radio button to drive the search results.

Dynamic form search example

1. Use a simple form search to get started.

<form>
 <label>Username</label>
 <searchTemplate>sourcetype=logins $username$</searchTemplate>  
 <fieldset>
  <input type="text" token="username" />
 </fieldset>
    
 <row>
  <event>
    <option name="count">100</option>
   </event>
  </row>
</form>

2. Change the input from a text box to radio buttons. Add a <populatingSearch> to generate the options for the radio buttons.

. . .
<input type="radio" token="username">
   <label>Select Name</label>
   <populatingSearch fieldForValue="suser" fieldForLabel="suser">
     <![CDATA[sourcetype=p4change | rex "user=(?<suser>\w+)@"
     | stats count by suser]]>
   </populatingSearch>
</input>
. . .

3. Display the results in a table. The following is the complete dynamic form search.

<form>
 <label>Username</label>
 <searchTemplate>sourcetype=logins $username$</searchTemplate>  

<fieldset>
   <input type="radio" token="username">
      <label>Select Name</label>
      <populatingSearch fieldForValue="suser" fieldForLabel="suser">
        <![CDATA[sourcetype=p4change | rex "user=(?<suser>\w+)@"
        | stats count by suser]]>
      </populatingSearch>
   </input>
</fieldset>

<row>
 <table>
  <title>Users</title>
   <option name="showPager">true</option>
  </table>
</row>
</form>

Radio button configuration options

There are several configuration options available for <input type="radio">.

Tag Description
<label> String.

A label for the radio buttons

<default> The default option to select.

If the default option cannot be found, the first option is selected.

<prefix> Search terms

Prefix the search query with the specified search terms.

<suffix> Search terms

Place the specified search terms after the search query.

<choice value=value> String representing an option for the radio buttons.

Options appear in the order they are defined, and before any options generated by a search specified by <populatingSearch>.

<populatingSearch
  fieldForLabel=label
  fieldForValue=value
  earliest=timeformat
  latest=timeformat>
A search that generates options for the radio buttons.

fieldForLabel: Required. Field extracted from the populating search and placed as the label for the generated radio button.

fieldForValue: Required. Field extracted from the populating search and placed in the value of the generated radio button.

latest, earliest: Optional. Restrict search results to a specific time window, specifying one or both of these attributes. For example, specify earliest="-7d" latest="-1d". Specify "rt" to enable real-time searches.

<populatingSavedSearch
  fieldForLabel=label
  fieldForValue=value>
A saved search that generates options for the radio buttons.

fieldForLabel: Required. Field extracted from the populating saved search and placed as the label for the generated radio button.

fieldForValue: Required. Field extracted from the populating saved search and placed in the value of the generated radio button.

Create a dynamic form search using drop-downs

You can create a dynamic form search that is populated using a dropdown list. You specify a search to populate the choice in the list. A user selects from the list to drive the search results.

Dynamic form search example

1. Use a simple form search to get started.

<form>
 <label>Username</label>
 <searchTemplate>sourcetype=logins $username$</searchTemplate>  
 <fieldset>
  <input type="text" token="username" />
 </fieldset>
    
 <row>
  <event>
    <option name="count">100</option>
   </event>
  </row>
</form>

2. Change the input from a text box to a dropdown list. Add a <populatingSearch> to generate the options for the list.

. . .
<input type="dropdown" token="username">
   <label>Select Name</label>
   <populatingSearch fieldForValue="suser" fieldForLabel="suser">
      <![CDATA[sourcetype=p4change 
      | rex "user=(?<suser>\w+)@"
      | stats count by suser]]>
    </populatingSearch>
</input>
. . .

3. Display the results in a table. The following is the complete dynamic form search.

<form>
  <label>Username</label>
  <searchTemplate>sourcetype=logins $username$</searchTemplate>  
  <fieldset>
    <input type="dropdown" token="username">
       <label>Select Name</label>
       <populatingSearch fieldForValue="suser" fieldForLabel="suser">
          <![CDATA[sourcetype=p4change 
          | rex "user=(?<suser>\w+)@"
          | stats count by suser]]>
        </populatingSearch>
    </input>
  </fieldset>

  <row>
    <table>
      <title>Users</title>
        <option name="showPager">true</option>
      </table>
  </row>
</form>

Dropdown list configuration

There are several configurations available for <input type="dropdown">.

Tag Description
<label> String.

A label for the dropdown list.

<default> The default option to select.

If the default option cannot be found, the first option is selected.

<prefix> Search terms

Prefix the search query with the specified search terms.

<suffix> Search terms

Place the specified search terms after the search query.

<choice value=value> String representing an option for the dropdown list.

Options appear in the order they are defined, and before any options generated by a search specified by <populatingSearch>.

<populatingSearch
  fieldForLabel=label
  fieldForValue=value
  earliest=timeformat
  latest=timeformat>
A search that generates options for the dropdown list.

fieldForLabel: Required. Field extracted from the populating search and placed as the label for the list option.

fieldForValue: Required. Field extracted from the populating search and placed in the value of the generated list option.

latest, earliest: Optional. Restrict search results to a specific time window, specifying one or both of these attributes. For example, specify earliest="-7d" latest="-1d". Specify "rt" to enable real-time searches.

<populatingSavedSearch
  fieldForLabel=label
  fieldForValue=value>
A saved search that generates options for the dropdown list.

fieldForLabel: Required. Field extracted from the populating saved search and placed as the label for the list option.

fieldForValue: Required. Field extracted from the populating saved search and placed in the value of the generated list option.

Drive multiple panels in a form

You can use post process to drive multiple panels in a search form. Post process allows you to reformat reporting results from the search. When you use post process, the base search must be a reporting search.

This means you can create tables and charts according to specific criteria. For example, you can create various tables that are sorted on different columns, hide some columns, or filter rows that match some criteria. You can also do further aggregation on the original report.

Caution: A post process search has an unconfigurable limit of 10,000 events or results that can be passed to it. Objects in excess of this 10,000 object limit are not processed, resulting in incomplete results.

If the base search that you post process is not a search that generates reports, the results of the post process could be wrong.

See How to use one search for a whole dashboard for more information on post processing searches.

Use the same search in multiple panels

You can configure one search to drive multiple outputs. This example has one base search that takes in a single search term. It then drives two separate searches that contain tokens matching user-entered values in the fieldset of the form. These panels display the results in a table panel and a chart panel.

Note: The token attribute of each distinct search must match at least one of the input nodes defined within the fieldset.
<form>
  <label>Form search example - inverted flow, panel-defined search</label>

  <!-- Define a common form search input for the panels below -->
  <fieldset>
    <input type="text" token="username">
      <label>Global username</label>
      <default>*</default>
      <seed>claire</seed>
    </input>

    <input type="time" />

  </fieldset>

  <row>
    <chart>
      <title>Commits over time</title>
      <searchTemplate>
        index=access_logs user=$username$ | timechart count
      </searchTemplate>
      <option name="charting.chart">area</option>
    </chart>
    
    <table>
      <title>Top files touched by the user</title>
     <searchTemplate>
        index=access_logs user=$username$ | top filePath
     </searchTemplate>
      </table>
  </row>

</form>
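
The following Python sketch is an added example, not part of the Splunk manual or Splunk's own tooling. Because the text a user types replaces the token in the search string, it reviews a form for the two points made above: every $token$ in a searchTemplate must match an input in the fieldset, and text-input tokens are either quoted in the template or quoted through <prefix> and <suffix> (as in "Quote the default value"). The finding names and the sample form are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")
MAX_PANELS_PER_ROW = 3  # "up to three panels in a row", as stated on this page

# Constructed sample form (not from the Splunk manual) that mixes quoted,
# unquoted and undefined tokens and puts four panels in one row.
SAMPLE_FORM = """
<form>
  <label>Constructed sample</label>
  <searchTemplate>
    index=_internal source=*metrics.log group="per_sourcetype_thruput"
    series=$series$ from="$from$" $otherFilter$ host=$host$ $username$
    | fields eps, kb, kbps
  </searchTemplate>
  <fieldset>
    <input type="text" token="series"><suffix>*</suffix></input>
    <input token="from" />
    <input type="text" token="otherFilter"><prefix>eps&gt;</prefix></input>
    <input type="text" token="username">
      <prefix>username="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="time" />
  </fieldset>
  <row><table/><chart/><event/><table/></row>
</form>
"""


def _text(parent, tag):
    """Return the stripped text of a child element, or '' when absent."""
    child = parent.find(tag)
    return (child.text or "").strip() if child is not None else ""


def collect_inputs(root):
    """Map token name -> (input type, prefix, suffix) for each form input."""
    inputs = {}
    for inp in root.iter("input"):
        token = inp.get("token")
        if token:  # <input type="time" /> carries no token
            # The default input type is a text box.
            inputs[token] = (inp.get("type", "text"),
                             _text(inp, "prefix"), _text(inp, "suffix"))
    return inputs


def is_quoted(template, match, prefix, suffix):
    """True when the substituted value ends up between double quotes."""
    before = template[match.start() - 1:match.start()]
    after = template[match.end():match.end() + 1]
    in_template = before == '"' and after == '"'
    by_affixes = prefix.endswith('"') and suffix.startswith('"')
    return in_template or by_affixes


def lint_form(xml_text):
    """Return a list of (finding, detail) tuples for one simple XML form."""
    root = ET.fromstring(xml_text)
    if root.tag != "form":
        return [("not-a-form", root.tag)]
    inputs = collect_inputs(root)
    findings = []
    # Covers the form-level template and any panel-level templates.
    for template in root.iter("searchTemplate"):
        text = template.text or ""
        seen = set()
        for match in TOKEN_RE.finditer(text):
            token = match.group(1)
            if token in seen:
                continue
            seen.add(token)
            if token not in inputs:
                findings.append(("undefined-token", token))
                continue
            kind, prefix, suffix = inputs[token]
            # Only free-text inputs are reviewed for quoting; radio and
            # dropdown values come from choices or a populating search.
            if kind == "text" and not is_quoted(text, match, prefix, suffix):
                findings.append(("unquoted-token", token))
    for index, row in enumerate(root.iter("row"), start=1):
        if len(row) > MAX_PANELS_PER_ROW:
            findings.append(("row-too-wide", f"row {index}: {len(row)} panels"))
    return findings


if __name__ == "__main__":
    for finding, detail in lint_form(SAMPLE_FORM):
        print(f"{finding}: {detail}")
```

An "unquoted-token" finding is a prompt for review, not an error: the "Multiple inputs" example later in this topic intentionally leaves series and otherFilter unquoted.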

Single-search, multi-post process

This example takes a single search and displays different facets of that search through post-processing. It combines the searches in the previous example into one search.

The form search returns one result set. The searchPostProcess node inside each panel takes the results and runs (post processes) them through a separate search pipeline.

The basic model is:

  1. Create a base search seeded in the searchTemplate node that returns a report with a superset of data.
  2. Create searchPostProcess nodes to filter or aggregate the base report.


<form>
  <label>Form search example - inverted flow, panel-defined post-process</label>

  <!-- Define a search that returns a single result set. -->
  <!-- The subsequent panels choose specific results to display -->
  <searchTemplate>
    sourcetype=p4change OR sourcetype=jira user=$username$ | head 10000
  </searchTemplate>

  <fieldset>
    <input type="text" token="username">
      <label>Global username</label>
      <default>NON_EXISTENT</default>
      <seed>johnvey*</seed>
    </input>
    <input type="time" />
  </fieldset>

  <row>
    <chart>
      <title>Commits over time</title>
      <searchPostProcess>timechart count</searchPostProcess>
      <option name="charting.chart">area</option>
    </chart>
    
    <table>
      <title>Top files touched by the user</title>
       <searchPostProcess>top filePath</searchPostProcess>
    </table>
  </row>

  <row>
    <table>
      <title>Users vs changetype</title>
      <searchPostProcess>ctable user changetype maxcols=4</searchPostProcess>
      <option name="count">20</option>
    </table>
  
    <chart>
      <title>Average lines added by the user</title>
      <searchPostProcess>timechart avg(added)</searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="charting.legend.placement">none</option>
    </chart>
  </row>

</form>

Form search examples

These three examples show how to build different types of form searches using simple XML. There are additional examples in the Splunk Dashboard Examples app, available from Splunkbase.

Simple table

This example shows how to create a simple form that searches for one field, sourcetype. Results from the search are displayed as a table with 50 rows maximum.




1. Create the form, give it a label, and specify the searchTemplate – the search that is the basis for the form:

<form>
  <label>Simple table</label>
  <searchTemplate>
    index=_internal source=*metrics.log group=per_sourcetype_thruput 
    series="$sourcetype$" | head 1000
  </searchTemplate>
  <earliestTime>-30d</earliestTime>
  <latestTime>-0d</latestTime>
...


2. (Optional) Add an HTML panel to display useful information – instructions on how to create a search:

  . . .
  <html>
    Enter a <code>sourcetype</code> in the field below. 

    This view returns the most recent 1000 events from the metrics log 
    referring to that <code>sourcetype</code>.
  </html>
  . . .


3. Set up an input. This example creates an input box that replaces the $sourcetype$ token in the searchTemplate above.

  . . .
  <fieldset>
      <input token="sourcetype" />
  </fieldset>
  . . .


4. Display the results in a table.

  . . .
  <row>
      <table>
        <title>Matching events</title>
        <option name="count">50</option>
      </table>
  </row>
</form>

Multiple inputs

This example shows how to take multiple inputs to build a form search. It also shows how to add a time range picker, which allows users to pick a time range for their search.



1. Set up a searchTemplate that creates two tokens:

$series$
$otherFilter$

The search does not include time specifications – users can select from the time range picker:

<form>
  <label>Multiple inputs</label>
  <searchTemplate>
    index=_internal source=*metrics.log 
    group="per_sourcetype_thruput" series=$series$ $otherFilter$ 
    | fields eps, kb, kbps
  </searchTemplate>


2. Create a text box; upon first load, the box populates with 'splunkd'. If the user leaves the box empty, then the search uses '*'. This example always prefixes the token 'otherFilter' with 'eps>' – if no value is entered, 'eps>-1' is inserted. Specify the time range picker.

  <fieldset>
      <input type="text" token="series">
        <label>sourcetype</label>
        <default></default>
        <seed>splunkd</seed>
        <suffix>*</suffix>
      </input>
      <input type="text" token="otherFilter">
        <label>events per second greater than:</label>
        <prefix>eps></prefix>
        <default>-1</default>
        <seed>0</seed>
      </input>
      <input type="time" />
  </fieldset>


3. Display the results in a table showing 20 rows per page. A pager allows users to navigate through the results.

  <row>
      <table>
        <option name="showPager">true</option>
        <option name="count">20</option>
      </table>
  </row>
</form>

Inverted flow

This form search is built backwards -- the input comes first and then feeds two separate charts and one table. The charts and the table are each built from a separate search, each with a searchTemplate that uses the 'sourcetypeToken' text box input.

This example is useful for rendering pages that collate disparate searches that share a common search keyword/token.



1. Define a common form search input that all panels use:

<form>
  <label>inverted flow, panel-defined search</label>
  <fieldset>      
      <input type="text" token="sourcetypeToken">
          <label>sourcetype</label>
          <default>*</default>
          <seed>splunkd</seed>
      </input>

      <input type="time" />

  </fieldset>

. . .


2. Create two separate charts, each with a searchTemplate that uses the input from the form search above with the $sourcetypeToken$.

 
  <row>
      <chart>
          <title>KB Indexed over time</title>
          <searchTemplate>
             index=_internal source=*metrics.log Component=metrics 
             group="per_sourcetype_thruput" series="$sourcetypeToken$" 
             | timechart sum(kb)
          </searchTemplate>
          <option name="charting.chart">column</option>
          <option name="charting.primaryAxisTitle.text">Sourcetype</option>
          <option name="charting.secondaryAxisTitle.text">KB Indexed</option>
          <option name="charting.legend.placement">none</option>
      </chart>

      <chart>
          <title>Average events per second over time</title>
          <searchTemplate>
             index=_internal source=*metrics.log Component=metrics 
             group="per_sourcetype_thruput" series="$sourcetypeToken$" 
             | timechart avg(eps)
          </searchTemplate>
          <option name="charting.chart">area</option>
          <option name="charting.chart.stackMode">stacked</option>
          <option name="charting.primaryAxisTitle.text">Sourcetype</option>
          <option name="charting.secondaryAxisTitle.text">Events per second</option>
          <option name="charting.legend.placement">none</option>
      </chart>
  </row>


3. Display further results in a table, also using the searchTemplate that takes input from form search using the $sourcetypeToken$:

  <row>
      <table>
          <title>average kbps over time</title>
          <searchTemplate>
             index=_internal source=*metrics.log Component=metrics 
             group="per_sourcetype_thruput" series="$sourcetypeToken$" 
             | timechart avg(kbps)
           </searchTemplate>
          <option name="count">20</option>
      </table>
  </row>
  
</form>

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Is there a complete reference for all of the fieldset inputs? I am specifically looking for the options to Accumulator, but having a list of all inputs would be nice as well.

Richprescott
May 22, 2013

This is great! However, I can't seem to get the tag to work with the time pulldown. Anyone else have this problem?

-S.

Sondradotcom
May 17, 2013
