Splunk® Enterprise

Developing Views and Apps for Splunk Web



Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Build a form search using advanced XML

Important notice: The Advanced XML dashboard framework is officially deprecated. For more information, see Advanced XML Deprecation.

You can add a form search to any view using advanced XML. Advanced form searches use the ExtendedFieldSearch module in the search view template. To read more about search views, see Introduction to advanced views.

Add chrome

Start out your form search view by adding the chrome. The view element opened here stays open for the rest of the file; close it with </view> after the last module in the view:

<view onunloadCancelJobs="False" autoCancelInterval="100">
  <!--  autoCancelInterval is set here to 100  -->
  <label>Sample search</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

Add a form search pattern

All form searches include a form search pattern, which is built from the following modules:

Module                                   Description
HiddenSearch                             Specifies the base search for your form search. Write each token as $name$, for example $mytoken$.
ExtendedFieldSearch                      Maps a form input to the token it replaces in the search. Its intention and replacementMap parameters carry the per-token settings.
EventsViewer (or other display module)   Displays the results.

The following example is a basic configuration of the ExtendedFieldSearch module. The parent module is a HiddenSearch. The intention and replacementMap parameters each take additional parameters to set up the form input; the token name under arg (here st) must match the $st$ token in the HiddenSearch search string, and the field parameter supplies the label for the form input. Because stringreplace substitutes the form value textually into the search string, whatever the user types becomes part of the search that runs: use the prefix and suffix parameters to place the value inside a quoted field comparison where one is needed, rather than relying on the user to supply the quotes.

  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=$st$</param>

    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="st">
                <param name="default">apache_error</param>
            </param>
        </param>
      </param> <!-- End param intention-->

      <param name="replacementMap">
        <param name="arg">
          <param name="st">
              <param name="value"></param>
          </param>
        </param>
      </param> <!-- End param replacementMap -->

      <param name="field">Sourcetype</param>

      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module> <!-- End ExtendedFieldSearch-->
  </module> <!-- End HiddenSearch -->

Advanced examples

There are many ways to configure a form search using advanced XML. Here are a few examples to get you started.

Use wildcards

This example shows how to use wildcards with a token.

...
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=apache_error *$target$*</param>

    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="target">
                <param name="default">500</param>
            </param>
        </param>
      </param>

      <param name="replacementMap">
        <param name="arg">
          <param name="target">
              <param name="value"></param>
          </param>
        </param>
      </param>

      <param name="field">Wildcard search</param>

      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>

    </module> <!-- End ExtendedFieldSearch -->
  </module> <!-- End  HiddenSearch -->

Use two variables

The following example takes two separate tokens as input.

  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=apache_error $error$ $hours_ago$</param>

    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="error">
                <param name="fillOnEmpty">True</param>
            </param>
        </param>
      </param>

      <param name="replacementMap">
        <param name="arg">
          <param name="error">
              <param name="value"></param>
          </param>
        </param>
      </param>

      <param name="field">Multiple replace (apache search)</param>

      <module name="ExtendedFieldSearch">
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
              <param name="hours_ago">
                  <param name="fillOnEmpty">True</param>
                  <param name="prefix">starthoursago=</param>
              </param>
          </param>
        </param>

        <param name="replacementMap">
          <param name="arg">
            <param name="hours_ago">
                <param name="value"></param>
            </param>
          </param>
        </param>

        <param name="field">Multiple replace (starthoursago)</param>

        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
          <param name="segmentation">full</param>
        </module>

      </module> <!-- End ExtendedFieldSearch -->
    </module> <!-- End ExtendedFieldSearch -->
  </module> <!-- End HiddenSearch -->

Use ORs

The following example shows how to build a search with ORs.

The desired search string is:

eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" OR user="$User$"

You can approximate it with the prefix and suffix parameters of the stringreplace intention for $User$: the value is prefixed with OR user=" and suffixed with ". Keeping the OR inside the prefix means the clause only appears when $User$ is substituted. The search string in HiddenSearch then becomes:

eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$

  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">
       eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$
    </param>

    <module name="ExtendedFieldSearch">
      <param name="field">SourceIP</param>

      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="SourceIP">
                <param name="fillOnEmpty">True</param>
                <param name="value"></param>
            </param> <!-- End SourceIP -->
        </param> <!-- End arg -->
      </param> <!-- end intention -->

      <param name="replacementMap">
        <param name="arg">
          <param name="SourceIP">
              <param name="value"></param>
          </param> <!--End SourceIP -->
        </param> <!--End arg -->
      </param> <!-- replacementMap-->

      <module name="ExtendedFieldSearch">
        <param name="field">User</param>

        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
              <param name="User">
                  <param name="fillOnEmpty">True</param>
                  <param name="prefix">OR user="</param>
                  <param name="suffix">"</param>
              </param> <!--End User -->
          </param> <!--arg -->
        </param> <!-- end intention -->

        <param name="replacementMap">
          <param name="arg">
            <param name="User">
                <param name="value"></param>
            </param><!--End User -->
          </param> <!--End arg -->
        </param> <!-- replacementMap-->

        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
          <param name="segmentation">full</param>
        </module> <!-- End EventsViewer -->

      </module> <!-- End ExtendedFieldSearch -->
    </module> <!-- End ExtendedFieldSearch -->  
  </module> <!-- End HiddenSearch -->

Reuse the same token

This example reuses the same token for two different parts of the search:

...
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">eventtypetag=config_file source=$File$ OR $File$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">File</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="File">
                <param name="value"></param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="File">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module> <!-- End ExtendedFieldSearch -->
  </module> <!-- End HiddenSearch -->
...
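To see what these configurations produce, here is an added Python model of the stringreplace substitution. It is not Splunk code and does not call Splunk; it reproduces the four searches above from the page's own token settings so you can check the rendered search string before you ship the view. The handling of an empty form field (default first, then fillOnEmpty) and the collapsing of leftover whitespace are modelling assumptions about the observable result, not statements about Splunk internals. The constants WILDCARD, TWO_VARS, OR_SEARCH and REUSE are this example's names for the page's configurations, and the form values are constructed inputs.

```python
"""Model of the Advanced XML stringreplace intention (added example, not Splunk code)."""
import re
from dataclasses import dataclass

# Tokens are written $name$ in the HiddenSearch search string.
TOKEN_RE = re.compile(r"\$(\w+)\$")


@dataclass(frozen=True)
class StringReplace:
    """Per-token settings, named after the XML params under <param name="arg">."""
    default: str = ""
    prefix: str = ""
    suffix: str = ""
    fill_on_empty: bool = False   # the fillOnEmpty param


def render(search: str, tokens: dict, form: dict) -> str:
    """Substitute every $token$ in `search` from the form values.

    Modelling assumptions (about the observable result, not Splunk internals):
      * a non-empty value is inserted as prefix + value + suffix, verbatim;
      * an empty value uses `default` (wrapped the same way) when one is set;
      * with no default, fill_on_empty=True drops the token and its wrapper,
        fill_on_empty=False leaves the literal $token$ in the search;
      * a token with no stringreplace entry is left untouched;
      * whitespace runs left by dropped tokens are collapsed.
    """
    def substitute(match):
        name = match.group(1)
        spec = tokens.get(name)
        if spec is None:
            return match.group(0)
        value = form.get(name, "").strip()
        if not value:
            if spec.default:
                value = spec.default
            elif spec.fill_on_empty:
                return ""
            else:
                return match.group(0)
        return f"{spec.prefix}{value}{spec.suffix}"

    return " ".join(TOKEN_RE.sub(substitute, search).split())


# The page's four examples, as (search string, per-token settings).
WILDCARD = ("sourcetype=apache_error *$target$*",
            {"target": StringReplace(default="500")})
TWO_VARS = ("sourcetype=apache_error $error$ $hours_ago$",
            {"error": StringReplace(fill_on_empty=True),
             "hours_ago": StringReplace(fill_on_empty=True, prefix="starthoursago=")})
OR_SEARCH = ('eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$',
             {"SourceIP": StringReplace(fill_on_empty=True),
              "User": StringReplace(fill_on_empty=True, prefix='OR user="', suffix='"')})
REUSE = ("eventtypetag=config_file source=$File$ OR $File$",
         {"File": StringReplace()})


if __name__ == "__main__":
    cases = [
        (WILDCARD, {"target": "404"}),
        (WILDCARD, {}),                      # falls back to the default 500
        (TWO_VARS, {"error": "500", "hours_ago": "24"}),
        (TWO_VARS, {"error": "500"}),        # hours_ago dropped with its prefix
        (OR_SEARCH, {"SourceIP": "10.0.0.5", "User": "alice"}),
        (OR_SEARCH, {"SourceIP": "10.0.0.5"}),  # whole OR clause disappears
        (REUSE, {"File": "httpd.conf"}),     # both $File$ occurrences replaced
        (REUSE, {}),                         # no default, no fillOnEmpty: token stays
        # Constructed input: a value carrying its own quote is inserted as-is,
        # so it ends the quoted comparison the suffix was meant to close.
        (OR_SEARCH, {"SourceIP": "10.0.0.5", "User": 'bob" OR user="*'}),
    ]
    for (search, tokens), form in cases:
        print(render(search, tokens, form))
```

The last case passes a value containing a double quote to the quoted $User$ token. In this model the replacement is purely textual, so the value closes the comparison that the suffix was meant to close and starts a second one. The page does not say how Splunk itself treats such a value, so verify that on your own deployment before exposing a form to users you do not trust, and keep the quoting in prefix and suffix rather than expecting the form value to supply it.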
Last modified on 13 August, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9

