
Johnvey Hwang: Introduction to Form Search


Description:

Johnvey Hwang, Platform Architect at Splunk, gives an introduction to form search: a quick tutorial on creating, using, and saving a form-based search in the Splunk interface. Form-based searches are a convenient way to access frequent searches. Saving clock cycles, one sysadmin at a time.

Runtime: 12:58
Date: Nov 13, 2007

Transcript

00:00:20
Hi, my name is Johnvey Hwang. I am a platform architect here at Splunk, and today I’m going to cover a feature that we added recently in 3.1 called form search. And this is a departure from how we do search normally, which is... Splunk is a search engine just like Google or Yahoo which allows you to type in forms freeform, but a lot of people like having an easy form-based search where there's a couple of boxes to fill in and it returns particular results. What Splunk supports is the ability to turn any search that you have into a form-based search, so what I’m going to show today is a quick run-through on how to make a form search.

00:01:17
Let's say that I pick the Linux audit log, and what we have here is a bunch of logs on activity that happens in your system. Let's say you are looking for all the users that happen to log into the system. So we have a key here called “type=USER_START.” Now the typical way of using Splunk is you find the key that you’re looking for and you click on it.

00:01:48
So we’ve clicked on “type=USER_START” and the results show a listing of all the events that match this particular type of USER_START. Now one of the things that you may or may not want to do is that you have a very specific search that you do. Say someone calls you and says he’s having trouble logging into the box. He may have a certain piece of information that he can provide and he just says, “Oh well, this is my ID, I was trying to log into the box and something happened.” What you can do is just type it in to the search box up top, and you may or may not know what things precede it. And in this case we see... in these events there is a bunch of key-value pairs. So inside we have type=, we have msg, we have pid, uid, etc. An easy way to handle this search, if you are doing this constantly, is to in fact create a form search.

00:02:57
For instance, if we are looking for a user of 8596, you can come into the search interface and you can click around until you get to your search results, and you can type into the box or click it, USER=, pid 8596. However, if you’re constantly doing this, it’s a hassle to go back and forth, so we’ve created form search, which allows you to create a template and, say, save the most common elements of your search and leave one particular field empty that gives you quick access to that particular entry. In this case, let's say you want to create a form search where the only thing you have to enter is a user ID.

00:03:58
Let's start by using the form search syntax. So as you can see, at the end of your search we start by appending a token, as we call it, and the token is delineated by two dollar signs. So to start, dollar sign, customer id, and we finish it off with a dollar sign. Once I finish it with a dollar sign you notice there is a link that shows up down below that says show as form. This appears whenever you have a valid token in your search string, so again the token is delineated by these two dollar signs. If you click on the link you will see what happens is the interface to the search changes, so that now we have a single box labeled customer ID, and what the system is doing is it is masking the rest of the search and only exposing the single field that you have chosen.

00:05:04
So an example for this would be your first-year support staff: if they’re fielding a lot of tech support calls and a common thing is to look at a particular person's account or particular transaction, their search may require a lot of terms, but for the purposes of assisting customers, you don’t really need that information. The less information, the fewer variables you have in your search, which will make your job easier, or the job easier for your support staff.

00:05:39
Now if we click the link that says “show as text” again, you’ll flip back and see again the original search terms of “source type” and “type” show up, and the customer ID is still there. So we’ll go ahead and do a quick search and we’ll say customer ID 8596, and you’ll notice type-ahead appears as it does on the usual product. So running a search will return what we expected, and what happens in the background is the form search here stays as it was, but what the Splunk interface actually does is substitute the 8569 value into that search string. And you can create as many fields as you want, so if you flip back to this you can add other fields like... you can say customer type or you can say day of the week, and each one of these tokens will let me translate it into its corresponding field.

00:07:02
So we’ve included three different fields, each of these in their own token strings, and when you click show as form you will notice that these three fields will show up as individual text boxes. And again you fill these fields in, and each of these will be replaced; they will be inserted into the original search string and be passed on to the server. This is great for single text replacement, if you happen to know or if it's feasible for you to do single text replacements. But, for instance, if you are not really sure of the type, or there are certain searches that you do very commonly but it flips between a few different modes. So in addition you have “type=user end” in addition to “type=user start”; one thing you can do is have form search create a dynamic drop-down box. So let's create an example where you select one of the types you want to be searching on. So again we start with our token, which is our dollar sign. We give it a label, “customer type”, but instead of just ending it with a dollar sign we insert an equals, and what this does is it tells the Splunk UI that you now have a controlled list of values that you want to pass to it. So in our case we have “user underscore end,” and when you want to add a new item to the list you just use a comma, so “user_start”. And let's just start with those two options. So we close that with a token, another dollar sign, and we flip over to form search mode, and you notice that instead of a text box you have a drop-down box with two values, and those are the two values that you specified.

00:09:13
So this allows you to narrowly define a particular form search so that your most frequently used values can be accessed not by typing but by using a drop-down box. So now we can continue with our usual customer ID field, and so now we have combined two different types. We have a drop-down box saying you want to look at when the user started or ended, and give the actual ID number.

00:09:54
So let's say, let's use our guy “9630”. So this is great, you are able to type these things in, but the most important part is being able to save this particular search, because you want to be able to access this thing at any particular point. And so these form searches are nothing more than a normal saved search, so using the typical routine, once you are satisfied with your search string then you can go ahead and click save search from the actions menu. So once you click save search, let's call this customer look up and go ahead and save that.

00:11:11
So now that this is saved, when you flip over to show as form you’ll notice at the top of it, it’s now labeled as customer look up, and a new link shows up called permalink, and this gives you two options on how to access this later. So the first option, let us reset, and say you're firing up Splunk for the first time and you remember, oh, I have my saved form: you click on the list of saved searches under the main actions menu and we have customer look up. So if you select that it automatically drops you into the form search for customer look up.

00:11:57
Now additionally, if you want to send this link around in an email, for instance, you can also click permalink, so now you’ll notice what happens in the URL: you now have a permalink that you can cut and paste into your email, and any time anyone clicks on this link, provided they have the right login credentials, they will automatically be sent over to this particular form.

00:12:24
This is the basic entry point for doing form search. In the next installment we will go over how to populate these drop-down boxes using dynamic values. For instance, if you have an LDAP user directory, you can dynamically populate the values of the drop-down list with your user names, for instance, that are pulled from an external data source. So until next time.

©2007 Splunk
