Form searches
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6
Contents
Form searches
Form searches are saved searches that appear as forms when run. Save any search with parameters to be specified by the user running the search. The user fills in the parameters before running the search. You can create a sophisticated saved search and save it as a form with as many form fields as you like.
For example, you can define a search that returns all Web server errors for any username to be specified at search time:
503 OR 500 OR 404 sourcetype=access_common $user$
When run, this search appears as a form labeled user.
The search 503 OR 500 OR 404 sourcetype=access_common is still part of the search, but does not appear to the user.
Note: Form search works via text substitution, so the form fields can consist of anything, not just an indexed or an extracted field.
Create a form search
Create a form search the same way you create a saved search, with these additional steps:
- Decide which parts of the search to turn into variables.
- Specify variables as form fields by surrounding them with dollar signs ($).
For example, the search
$foo$will appear as the following:
Form searches with fields
Create form searches for indexed and extracted fields.
Preface your form field with the field name and surround the form field with quotes.
For example:
index=_internal AND sourcetype=splunkdcan be made into a general (form) search for any sourcetype by adding sourcetype after the indexed field name and surrounding it with dollar signs:
index=_internal AND sourcetype="$sourcetype$"Save this search as Daily indexing volume, and a user running the search sees:
Form searches with predefined values
You can also specify form searches that have a list of valid values. The form generated will show a drop-down list. For example, the search
sourcetype=_trade_entry AND TradeID="$Trade ID$" AND TradeType $TradeType=Accepted,Rejected,Hold$
This search limits TradeType to three values and presents them in a drop-down:
Valid values can also come from an external source. For example:
$user={/static/html/imap.users}$
Note: The external source must be accessible as a URL from the local domain. The file should live in $SPLUNK_HOME/share/splunk/search_oxiclean/static/html, should be a plain text file and contain the values that you want to show in the drop-down list in the following format:
['value1','value2','value3','value4']
Share your form search
Once you have refined your search, you can distribute it to your users.
Save it
- Save your search via the drop-down arrow next to the search box.
- From within the form search interface, click click show as text to return to the search box.
- You can share your saved search with all users.
Permalink it
- Once you have saved a search, you can permalink to the form search box.
- View the saved search in the form view mode, and click the permalink option above the form search box. This creates a permalink URL that you can send to other Splunk users.