Topics

| pdf version

About the Splunk Admin Manual

How Splunk Works

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Transaction Types

Search

Distributed Search

Alerts

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Create a form search

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

Create a form search

Create a form search the same way you create a saved search, with these additional steps:


  • Decide which parts of the search to turn into variables.
  • Edit the search to be part of variables as form fields by surrounding them with dollar signs ($).

For example, the variable foo with ($) is saved search:


$foo$Search

When the saved search is clicked it will appear as the following:


Image:FormSearch-foo.jpg


Form searches with fields

Create form searches for indexed and extracted fields.


Preface your form field with the field name and surround the form field with quotes.


For example:


index=_internal AND sourcetype=splunkdSearch

can be made into a general (form) search for any sourcetype by adding sourcetype after the indexed field name and surrounding it with dollar signs:


index=_internal AND sourcetype="$sourcetype$"Search

Save this search as Daily indexing volume, and a user running the search sees:


Image:FormSearch-DailyIndexingVolume2.jpg


Form searches with predefined values

You can also specify form searches that have a list of valid values. The form generated will show a drop-down list. For example, the search 


sourcetype=_trade_entry AND TradeID="$Trade ID$" AND TradeType $TradeType=Accepted,Rejected,Hold$

This search limits TradeType to three values and presents them in a drop-down:


Image:FormSearch-SavedSearchDropList.png


Valid values can also come from an external source. For example: 


$user={/static/html/imap.users}$

Note: The external source must be accessible as a URL from the local domain. The file should live in $SPLUNK_HOME/share/splunk/search_oxiclean/static/html, should be a plain text file and contain the values that you want to show in the drop-down list in the following format:


['value1','value2','value3','value4']


Share your form search

Once you have refined your search, you can distribute it to your users.


Save it

  • Save your search via the drop-down arrow next to the search box.
    • From within the form search interface, click click show as text to return to the search box.
    • You can share your saved search with all users.

Permalink it

  • Once you have saved a search, you can permalink to the form search box.
    • View the saved search in the form view mode, and click the permalink option above the form search box. This creates a permalink URL that you can send to other Splunk users.
Retrieved from "http://www.splunk.com/base/Documentation/3.3.3/Admin/CreateAFormSearch"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.