This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
Form searches are pages in Splunk Web that let you present a simplified search interface. Instead of requiring your users to type in a full search string every time they want to search on something, form searches let you alias out the part of the search that will remain the same for all users. For example, a tier 1 help desk support team may always search on serial number and user name. You can create a form search that only shows an input for a serial number and a user name so that whenever a tier 1 representative gets a call, he or she can input just the relevant search terms.
There are three different types of form searches, all building on the same basic concept described above:
Simple form search
The most basic form search is one or more text input boxes as described above. These simple form searches are built on the same simplified XML structure as simple dashboards. All the examples in app builder use this simplified XML format.
Dynamic form search
Form searches can contain more than search boxes for text input. Build form searches with drop-downs or radio buttons that display choices from a search. These form searches are called dynamic form searches because the choices are dynamically populated from a search. If you want to build a form search with dynamically populated radio buttons or drop downs, read about dynamic form search.
Advanced form search
If you're comfortable with Splunk's advanced XML syntax, you can build a more sophisticated form search with the ExtendedFieldSearch module within a search view.
Before you build a form search, you should understand the basics of how to build a custom UI in Splunk. Also, you may want to know more about how Splunk's simplified XML works here. Then, decide what your form search will look like, which fields you want to alias out and which you want to accept input from your users.
Form searches are built on fields or other identifiable parts of your data. First, build a search that fits your data and use case. Then, identify which parts of this search can be aliased out and hidden from your user. Finally, build a form search view.
App builder contains three example form searches. One of these is a basic search built on the "from" field in sendmail events. The other two examples contain dynamically populated radio buttons and drop downs. These two form search views present different options in the radio buttons and drop downs depending on your data. Adapt these examples to fit your use case.