SPLK-1004 Using Forms

Using Forms Detailed Explanation

1. Forms in Dashboards

In Splunk, forms refer to interactive dashboards that include input fields. These inputs allow users to:

• Filter the data shown in charts and tables

• Enter custom search parameters (like usernames, IPs, or keywords)

• Select time ranges or categories

• Control which panels are displayed or updated

Forms make dashboards dynamic and user-friendly, turning static views into powerful tools for investigation and monitoring.

Form inputs are placed in the form section of the dashboard XML and pass values to the search panels via tokens.

2. Supported Input Types

Splunk supports a variety of input controls for building flexible and responsive dashboards.

a) Text Boxes

• Free-text input from users

• Useful for keyword searches, usernames, IPs, etc.

Example:

<input type="text" token="username">
  <label>Enter Username</label>
</input>

b) Drop-down Menus

• User selects one option from a predefined or dynamic list

• Can be populated from search results or static values

Example:

<input type="dropdown" token="status">
  <label>Select Status</label>
  <choice value="200">OK</choice>
  <choice value="404">Not Found</choice>
</input>

c) Checkboxes

• Allow selecting multiple values

• Good for multi-select filters (e.g., regions, categories)

Example:

<input type="checkbox" token="region">
  <label>Select Region(s)</label>
  <choice value="us">US</choice>
  <choice value="eu">Europe</choice>
</input>

d) Time Pickers

• Let users choose a time range

• Directly controls earliest and latest search parameters

Example:

<input type="time" token="time_range">
  <label>Select Time Range</label>
</input>

Time pickers are essential in most dashboards for narrowing down search scope and improving performance.

3. Token Usage

Tokens are placeholders that get replaced with user input at runtime.

Syntax:

$token_name$

These tokens are used inside search queries to dynamically adjust based on user interaction.

Example Use Case:

<search>
  <query>index=main status=$status$</query>
</search>

• The $status$ token will be replaced by the value selected in the drop-down.

• If the user selects 200, the query becomes:

index=main status=200

You can also use tokens in:

• Chart titles

• Conditional logic

• Panel visibility

4. Default and Dependent Inputs

a) Set Default Values

You can configure default values for any form input, ensuring that the dashboard loads with valid parameters even before any user interaction.

Example:

<input type="dropdown" token="status">
  <default>200</default>
  ...
</input>

This helps:

• Prevent empty results on initial load

• Provide context to new users

• Improve dashboard usability

b) Dependent Inputs (Conditional Filters)

Sometimes one input should be dependent on another — for example, a second drop-down should populate only after the first one is selected.

This can be done using search-driven inputs and token chaining.

Example:

<input type="dropdown" token="service">
  <label>Select Service</label>
  <choice value="web">Web</choice>
  <choice value="db">Database</choice>
</input>

<input type="dropdown" token="endpoint">
  <label>Select Endpoint</label>
  <search>
    <query>index=main service=$service$ | stats count by endpoint</query>
  </search>
</input>

Here, the endpoint drop-down depends on the selected service.

Summary Table: Forms and Inputs

Feature	Description
Form Dashboard	Interactive dashboard that uses input fields
Text Box	User enters custom values
Drop-down Menu	User selects one value from a list
Checkboxes	User selects multiple values
Time Picker	Allows user-defined time filtering
Tokens	Dynamic values passed from inputs to search panels
Default Values	Predefined input values on dashboard load
Dependent Inputs	Inputs that update based on another input’s value

Using Forms (Additional Content)

1. <default> vs <initialValue>

Splunk form inputs support two mechanisms to pre-populate values: <default> and <initialValue>. Understanding their difference is crucial for both UX design and exam accuracy.

<default>

• Applies persistently after refreshes

• Resets the token to the default value on each load

• Useful when you want the dashboard to always start in a known state

<initialValue>

• Only applies on first load

• Once a user changes the input, the value is retained even across refreshes

• More flexible for user-driven workflows

Example:

<input type="text" token="user">
  <label>Enter Username</label>
  <default>admin</default>
  <initialValue>guest</initialValue>
</input>

• First-time users will see "guest"

• On reload, it reverts to "admin" unless user interaction occurred

Exam Tip: Expect scenario questions asking why a value "reverts" or "persists" across sessions.

2. Token Types

Splunk dashboards use tokens to pass values between inputs, panels, and logic. It's important to distinguish between token types:

a) Form Input Tokens

• Triggered by inputs like drop-downs or text fields

• Example: $user$ (from a username text input)

b) Drilldown Tokens

• Triggered by user interactions with visualizations

• Examples:

  • $click.value$: Value clicked in a chart

  • $row.status$: Field from a clicked table row

c) Global Tokens

• Accessible across the entire dashboard (not restricted to one panel)

• Often set using <set token="token_name" scope="global">...</set>

These distinctions are useful when controlling token scope and behavior, especially across multiple panels or drilldown-linked dashboards.

3. Conditional Panels with depends

Splunk provides a native way to show or hide panels based on the presence or value of a token. This is done using the depends attribute.

Syntax Example:

<panel depends="$user$">
  <title>Details for $user$</title>
  <table>
    <search>
      <query>index=auth user="$user$"</query>
    </search>
  </table>
</panel>

• The panel only appears if the $user$ token has a value

• Useful for:

  • Drilldown response panels

  • Progressive disclosure (advanced filters)

Exam Tip: Scenario-based questions may ask how to hide/show panels based on input—depends="$token$" is the expected solution.

4. choice value vs label in Inputs

When defining drop-downs or checkboxes, both a label and a value can be specified.

Definition:

• value: The actual content assigned to the token (used in search logic)

• label: The user-facing display text in the dashboard

Example:

<choice value="200">OK (200)</choice>
<choice value="404">Not Found (404)</choice>

If the user selects "Not Found (404)", the token will be set to "404".

Important Distinctions:

• Search queries use the value

• UI elements display the label

Exam Tip: Questions may ask:

“What value is passed to the token when a drop-down is used?”

→ The correct answer is the value, not the label.

Additional Practical Tips

• Always use default or initial values to avoid blank tokens at load time

• Use field-based token chaining with drilldowns for dynamic dashboards

• Design for token reset behavior to avoid stale values when switching contexts

Conclusion

Understanding forms in Splunk means more than just using inputs. It involves:

• Managing token lifecycles and types

• Configuring display vs logic values correctly

• Controlling panel visibility through token states

• Creating predictable, user-friendly, and testable interfaces

Mastery of these details not only improves exam performance but also leads to better real-world dashboard development.