topic Re: Prevent Wildcard In User Input in Splunk Search

Prevent Wildcard In User Input

JohannLiebert92 — Fri, 09 Jun 2017 09:47:13 GMT

Hi everyone,

I've developed a dashboard with text input for my user. However, I do not want my users to use wildcard in the input, is there any way to disable/prevent user from using wildcard (*)?

Thanks!!

Re: Prevent Wildcard In User Input

BlueSocket — Fri, 09 Jun 2017 10:01:04 GMT

Hi,

Could you provide a drop down which is populated with all of the possible search items? Or are you looking for validation of input fields before they are submitted?

Re: Prevent Wildcard In User Input

JohannLiebert92 — Fri, 09 Jun 2017 10:11:57 GMT

Hi BlueSocket,

Thanks for the quick response. I'm actually looking for a relatively straightforward way (if any) to prevent user from using wildcard in Text Input. But I think you just enlightened me to use drop down instead for that purpose. (I guess input validation with js would work for Text Input too). Thanks!!

Re: Prevent Wildcard In User Input

BlueSocket — Fri, 09 Jun 2017 10:15:21 GMT

It's easier to do the drop down, seriously

Re: Prevent Wildcard In User Input

christopher_mcc — Wed, 22 Nov 2017 18:42:44 GMT

Preventing wildcards in dashboard text form fields is relatively easy. Example preventing * asterisks from being entered. The result is a bold red error message and the search is not executed.

<input type="text" token="user_name">
  <label>Username</label>
      <change><!--event trigger on submit to check for * in the user_name field-->
      <condition match="not like($value$,&quot;*&quot;)">
        <!--if input contains *, eval sets a token which stops the search and displays the html reject-->
       <set token="logLevelTok">$value$</set>
    </condition>
    <condition><!--no * is in user_name field-->
       <unset token="logLevelTok"></unset>
    </condition>
   </change>
</input>
  <html rejects="$logLevelTok$">
     <div>
       <p style="color:red;font-weight:bold;font-size:150%;text-align:left;">
       Asterisks &quot;*&quot; are not permitted.
       </p>
     </div>
  </html>

,If you need an input text form field, you can prevent wildcards by tokens and conditions. Example:

<input type="text" token="user_name">
  <label>Username</label>
      <change><!--event triggered by submit, checks user_name field for astericks-->
      <condition match="not like($value$,&quot;*&quot;)">
        <!--if input contains *, eval sets a token which stops the search and displays the html reject-->
       <set token="logLevelTok">$value$</set>
    </condition>
    <condition><!--no * is in user_name field-->
       <unset token="logLevelTok"></unset>
    </condition>
   </change>
</input>
  <html rejects="$logLevelTok$">
     <div>
       <p style="color:red;font-weight:bold;font-size:150%;text-align:left;">
       Asterisks &quot;*&quot; are not permitted.
       </p>
     </div>
  </html>

The output is bold letters warning the user about wild cards just below the form field.

Re: Prevent Wildcard In User Input

niketn — Wed, 22 Nov 2017 22:55:29 GMT

Option 1: Using eval with case() to set the token if asterix is not entered in the text box

<form>
  <label>Text Box validation</label>
  <fieldset submitButton="false">
    <input type="text" token="selText">
      <label>Enter Log Level (like INFO, WARN, ERROR, FATAL etc)</label>
      <change>
        <eval token="tokLogLevel">case(len($value$)&gt;0 AND NOT like($value$,"%*%"),$value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html rejects="$tokLogLevel$">
        <div style="color:red;text-align:center;font-weight:bold;font-size:150%">
          Log Level does not accept asterix (*)!!!
        </div>
      </html>
      <table depends="$tokLogLevel$">
        <title>Log Level Volume</title>
        <search>
          <query>index="_internal" sourcetype=splunkd log_level="$tokLogLevel$"
          | stats count by log_level
          | appendpipe [| makeresults
          | eval log_level="$tokLogLevel$",count=0
          | fields - _time]
          | dedup log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Following is the run anywhere dashboard based on one of my previous answers: https://answers.splunk.com/answers/513440/how-to-validate-text-field-token-without-using-jav.html (I had assumed in my answer that SimpleXML will use JavaScript regular expression and match would work asterix but it did not 😞 )

Second Option: Using Dummy Search with eval match() to set the token if asterix is not entered in the text box:

<form>
  <label>Text Box validation Option 2</label>
  <fieldset submitButton="false">
    <input type="text" token="selText" searchWhenChanged="true">
      <label>Enter Log Level (like INFO, WARN, ERROR, FATAL etc)</label>
    </input>
  </fieldset>
  <search>
    <query>|  makeresults
|  eval testData="$selText$"
|  eval tokLogLevel=case(len(testData)&gt;0 AND match(testData,"^[^\*]+$"),testData)
|  table testData tokLogLevel
    </query>
    <done>
      <condition match="isnull($result.tokLogLevel$) OR isnull($form.selText$)">
        <unset token="tokLogLevel"></unset>
      </condition>
      <condition>
        <set token="tokLogLevel">$result.tokLogLevel$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <html rejects="$tokLogLevel$">
        <div style="color:red;text-align:center;font-weight:bold;font-size:150%">
          Log Level does not accept asterix (*)!!!
        </div>
      </html>
      <table depends="$tokLogLevel$">
        <title>Log Level Volume</title>
        <search>
          <query>index="_internal" sourcetype=splunkd log_level="$tokLogLevel$"
          | stats count by log_level
          | appendpipe [| makeresults
          | eval log_level="$tokLogLevel$",count=0
          | fields - _time]
          | dedup log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>