Re: Dashboard text input - accepting null and esca...

PleaseHelp · ‎05-21-2025

Hi,

My dashboard has a few text boxes and I'm trying to make the inputs as user friendly as possible.

I came across multiple issues which I have solved with previous posts however, there is a conflict with the solutions that prevent me from implementing both at the same time.

#1 - If a text input is empty then that field should be ignored in the search. This can be fixed by adding a prefix and suffix

Ideally we can also input partial paths so there is also an implicit * character.

    <input type="text" token="Get_Process_Path">
      <label>Process Name or Path</label>
      <prefix>process_path="*</prefix>
      <suffix>*"</suffix>
    </input>

https://community.splunk.com/t5/Dashboards-Visualizations/Evaluating-form-field-if-not-null/td-p/181...

#2 - Interpret back slash characters as text so we don't need to manually add \\ to every path. The |s filter for tokens fixed this.

process_path=$Get_Process_Path|s$

https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-escape-backslashes-in-user-inpu...

I can get both of these working on their own but not at the same time. Is there a way to do this or do I need a different approach?

Thanks.

ITWhisperer · ‎05-21-2025

Why are you using

proces_path=$Get_Process_Path|s$

if $Get_Process_Path$ already has the process_path="* prefix? Is this what is causing the issue?

PleaseHelp · ‎05-22-2025

Hi,

I have tried this without the proces_path= assignment since that is in the prefix, so just $Get_Process_Path|s$

Here is a snippet:

<input type="text" token="Get_Process_Path">
<label>Process Name or Path</label>
<prefix>process_path="*</prefix>
<suffix>*"</suffix>
</input>

<query>index=windows EventCode=4688
$Get_Process_Path|s$

This will break the search, I believe it's because |s is wrapping additional quotes around what is in the prefix.

But I need both of those things to fix the individual issues.

bowesmana · ‎05-22-2025

See this example dashboard - this uses a <change> block on the input to change the token

<form version="1.1" theme="light">
  <label>Backslash escaped input</label>
  <fieldset submitButton="false">
    <input type="text" token="Get_Process_Path" searchWhenChanged="true">
      <label>Enter Path</label>
      <prefix>process_path="*</prefix>
      <suffix>*"</suffix>
      <change>
        <eval token="escaped_path">replace($Get_Process_Path$, "\\\\", "\\\\")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>Token created from the user's input is <b style="color:blue">[$Get_Process_Path$]</b> and the up[dated search token applied is <b style="color:red">[$escaped_path$]</b></html>
      <table>
        <search>
          <query>index=_audit $escaped_path$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Dashboard text input - accepting null and escaping back slashes

Classic dashboard

table

token

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?