How to allow wildcard inputs in a dashboard input textbox, but not allow just "*" (star) to be entered?

Glasses
Builder

Hi,

I am having no luck with a dashboard input restriction.

I have a dashboard textbox input that queries a lookup. For instance, the input could be "hostname". I want the user to be able to put in the exact value or a partial value with a wildcard "*". So if hostname = 12345ABCD, they could enter the exact value or 12345A* and return all those that match. BUT I don't want them to just enter hostname = "*" and pull everything back.

Any ideas how to sanitize the inputs so a user cannot just use "*" star?

Thank you

0 Karma

jeffland
SplunkTrust

I see there are existing answers that handle the logic in a search in SPL. For the question asked, I would prefer to handle the logic on the dashboard. Here's how I'd do it:

<fieldset submitButton="false">
  <input type="text" token="raw_tok">
    <label>Search for something</label>
    <change>
      <condition match="match(value, &quot;^\\*$&quot;)">
        <unset token="target"></unset>
      </condition>
      <condition value="*">
        <set token="target">$value$</set>
      </condition>
    </change>
  </input>
</fieldset>
<row>
  <panel rejects="$target$">
    <html>
      <p>Please use wildcards only after at least specifying part of a value, such as "something*"</p>
    </html>
  </panel>
  <panel depends="$target$">
    <table>
      <search>
        <query>| makeresults | eval foo = "something_123" | search foo="$target$"</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">none</option>
    </table>
  </panel>
</row>

In addition to keeping the logic on the dashboard, this will only create a search job when the condition is met; otherwise it would wait for the unset token to be filled. Using the dashboard eval logic also allows you to, e.g., check for a minimum input length or other conditions. More details in docs for eval and match.

Obvious reminder that this is not a security feature, only a UI limitation on this dashboard - your users can of course still open a working search and change the SPL to search for "*", or not filter at all.
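
The dashboard-side rule from the post above, generalized as an added example (not code from the post or from Splunk): it rejects any value made up only of wildcards, not just a single "*", and requires part of the value before the first wildcard. The function name `checkWildcardInput` and the minimum prefix length of 3 are assumptions.

```javascript
// Added example: a model of the dashboard-side check in plain JavaScript.
// MIN_PREFIX and checkWildcardInput are hypothetical names, not Splunk APIs.
const MIN_PREFIX = 3; // literal characters required before the first "*"

function checkWildcardInput(raw, minPrefix = MIN_PREFIX) {
  const value = String(raw ?? "").trim();
  if (value === "") {
    return { ok: false, reason: "empty" };
  }
  // "*", "**" and "* *" all match everything; a test for exactly "*"
  // only catches the first of them.
  if (/^[*\s]+$/.test(value)) {
    return { ok: false, reason: "wildcard-only" };
  }
  const firstStar = value.indexOf("*");
  if (firstStar === -1) {
    return { ok: true, value }; // exact value, no wildcard to restrict
  }
  // Require part of the value before the wildcard, as in "something*".
  if (firstStar < minPrefix) {
    return { ok: false, reason: "prefix-too-short" };
  }
  // Collapse runs of stars so "12345A***" and "12345A*" are the same term.
  return { ok: true, value: value.replace(/\*+/g, "*") };
}

// Constructed sample inputs, using the hostname from the question.
const samples = ["12345ABCD", "12345A*", "*", "**", " * ", "*ABCD", "1*", "12345A***"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(checkWildcardInput(s)));
}
```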

somesoni2
SplunkTrust

How about this? (you can't modify a token from a search)

| inputlookup <host-identity-lookup> 
| search $field_tok$ IN ([|makeresults | eval search= if("$value_tok$"="*" ,"","$value_tok$")| table search]) 
| fields hostname fooNumber barID .... etc

0 Karma

Glasses
Builder

yes "cannot modify token from a search" was part of the problem, will try your logic and get back to you.  TY!!

0 Karma

Glasses
Builder

keep getting error in eval command, expression is malformed. Expected ).

0 Karma

somesoni2
SplunkTrust

I created a sample dashboard with similar logic and it works there. Please compare the logic/syntax with your query and see if there is any difference.

<form theme="dark">
  <label>Sample Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="hostname">
      <label>Search Filter:</label>
      <default></default>
     
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Token=$hostname$</title>
      <table>
        <search>
          <query>index=_internal | search host IN ([|makeresults | eval search= if("$hostname$"="*" ,"","$hostname$")| table search])   | timechart count
| sort -_time</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

Glasses
Builder

yeah had a syntax error that cleared after I relaunched the dashboard (weird).

The logic works to prevent entering only "*" but for some reason now partial hostname values <foo>* do not work.

Can you wildcard in your dashboard?

0 Karma

somesoni2
SplunkTrust

Yes I can.

Try this

| inputlookup <host-identity-lookup> 
| search $field_tok$=[|makeresults | eval search=if("$value_tok$"="*" ,"","$value_tok$") | table search]
| fields hostname fooNumber barID .... etc

Glasses
Builder

Thank you so much!!!

OMG, I must have had a whitespace or something copied in wrong to the dash bc I kept getting errors.

After copy/paste your code, it worked rather than editing mine (weird).

Just FYI, in my dashboard when the "" (double quote as none) is used I get an error >> Comparator "=" is missing a term; that is after a single * is entered as the user input.

So I swapped with "NULL" and you don't see the error...

[|makeresults | eval search=if("$value_tok$"="*" ,"","$value_tok$") | table search]

[|makeresults | eval search=if("$value_tok$"="*" ,"NULL","$value_tok$") | table search]

Again TY so much!!! I would have been reiterating for the rest of the day...

0 Karma

somesoni2
SplunkTrust

How are you using the hostname token in your queries? You could put a text above/below the textbox to show the restriction (e.g. don't enter just a wildcard) and then use a subsearch to not show anything if only * is used, e.g.

index=foo sourcetype=bar [| makeresults | eval host=if("$hostname$"="*","YouCantSeeMe","$hostname$") | table host] ...rest of your search
0 Karma

Glasses
Builder

Thank you for the reply.

My query is a bit more complicated; here is my quick insert of your logic (doesn't work):

| inputlookup <host-identity-lookup> 
| eval $value_tok$=if("$value_tok$"="*",null,"$value_tok$")
| search $field_tok$ IN ($value_tok$) 
| fields hostname fooNumber barID .... etc

So I have a dropdown input that sets the field name token as "$field_tok$" and the value for the field is the input of a partial hostname, "$value_tok$", thus

... | search $field_tok$ IN ($value_tok$)

will create

... | search hostname=<user's input of hostname>

Any ideas how to work your logic in here? TY

0 Karma

Glasses
Builder

was thinking to use null if... but cannot get it to work

0 Karma