Solved: Re: How to allow wildcard inputs in a dashboard in...

Glasses · ‎06-03-2022

Hi,

I am having no luck with a dashboard input restriction.

I have a dashboard textbox input that queries a lookup. For instance, the input could be "hostname". I want the user to be able to put in the exact value or partial with a wildcard "*". So if hostname = 12345ABCD, they could enter the exact or 12345A* and return all those that match. BUT I don't want them to just enter hostname = "*" and pull everything back.

Any ideas how to sanitize the inputs so a user cannot just use "*" star?

Thank you

somesoni2 · ‎06-03-2022

Yes I can.

Try this

| inputlookup <host-identity-lookup> 
| search $field_tok$=[|makeresults | eval search=if("$value_tok$"="*" ,"","$value_tok$") | table search]
| fields hostname fooNumber barID .... etc

View solution in original post

jeffland · ‎06-07-2022

I see there are existing answers that handle the logic in a search in SPL. For the question asked, I would prefer to handle the logic on the dashboard. Here's how I'd do it:

<fieldset submitButton="false">
    <input type="text" token="raw_tok">
      <label>Search for something</label>
      <change>
        <condition match="match(value, &quot;^\\*$&quot;)">
          <unset token="target"></unset>
        </condition>
        <condition value="*">
          <set token="target">$value$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel rejects="$target$">
      <html>
        <p>Please use wildcards only after at least specifying part of a value, such as "something*"</p>
      </html>
    </panel>
    <panel depends="$target$">
      <table>
        <search>
          <query>| makeresults | eval foo = "something_123" | search foo="$target$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

In addition to keeping the logic on the dashboard, this will only create a search job when the condition is met, otherwise it would wait for the unset token to be filled. Using the dashboard eval logic also allows to e.g. check for a minimum input length or other conditions. More details in docs for eval and match.

Obvious reminder that this is not a security feature, only a UI limitation on this dashboard - your users can of course still open a working search and change the SPL to search for "*", or not filter at all.

somesoni2 · ‎06-03-2022

How about this? (you can't modify a token from a search)

| inputlookup <host-identity-lookup> 
| search $field_tok$ IN ([|makeresults | eval search= if("$value_tok$"="*" ,"","$value_tok$")| table search]) 
| fields hostname fooNumber barID .... etc

Glasses · ‎06-03-2022

yes "cannot modify token from a search" was part of the problem, will try your logic and get back to you. TY!!

Glasses · ‎06-03-2022

keep getting error in eval command, expression is malformed. Expected ).

somesoni2 · ‎06-03-2022

I created a sample dashboard with similar logic and it works there. Please compare the logic/syntax with your query and see if there is any difference.

<form theme="dark">
  <label>Sample Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="hostname">
      <label>Search Filter:</label>
      <default></default>
     
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Token=$hostname$</title>
      <table>
        <search>
          <query>index=_internal | search host IN ([|makeresults | eval search= if("$hostname$"="*" ,"","$hostname$")| table search])   | timechart count
| sort -_time</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Glasses · ‎06-03-2022

yeah had a syntax error that cleared after I relaunched the dashboard (weird).

The logic works to prevent entering only "*" but for some reason now partial hostname values <foo>* does not work.

Can you wildcard in your dashboard?

somesoni2 · ‎06-03-2022

Yes I can.

Try this

| inputlookup <host-identity-lookup> 
| search $field_tok$=[|makeresults | eval search=if("$value_tok$"="*" ,"","$value_tok$") | table search]
| fields hostname fooNumber barID .... etc

Glasses · ‎06-03-2022

Thank you so much!!!

OMG, I must have had a whitespace or something copied in wrong to the dash bc I kept getting errors.

After copy/paste your code, it worked rather than editing mine (weird).

Just fyi , in my dashboard when the "'' (double quote as none) is used I get an error>> Comparator "=" is missing a term, that is after a single * is entered as the user input.

so I swapped with "NULL" and you don't see the error...

[|makeresults | eval search=if("$value_tok$"="*" ,"","$value_tok$") | table search]


[|makeresults | eval search=if("$value_tok$"="*" ,"NULL","$value_tok$") | table search]

Again TY so much!!! I would have been reiterating for the rest of the day...

somesoni2 · ‎06-03-2022

How are you using the hostname token in your queries? You could put a text above/below the textbox to show restriction (e.g. don't enter just wildcard) and then use a subsearch to not show anything if only * is used). e.g.

index=foo sourcetype=bar [| makeresults | eval host=if("$hostname$"="*","YouCantSeeMe","$hostname$") | table host] ...rest of your search

Glasses · ‎06-03-2022

Thank you for the reply.

My query is bit more complicated, here is my quick insert of your logic (doesn't work)

| inputlookup <host-identity-lookup> 
| eval $value_tok$=if("$value_tok$"="*",null,"$value_tok$")
| search $field_tok$ IN ($value_tok$) 
| fields hostname fooNumber barID .... etc

so I have a dropdown input that sets the field name token as " $field_tok$" and the value for the field is the input of a partial hostname, "$value_tok$", thus

... | search $field_tok$ IN ($value_tok$)

will create

... | search hostname=<user's input of hostname>

any ideas how to work your logic in here? TY

Glasses · ‎06-03-2022

was thinking to use null if... but cannot get it to work

How to allow wildcard inputs in a dashboard input textbox, but not allow just "*" (star) to be entered?

Dashboard Studio

single value

token

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies