I have a simple dashboard that has two input fields and a submit button and I would like to validate the fields.
If the user does not enter a value for the testName field, I would like to perform the search with a wildcard, i.e. *
. If they do enter a value, I will use that input in my search.
I have tried various versions of the below code, but haven’t had any luck. I’m sure this type of form validation is simple, but since I’m relatively new to Splunk I can’t get it quite right.
<form>
<label>Sent to External System</label>
<fieldset submitButton="true">
<input type="text" token="id">
<label>ID</label>
</input>
<input type="text" token="testName">
<label>Test Name</label>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query>sourcetype=myLog* CFE_LogComponent=Sent payload NOT "sched" "*$id$*" eval testName = if(isNull(testName) OR testName="", "*", testName)</query>
<earliest>@mon</earliest>
<latest>now</latest>
</search>
</event>
</panel>
</row>
</form>
As far as I know, you can't do what you want without Javascript.
Splunk doesn't give you the ability to validate/manipulate the intermediate token values in XML, i.e., the token value for $testName$ is going to be undefined unless it has something in the input box.
In Javascript, there a variety of ways to go about validating inputs and/or using things like TokenForwarders where you can set a default value when the input form is empty or has invalid values, but you must use Javascript.
You may be able to get the desired result by setting a default for your textinput. Like this
<fieldset submitButton="true">
<input type="text" token="id">
<label>ID</label>
<default>*</default>
</input>
<input type="text" token="testName">
<label>Test Name</label>
<default>*</default>
</input>
</fieldset>
And change your query to
<query>sourcetype=myLog* CFE_LogComponent=Sent payload NOT "sched" "*$id$*" testName="$testName$"</query>
I considered that but I really didn't want my users to see "*" in the field because I was concerned it might confuse them. I could set the default value to " ", but even that feels a little hacky to me. This type of validation is common with forms and if for nothing more than academic reasons I'd like to know what I'm missing.
In your original query, you cannot add eval in the base search. So you could try like this
sourcetype=myLog* CFE_LogComponent=Sent payload NOT "sched" "*$id$*" | eval testName = if(isNull(testName) OR testName="", "*", testName) | search testName