I am trying to create a text input in splunk dashboard that should ignore the ticket numbers entered by the user in the text box while running the query and If user doesn't input anything in that text box then by default it should search all tickets.

I tried a few ways to achieve this through eval, makeresults, etc. but no luck in getting it to work.

Any ideas on how can i achieve this functionality ?

<form version="1.1" theme="light">
<label>TEST</label>
<search id="tickets">
<query> index=tickets earliest=-1d latest=now
| eval search_ticket=if(len("$ticket_number$")=0, "ticket_number=*", "NOT ticket_number IN ($ticket_number$)")
</query>
</search>
<fieldset submitButton="true" autoRun="false">
<input type="text" token="ticket_number">
<label>ticket_number</label>
</input>
<row>
<panel>
<table>
<title>Results</title>
<search base="tickets">
<query>| search $search_ticket$|table ticket_number</query>
</search>
</table>
</panel>
</row>
</form>