Hi, Splunkers,
When I run a Splunk search, I use NOT string to exclude results with this string.
If I have a dashboard, how do I add a text or dropdown input to select this string and exclude it from the dashboard results?
BTW, this string might not be a value of any field, just a random string.
Kevin
Yanliu,
thanks for your quick response.
But what I want is not to add a basic input to search for it.
<input type="text" token="free_text_tok" searchWhenChanged="true">
  <label>Arbitrary string</label>
  <default></default>
</input>
which results in using $free_text_tok$ to search in my query.
But what I need is NOT $free_text_tok$ in my search.
Kevin
but what I need is NOT $free_text_tok$ in my search.
Sorry for the bad slip. The search should be
base search _raw!="*$free_text_tok$*"
My first answer missed two points. In addition to "NOT", you also need wildcards unless the arbitrary string is expected to be surrounded by blanks like a word.
I may or may not have this text or dropdown input to exclude this string.
That means if I don't have this exclude string from this text or dropdown input,
then search _raw!="" ??? I tried something similar, but it is not working.
Update: @rrovers' solution is correct. The below workarounds are workable but not as good.
I may or may not have this text or dropdown input to exclude this string.
One trick that I have used is to set an impossible default, e.g.,
<input type="text" token="free_text_tok" searchWhenChanged="false">
  <label>Arbitrary string</label>
  <default>Super‐cali‐fragil‐istic‐expi‐ali‐docious</default>
</input>
This way, you can still plug the exclusion in the main search as illustrated above.
Another method is to sacrifice some performance and perform exclusion in a filter, like
| where NOT if(len("$free_text_tok$")==0, false(), searchmatch("*$free_text_tok$*"))
Use this with null default so your default screen won't look silly
<input type="text" token="free_text_tok" searchWhenChanged="false">
  <label>Arbitrary string</label>
  <default></default>
</input>
(Just FYI this is best asked in Dashboards & Visualizations.) I do this:
<input type="text" token="free_text_tok" searchWhenChanged="true">
  <label>Arbitrary string</label>
  <default></default>
</input>
Alternatively, go to the UI editor, "Add Input" and select Text. Give a token name such as "free_text_tok".
original search $free_text_tok$
That's it.
There are several things you want to consider, like security. Do you want your user to inject a truly arbitrary string that could be interpreted as something else, like a filter, a macro, etc.? I usually add quotation marks,
original search "$free_text_tok$"
But even this is not safe against SQL injection-style attacks/goof-ups.
You should be able to modify the contents of the token to include "NOT".
<input type="text" token="free_text_tok" searchWhenChanged="true">
  <label>Arbitrary string</label>
  <default></default>
  <change>
    <condition>
      <set token="not_free_text_tok">NOT $free_text_tok|s$</set>
    </condition>
  </change>
</input>
And use $not_free_text_tok$ in the query.
<change> <condition> <set token=not_free_text_tok>NOT $free_text_tok|s$</set> <condition> </set>
Should <condition> </set> be </condition> </change>?
Besides, there is an unquoted attribute value in the line <set token=not_free_text_tok>........
Kevin
Thanks for proofreading. I've corrected my reply.
Why don't you use "NOT" in your search?
rrovers,
I need to input this string in an input box or select this string from dropdown list in dashboard.
Kevin
Besides, I can't use NOT $tokenname$ in the XML, because I may or may not use this EXCLUDE string.
Kevin
In fact, @rrovers's suggestion is correct. Use this in search
original search NOT _raw="*$free_text_tok$*"
This works with blank default, and won't sacrifice performance.
It doesn't work.
If I put NOT _raw="*$free_text_tok$*" in my search, then it changes to NOT _raw="*"*" "tokenvalue"*"
If I put NOT _raw="$free_text_tok$" in my search, then it changes to NOT _raw=""*" "tokenvalue"" in the real search.
Kevin
You are correct in that NOT _raw="*$free_text_tok$*" will still exclude everything when token value is null. Try the other workarounds illustrated in https://community.splunk.com/t5/Splunk-Search/How-to-exclude-a-string-in-dashboard-search/m-p/579251...
I made a sample dashboard using the "| where" method.
<form version="1.1">
  <label>input test 2</label>
  <fieldset submitButton="false">
    <input type="text" token="free_text_tok" searchWhenChanged="true">
      <label>arbitrary</label>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal
| where NOT if(len("$free_text_tok$")==0, false(), searchmatch("*$free_text_tok$*"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
Test searches seem to satisfy your requirements.
if I put NOT _raw="*$free_text_tok$*" in my search, then it changes to NOT _raw="*"*" "tokenvalue"*"
This part seems strange. I made a test dashboard specifically for this. As said, it returns nothing when input string is null. But when there is value, it doesn't split into the result you get.
<form version="1.1">
  <label>input test</label>
  <fieldset submitButton="false">
    <input type="text" token="free_text_tok" searchWhenChanged="true">
      <label>arbitrary</label>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal NOT _raw="*$free_text_tok$*"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
When input string is "admin", the search expands into
index=_internal NOT _raw="*admin*"
which is desired. (However, when input is "", search becomes index=_internal NOT _raw="**" which is undesirable.)
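Added example, not written by any poster in this thread: a simplified Python model of the token substitution discussed above. It reproduces the blank-input expansion to NOT _raw="**", shows how an unquoted or plainly quoted $free_text_tok$ lets the input change the structure of the search while the |s form keeps it a single string, and builds the exclusion only when the input is non-empty. The function names and the exact escaping applied by quote_s are assumptions of this sketch, not Splunk code.

```python
import re

def quote_s(value: str) -> str:
    """Simplified model of the |s token filter (assumed rules): wrap the
    value in double quotes, escaping backslashes and embedded quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def expand(template: str, tokens: dict) -> str:
    """Textually substitute $name$ and $name|s$, as a dashboard does
    before the search string reaches the search parser."""
    def repl(match):
        value = tokens.get(match.group(1), "")
        return quote_s(value) if match.group(2) else value
    return re.sub(r"\$(\w+)(\|s)?\$", repl, template)

def exclusion_clause(user_input: str) -> str:
    """Hypothetical helper: blank input yields no clause at all, anything
    else yields NOT "<escaped input>" (the NOT $free_text_tok|s$ form)."""
    return "NOT " + quote_s(user_input) if user_input.strip() else ""

def build_search(base: str, user_input: str) -> str:
    """Append the optional exclusion to a base search."""
    tokens = {"not_free_text_tok": exclusion_clause(user_input)}
    return expand(base + " $not_free_text_tok$", tokens).strip()

if __name__ == "__main__":
    # Constructed inputs; none of them come from the thread.
    cases = [
        ('index=_internal NOT _raw="*$free_text_tok$*"', ""),
        ('original search $free_text_tok$', "admin | stats count"),
        ('original search "$free_text_tok$"', 'a" OR "b'),
        ('original search $free_text_tok|s$', 'a" OR "b'),
    ]
    for template, value in cases:
        print(repr(value), "->", expand(template, {"free_text_tok": value}))
    for value in ("", "admin", 'a" OR "b'):
        print(repr(value), "->", build_search("index=_internal", value))
```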