Splunk Search

How to exclude a string in dashboard search?

wangkevin1029
Communicator

Hi, Splunkers,

When I run a Splunk search, I use NOT string to exclude results containing this string.

If I have a dashboard, how do I add a text or dropdown input to select this string and exclude it from the dashboard results?

BTW, this string might not be a value of any field, just a random string.

Kevin

0 Karma

wangkevin1029
Communicator

Yuanliu,

Thanks for your quick response.

But what I want is not to add a basic input to search for it.

    <input type="text" token="free_text_tok" searchWhenChanged="true">
      <label>Arbitrary string</label>
      <default></default>
    </input>

which results in using $free_text_tok$ to search in my query.

But what I need is NOT $free_text_tok$ in my search.

Kevin

0 Karma

yuanliu
SplunkTrust
SplunkTrust

but what I need is NOT  $free_text_tok$ in my search.

Sorry for the bad slip.  The search should be

base search _raw!="*$free_text_tok$*"

My first answer missed two points.  In addition to "NOT", you also need wildcards unless the arbitrary string is expected to be surrounded by blanks like a word. 

0 Karma

wangkevin1029
Communicator

I may or may not have this text or dropdown input to exclude this string.

That means if I don't have this exclude string from this text or dropdown input,

then search _raw!="" ??? I tried something similar, but it's not working.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Update: @rrovers' solution is correct. The workarounds below are workable but not as good.

I may or may not have this text or dropdown input to exclude this string.

One trick that I have used is to set an impossible default, e.g.,

    <input type="text" token="free_text_tok" searchWhenChanged="false">
      <label>Arbitrary string</label>
      <default>Super‐cali‐fragil‐istic‐expi‐ali‐docious</default>
    </input>

This way, you can still plug the exclusion into the main search as illustrated above.

Another method is to sacrifice some performance and perform the exclusion in a filter, like

| where NOT if(len("$free_text_tok$")==0, false(), searchmatch("*$free_text_tok$*"))

Use this with a null default so your default screen won't look silly:

    <input type="text" token="free_text_tok" searchWhenChanged="false">
      <label>Arbitrary string</label>
      <default></default>
    </input>

0 Karma

yuanliu
SplunkTrust
SplunkTrust

(Just FYI this is best asked in Dashboards & Visualizations.) I do this:

  1. In Simple XML

      <input type="text" token="free_text_tok" searchWhenChanged="true">
        <label>Arbitrary string</label>
        <default></default>
      </input>

Alternatively, go to the UI editor, "Add Input" and select Text. Give a token name such as "free_text_tok".

  2. In your panel search, use $free_text_tok$ in the search string, e.g.,

original search $free_text_tok$

That's it.

There are several things you want to consider, like security. Do you want your user to inject a truly arbitrary string that could be interpreted as something else, like a filter, a macro, etc.? I usually use a quotation mark,

original search "$free_text_tok$"

But even this is not safe against SQL injection-style attacks/goof-ups.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You should be able to modify the contents of the token to include "NOT".

 

<input type="text" token="free_text_tok" searchWhenChanged="true">
  <label>Arbitrary string</label>
  <default></default>
  <change>
    <condition>
      <set token="not_free_text_tok">NOT $free_text_tok|s$</set>
    </condition>
  </change>
</input>

 

And use $not_free_text_tok$ in the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma

wangkevin1029
Communicator

<change>
    <condition>
      <set token=not_free_text_tok>NOT $free_text_tok|s$</set>
    <condition>
  </set>

Should <condition> </set> be </condition> </change>?

Besides, there is an unquoted attribute value in the line <set token=not_free_text_tok>........

Kevin

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thanks for proofreading.  I've corrected my reply.

---
If this reply helps you, Karma would be appreciated.
0 Karma

rrovers
Contributor

Why don't you use "NOT" in your search?

wangkevin1029
Communicator

rrovers,

I need to input this string in an input box or select this string from a dropdown list in the dashboard.

Kevin

0 Karma

wangkevin1029
Communicator

Besides, I can't use NOT $tokenname$ in XML, because I may or may not use this EXCLUDE string.

Kevin

0 Karma

yuanliu
SplunkTrust
SplunkTrust

In fact, @rrovers's suggestion is correct. Use this in the search

original search NOT _raw="*$free_text_tok$*"

This works with a blank default, and won't sacrifice performance.

0 Karma

wangkevin1029
Communicator

Doesn't work.

If I put NOT _raw="*$free_text_tok$*" in my search, then it changes to NOT _raw="*"*" "tokenvalue"*"

If I put NOT _raw="$free_text_tok$" in my search, then it changes to NOT _raw=""*" "tokenvalue"" in the real search.

Kevin

0 Karma

yuanliu
SplunkTrust
SplunkTrust

You are correct in that NOT _raw="*$free_text_tok$*" will still exclude everything when token value is null.  Try the other workarounds illustrated in https://community.splunk.com/t5/Splunk-Search/How-to-exclude-a-string-in-dashboard-search/m-p/579251...

I made a sample dashboard using the "| where" method.

<form version="1.1">
  <label>input test 2</label>
  <fieldset submitButton="false">
    <input type="text" token="free_text_tok" searchWhenChanged="true">
      <label>arbitrary</label>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal
| where NOT if(len("$free_text_tok$")==0, false(), searchmatch("*$free_text_tok$*"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Test searches seem to satisfy your requirements.

if I put NOT _raw="*$free_text_tok$*" in my search, then it changes to NOT _raw="*"*" "tokenvalue"*"

This part seems strange. I made a test dashboard specifically for this. As said, it returns nothing when the input string is null. But when there is a value, it doesn't split into the result you get.

<form version="1.1">
  <label>input test</label>
  <fieldset submitButton="false">
    <input type="text" token="free_text_tok" searchWhenChanged="true">
      <label>arbitrary</label>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal NOT _raw="*$free_text_tok$*"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

When the input string is "admin", the search expands into

index=_internal NOT _raw="*admin*"

which is desired. (However, when the input is "", the search becomes index=_internal NOT _raw="**", which is undesirable.)

0 Karma
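To make the two behaviours discussed in this thread concrete (the empty-token expansion that turns NOT _raw="*$free_text_tok$*" into NOT _raw="**", and the quoting that the |s filter from the <change>/<set> reply applies), here is an added Python model of Simple XML token substitution. It is not Splunk's own code and not from any poster in the thread; it assumes the documented behaviour of |s (wrap the value in double quotes, escape embedded double quotes and backslashes) and approximates searchmatch as a case-insensitive substring test. The function names, token names and sample events are constructed for illustration.

```python
import re

# Constructed model of Simple XML token substitution; not Splunk's implementation.
# Matches $name$ and $name|filter$.
TOKEN_RE = re.compile(r"\$(\w+)(?:\|(\w+))?\$")


def quote_s(value: str) -> str:
    """Model of the |s filter: wrap the value in double quotes and escape any
    embedded backslashes and double quotes (assumed from Splunk's documentation)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def expand(template: str, tokens: dict) -> str:
    """Substitute tokens into a query template. Unset tokens are left as-is,
    which is how a dashboard behaves before a <set> has run."""

    def replace(match: re.Match) -> str:
        name, flt = match.group(1), match.group(2)
        if name not in tokens:
            return match.group(0)
        value = tokens[name]
        if flt is None:
            return value                 # raw substitution: $tok$
        if flt == "s":
            return quote_s(value)        # quoted substitution: $tok|s$
        raise ValueError(f"token filter {flt!r} is not modelled")

    return TOKEN_RE.sub(replace, template)


def exclusion_clause(value: str) -> str:
    """What the thread is after: an empty input must mean 'exclude nothing';
    otherwise build a quoted NOT clause. This is the idea of computing the NOT
    clause in a separate token (as in the <change>/<set> reply), with the
    empty case handled explicitly so the query never collapses to NOT _raw="**"."""
    if value == "":
        return ""
    return "NOT _raw=" + quote_s(f"*{value}*")


def where_filter_keeps(event_raw: str, value: str) -> bool:
    """Model of the post-search filter
        | where NOT if(len("$tok$")==0, false(), searchmatch("*$tok$*"))
    searchmatch is approximated here as a case-insensitive substring test."""
    if len(value) == 0:
        return True
    return value.lower() not in event_raw.lower()


if __name__ == "__main__":
    query = 'index=_internal NOT _raw="*$free_text_tok$*"'
    print(expand(query, {"free_text_tok": "admin"}))   # excludes events containing admin
    print(expand(query, {"free_text_tok": ""}))        # NOT _raw="**": excludes everything
    print(expand("original search $free_text_tok|s$", {"free_text_tok": 'say "hi"'}))
    print(exclusion_clause(""), "|", exclusion_clause("admin"))
    # Constructed sample events to run the | where model over.
    events = ["admin logged in", "scheduler ran", "user Admin failed"]
    print([e for e in events if where_filter_keeps(e, "admin")])
    print([e for e in events if where_filter_keeps(e, "")])
```

Running the script shows why the plain NOT _raw="*$free_text_tok$*" form excludes every event when the input is blank, why the quoted |s form keeps a value containing quotes as one literal rather than splitting the query, and how the | where variant degrades to "keep everything" on an empty token instead.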