Splunk Search

Prevent Wildcard In User Input

JohannLiebert92
Path Finder

Hi everyone,

I've developed a dashboard with a text input for my users. However, I do not want my users to use wildcards in the input. Is there any way to disable/prevent users from using a wildcard (*)?

Thanks!!

0 Karma

niketn
Legend

Option 1: Using eval with case() to set the token if an asterisk is not entered in the text box

<form>
  <label>Text Box validation</label>
  <fieldset submitButton="false">
    <input type="text" token="selText">
      <label>Enter Log Level (like INFO, WARN, ERROR, FATAL etc)</label>
      <change>
        <eval token="tokLogLevel">case(len($value$)&gt;0 AND NOT like($value$,"%*%"),$value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html rejects="$tokLogLevel$">
        <div style="color:red;text-align:center;font-weight:bold;font-size:150%">
          Log Level does not accept asterisk (*)!!!
        </div>
      </html>
      <table depends="$tokLogLevel$">
        <title>Log Level Volume</title>
        <search>
          <query>index="_internal" sourcetype=splunkd log_level="$tokLogLevel$"
          | stats count by log_level
          | appendpipe [| makeresults
          | eval log_level="$tokLogLevel$",count=0
          | fields - _time]
          | dedup log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Following is the run-anywhere dashboard based on one of my previous answers: https://answers.splunk.com/answers/513440/how-to-validate-text-field-token-without-using-jav.html (I had assumed in my answer that SimpleXML would use JavaScript regular expressions and that match would work with an asterisk, but it did not 😞)

Second Option: Using a dummy search with eval match() to set the token if an asterisk is not entered in the text box:

<form>
  <label>Text Box validation Option 2</label>
  <fieldset submitButton="false">
    <input type="text" token="selText" searchWhenChanged="true">
      <label>Enter Log Level (like INFO, WARN, ERROR, FATAL etc)</label>
    </input>
  </fieldset>
  <search>
    <query>|  makeresults
|  eval testData="$selText$"
|  eval tokLogLevel=case(len(testData)&gt;0 AND match(testData,"^[^\*]+$"),testData)
|  table testData tokLogLevel
    </query>
    <done>
      <condition match="isnull($result.tokLogLevel$) OR isnull($form.selText$)">
        <unset token="tokLogLevel"></unset>
      </condition>
      <condition>
        <set token="tokLogLevel">$result.tokLogLevel$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <html rejects="$tokLogLevel$">
        <div style="color:red;text-align:center;font-weight:bold;font-size:150%">
          Log Level does not accept asterisk (*)!!!
        </div>
      </html>
      <table depends="$tokLogLevel$">
        <title>Log Level Volume</title>
        <search>
          <query>index="_internal" sourcetype=splunkd log_level="$tokLogLevel$"
          | stats count by log_level
          | appendpipe [| makeresults
          | eval log_level="$tokLogLevel$",count=0
          | fields - _time]
          | dedup log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

christopher_mcc
New Member

Preventing wildcards in dashboard text form fields is relatively easy. Example: preventing asterisks (*) from being entered. The result is a bold red error message, and the search is not executed.

<input type="text" token="user_name">
  <label>Username</label>
  <!-- fires whenever the input value changes and checks user_name for * -->
  <change>
    <!-- no * in the input: set the token so the warning below stays hidden -->
    <!-- like() treats % as its wildcard, so the pattern for "contains *" is %*% -->
    <condition match="NOT like($value$,&quot;%*%&quot;)">
      <set token="logLevelTok">$value$</set>
    </condition>
    <!-- input contains *: unset the token, which stops the search and displays the html reject -->
    <condition>
      <unset token="logLevelTok"></unset>
    </condition>
  </change>
</input>
<html rejects="$logLevelTok$">
  <div>
    <p style="color:red;font-weight:bold;font-size:150%;text-align:left;">
      Asterisks &quot;*&quot; are not permitted.
    </p>
  </div>
</html>

If you need an input text form field, you can prevent wildcards by tokens and conditions. Example:

<input type="text" token="user_name">
  <label>Username</label>
  <!-- fires whenever the input value changes and checks the user_name field for asterisks -->
  <change>
    <!-- no * in the input: set the token so the warning below stays hidden -->
    <!-- like() treats % as its wildcard, so the pattern for "contains *" is %*% -->
    <condition match="NOT like($value$,&quot;%*%&quot;)">
      <set token="logLevelTok">$value$</set>
    </condition>
    <!-- input contains *: unset the token, which stops the search and displays the html reject -->
    <condition>
      <unset token="logLevelTok"></unset>
    </condition>
  </change>
</input>
<html rejects="$logLevelTok$">
  <div>
    <p style="color:red;font-weight:bold;font-size:150%;text-align:left;">
      Asterisks &quot;*&quot; are not permitted.
    </p>
  </div>
</html>

The output is bold letters warning the user about wildcards just below the form field.

0 Karma

BlueSocket
Communicator

Hi,

Could you provide a drop down which is populated with all of the possible search items? Or are you looking for validation of input fields before they are submitted?

0 Karma

JohannLiebert92
Path Finder

Hi BlueSocket,

Thanks for the quick response. I'm actually looking for a relatively straightforward way (if any) to prevent users from using wildcards in a Text Input. But I think you just enlightened me to use a drop down instead for that purpose. (I guess input validation with js would work for Text Input too). Thanks!!

0 Karma

BlueSocket
Communicator

It's easier to do the drop down, seriously

0 Karma
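
The drop-down approach suggested in this thread, written out as an added example (not code from any poster here). It reuses the index, sourcetype and `tokLogLevel` token from the text-box dashboards above; the dashboard label is made up for the illustration.

```xml
<form>
  <label>Log Level Volume (drop-down input)</label>
  <fieldset submitButton="false">
    <!-- The choices come from a populating search, so the form offers only
         log levels that actually occur and has no free-text box. -->
    <input type="dropdown" token="tokLogLevel" searchWhenChanged="true">
      <label>Log Level</label>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>index="_internal" sourcetype=splunkd log_level=*
| stats count by log_level
| fields log_level</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- The table stays hidden until a log level has been chosen. -->
      <table depends="$tokLogLevel$">
        <title>Log Level Volume</title>
        <search>
          <!-- The |s token filter wraps the value in quotes and escapes any
               embedded quotes before it is placed into the search string. -->
          <query>index="_internal" sourcetype=splunkd log_level=$tokLogLevel|s$
| stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The `|s` filter only handles quoting; it does not strip or reject `*`, so it complements the restricted choice list rather than replacing it.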