I see there are existing answers that handle the logic in a search in SPL. For the question asked, I would prefer to handle the logic on the dashboard. Here's how I'd do it: <fieldset submitButton="false">
<input type="text" token="raw_tok">
<label>Search for something</label>
<change>
<condition match="match(value, "^\\*$")">
<unset token="target"></unset>
</condition>
<condition value="*">
<set token="target">$value$</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel rejects="$target$">
<html>
<p>Please use wildcards only after at least specifying part of a value, such as "something*"</p>
</html>
</panel>
<panel depends="$target$">
<table>
<search>
<query>| makeresults | eval foo = "something_123" | search foo="$target$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row> In addition to keeping the logic on the dashboard, this will only create a search job when the condition is met, otherwise it would wait for the unset token to be filled. Using the dashboard eval logic also allows to e.g. check for a minimum input length or other conditions. More details in docs for eval and match. Obvious reminder that this is not a security feature, only a UI limitation on this dashboard - your users can of course still open a working search and change the SPL to search for "*", or not filter at all.
... View more