Re: query search don't match on input

jtabilas · ‎07-06-2023

gcusello · ‎07-06-2023

Hi @jtabilas.

in the search, you have fields title, instead in fieldForLabel and fieldForValue, you have user.

They must match.

Ciao.

Giuseppe

jtabilas · ‎07-06-2023

isoutamo · ‎07-06-2023

Hi

This should works

    <input type="multiselect" token="user">
      <label>User</label>
      <choice value="*">ALL</choice>
      <default>*</default>
      <fieldForLabel>email</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| table title email
| dedup title
| rename title as user</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>

Those fieldFor* select which filed you are using for Label (show on selection list) and real value which are set into token. Those should match to your query's output field names.

As I did rename I must use user for fieldForValue and email (or user) for fieldForLabel, but if I remove it then title is correct value for those.

r. Ismo

jtabilas · ‎07-06-2023

no..., the field it's title on splunk. User field don't exists

query search don't match on input

fields

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)