Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

query search don't match on input

jtabilas
Loves-to-Learn Everything
‎07-06-2023 06:42 AM

2.png

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 06:49 AM

Hi @jtabilas.

in the search, you have fields title, instead in fieldForLabel and fieldForValue, you have user.

They must match.

Ciao.

Giuseppe

0 Karma
Reply

jtabilas
Loves-to-Learn Everything
‎07-06-2023 06:53 AM

jtabilas_0-1688651618966.png

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-06-2023 08:18 AM

Hi

This should works 

 

    <input type="multiselect" token="user">
      <label>User</label>
      <choice value="*">ALL</choice>
      <default>*</default>
      <fieldForLabel>email</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| table title email
| dedup title
| rename title as user</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>

 

Those fieldFor* select which filed you are using for Label (show on selection list) and real value which are set into token. Those should match to your query's output field names.

As I did rename I must use user for fieldForValue and email (or user) for fieldForLabel, but if I remove it then title is correct value for those.

r. Ismo 

0 Karma
Reply

jtabilas
Loves-to-Learn Everything
‎07-06-2023 06:52 AM

no..., the field it's title on splunk. User field don't exists

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...