Re: query search don't match on input

jtabilas · ‎07-06-2023

gcusello · ‎07-06-2023

Hi @jtabilas.

in the search, you have fields title, instead in fieldForLabel and fieldForValue, you have user.

They must match.

Ciao.

Giuseppe

jtabilas · ‎07-06-2023

isoutamo · ‎07-06-2023

Hi

This should works

    <input type="multiselect" token="user">
      <label>User</label>
      <choice value="*">ALL</choice>
      <default>*</default>
      <fieldForLabel>email</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| rest /services/authentication/users splunk_server=local
| table title email
| dedup title
| rename title as user</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>

Those fieldFor* select which filed you are using for Label (show on selection list) and real value which are set into token. Those should match to your query's output field names.

As I did rename I must use user for fieldForValue and email (or user) for fieldForLabel, but if I remove it then title is correct value for those.

r. Ismo

jtabilas · ‎07-06-2023

no..., the field it's title on splunk. User field don't exists

query search don't match on input

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation