https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415690#M119649 <P>Please, take a look at this question about populating dropdown items <A href="https://answers.splunk.com/answers/145911/how-to-populate-dropdown-input-with-ids-from-search.html">https://answers.splunk.com/answers/145911/how-to-populate-dropdown-input-with-ids-from-search.html</A></P> Wed, 06 Mar 2019 19:50:38 GMT jnahuelperez35 2019-03-06T19:50:38Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415688#M119647 <P>Good morning,</P> <P>I've noticed a strange phenomenon with Splunk Enterprise 7.1.4 base searches and I wanted to see whether anyone else has noticed it too. Here is what I've done:</P> <OL> <LI>Created accelerated data model</LI> <LI>Used accelerated data model in a base search</LI> <LI>Within the base search I use the dedup command with sortby parameter</LI> <LI>Created a panel based on the base search and used timechart command</LI> <LI>Made the panel a single with sparkline</LI> </OL> <P>Now for the weird part. The dashboard doubles the results in the panel! If I open the panel in search through the magnifying glass icon it shows the correct, non-doubled value. After further analysis I've found that there are two ways to get the panel working properly:</P> <OL> <LI>Remove the base search and replicate it to each panel, which is inefficient</LI> <LI>Remove the sortby parameter from the base search</LI> </OL> <P>Is this a bug in Splunk? Before anyone asks, no there are no duplicate events in the index.</P> <P>Regards,</P> <P>Andrew</P> Wed, 06 Mar 2019 10:41:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415688#M119647 andrewtrobec 2019-03-06T10:41:24Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415689#M119648 <P>Show some events and show the XML, so that we can try to reproduce it.</P> Wed, 06 Mar 2019 15:59:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415689#M119648 woodcock 2019-03-06T15:59:10Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415690#M119649 <P>Please, take a look at this question about populating dropdown items <A href="https://answers.splunk.com/answers/145911/how-to-populate-dropdown-input-with-ids-from-search.html">https://answers.splunk.com/answers/145911/how-to-populate-dropdown-input-with-ids-from-search.html</A></P> Wed, 06 Mar 2019 19:50:38 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415690#M119649 jnahuelperez35 2019-03-06T19:50:38Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415691#M119650 <P>@woodcock I've tried to isolate and reproduce the issue in the search app but I cannot... I asked the question to see whether there was a known issue. I wonder if it is permission related or whether there is some config file that causes this phenomenon.</P> Thu, 07 Mar 2019 07:10:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415691#M119650 andrewtrobec 2019-03-07T07:10:03Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415692#M119651 <P>open a support case and ask Splunk.</P> Thu, 07 Mar 2019 12:58:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-command-with-sortby-parameter-in-base-searches/m-p/415692#M119651 woodcock 2019-03-07T12:58:17Z