Getting Data In

Form input issue - "duplicates values causing conflict..."

a212830
Champion

Hi,

I'm creating a form that uses a rest call to populate a multi-select, but it's failing with "duplicate values causing conflict", but I'm not sure why. The search works when it's run outside of the editor. Any suggestions?

<form>
  <label>License Usage</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="index_token" searchWhenChanged="false">
      <search>
        <query>| rest /services/data/indexes  |fields title</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel ref="becoming_a_splunk_ninja" app="welcome"></panel>
  </row>
</form>

sloshburch
Splunk Employee
Splunk Employee

Hang on. Are you trying to create a drop down of the indexes available? If so, how about | eventcount index=* OR index=_* summarize=false | stats count by index. The eventcount command should show only the indexes the user can search and will span all distributed indexers whereas the REST endpoint could be limited to the host you scope it to and would show everything regardless of if you can search it. Also, I'm not 100% if nonadmins can call all REST endpoints (anyone know for sure about these things?).

So putting it all together:

<form>
  <label>License Usage</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="index_token" searchWhenChanged="true">
      <label></label>
      <search>
        <query>| eventcount index=* OR index=_* summarize=false | stats count by index</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel ref="becoming_a_splunk_ninja" app="welcome"></panel>
  </row>
</form>

a212830
Champion

Thanks Burch. I'm looking to create a drop-down of all indexers, regardless of whether they can search them. The form will query a summary index, and give them license usage by index and sourcetype, and san storage by index. I've decided to create a lookup from the tstats command, and use that as input for the form.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

"a drop-down of all indexers" <- based on the rest of what you mentioned, I'm assuming you meant "indexes", not "indexers", but lemme know if you did mean "indexers".

Doesn't @jdonn_splunk's Chargeback app already have such a search you can copy from?

0 Karma

woodcock
Esteemed Legend

I am seeing the same problem and do not understand it. In any case, this is a fine alternate search that does work:

<query>|tstats count where index=* OR index=_* BY index</query>
0 Karma

niketn
Legend

Try a dedup on the title in multiselect.

<query>| rest /services/data/indexes  |dedup title| table title</query>

From your query does not seem like static value is conflicting with duplicate in search result. However, ensure that you do not have static value defined for multi-select which might also be returned in search result.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

a212830
Champion

Thanks. Tried that previously, didn't work. Tried it again anyway, but same issue. To be clear, that is the query - nothing before the " | rest..."

0 Karma

a212830
Champion

For testing purposes, I added a panel that runs that search, and it came back with no events. However, if I run the search manually outside of the form, it works. Do forms not support running REST queries, or is there a specific way to do it?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...