Splunk Search

duplicate values causing conflict

sarnagar
Contributor

Hi,

Im getting this error although I do not have any duplicate values.
Below is the screenshot and my xml:

<form>
<label>SplunkServers_Analaysis</label>
<fieldset submitButton="true">



| inputlookup HostLists.csv | fields "Group" | dedup "Group"| sort "Group"
0

Group Name
Group Name



</fieldset>
</form>

My search provides the output
alt text

N my lookuptable has unique values:
Group SearchHeadsList IndexersList CollectionTiersList
Search Heads 1 11 22
Indexers 2 12 23
Collection Tiers 3 13 24

What is the reason for this error?

1 Solution

NOUMSSI
Builder

Hi,
I think your problem is in your input settings. try to change values of "fields for value" and "field for label". If in you 've rename field in your populating search, make sure that values of "fields for value" and "field for label" have the new name

View solution in original post

koshyk
Super Champion

Putting an example to make it simpler

  • good practice to put "_tok" in the token name, so it is not confused with field/label names
  • also try to query wrapped in CDATA just to ensure double quotes, arrow symbols won't cause problems
  • uses "search" rather than the deprecated "populatingSearch" notation
  • and is a working dashboard (to try out)

sample code

<form>
  <label>REMOVE THIS DASHBOARD ANYTIME</label>
  <description>Some Description</description>
  <fieldset autoRun="false">
    <input type="dropdown" token="sourcetype_tok" searchWhenChanged="false">
      <label>label_name</label>
      <choice value="*">All</choice>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
      <query>
        <![CDATA[index=_internal | stats count by sourcetype
        ]]>
      </query>
      <earliest>$timeSpan.earliest$</earliest>
      <latest>$timeSpan.latest$</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
    </input>
    <input type="time" token="timeSpan">
      <label>Time Picker</label>
      <default>
        <earliest>-1h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Event Details</title>
        <search>
          <query>
          <![CDATA[index=_internal sourcetype=$sourcetype_tok$
            | head 1000
            | table _time,index,sourcetype,source,_raw
            ]]>
          </query>
        <earliest>$timeSpan.earliest$</earliest>
        <latest>$timeSpan.latest$</latest>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

NOUMSSI
Builder

Hi,
I think your problem is in your input settings. try to change values of "fields for value" and "field for label". If in you 've rename field in your populating search, make sure that values of "fields for value" and "field for label" have the new name

sarnagar
Contributor

Thankyou 🙂
That worked after the necessary changes.

0 Karma

NOUMSSI
Builder

Ok, Please don't forget to vote me so that it can be helpfull for others who can have the same problem

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...