Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Dropdown - how to keep duplicate values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am using a dropdown with a dynamic option search
| inputlookup serverlocations.csv
field for Label: locationname
field for Value: servername
The serverlocations.csv looks like this in a regular splunk search:
| locationname | servername |
| UK-London | server1.example.com |
| DE-Berlin | server1.example.com |
| US-NewYork | server2.example.com |
The problem is my dropdown shows only the Labels UK-London and US-NewYork. It removes DE-Berlin from the dropdown as if my search would be
| inputlookup serverlocations.csv
| dedup servername
But actually I want all three locationnames in my dropdown. I am totally fine if I get the same search results on the dashboards then, because both are using the same servername. I do not understand why splunk is handling my search with a dedup, especially because my search result is looking good as long as it is not used by the dropdown.
Do you have a reason for that behaviour or can you tell me how to avoid that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cornemrc try something like the following. SPL is used to create servername as delimited string after combining servername with locationname. Using <eval> to split the servername set the tokens servername and location name using $label$ on <change> of input value.
<input type="dropdown" token="serverlocation">
<label>Server/Location</label>
<fieldForLabel>locationname</fieldForLabel>
<fieldForValue>servername</fieldForValue>
<selectFirstChoice>true</selectFirstChoice>
<search>
<query>| inputlookup serverlocations.csv
| fields servername locationname
| eval servername=servername."|".locationname</query>
</search>
<change>
<eval token="servername">mvindex(split($value$,"|"),0)</eval>
<set token="locationname">$label$</set>
</change>
</input>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cornemrc try something like the following. SPL is used to create servername as delimited string after combining servername with locationname. Using <eval> to split the servername set the tokens servername and location name using $label$ on <change> of input value.
<input type="dropdown" token="serverlocation">
<label>Server/Location</label>
<fieldForLabel>locationname</fieldForLabel>
<fieldForValue>servername</fieldForValue>
<selectFirstChoice>true</selectFirstChoice>
<search>
<query>| inputlookup serverlocations.csv
| fields servername locationname
| eval servername=servername."|".locationname</query>
</search>
<change>
<eval token="servername">mvindex(split($value$,"|"),0)</eval>
<set token="locationname">$label$</set>
</change>
</input>
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
