Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dropdown - how to keep duplicate values

cornemrc
Explorer
‎06-18-2020 06:34 AM

Hello,

I am using a dropdown with a dynamic option search

 

| inputlookup serverlocations.csv

 

field for Label: locationname
field for Value: servername

 

The serverlocations.csv looks like this in a regular splunk search:

locationnameservername
UK-Londonserver1.example.com
DE-Berlinserver1.example.com
US-NewYorkserver2.example.com

 

The problem is my dropdown shows only the Labels UK-London and US-NewYork. It removes DE-Berlin from the dropdown as if my search would be

 

| inputlookup serverlocations.csv
| dedup servername

 

But actually I want all three locationnames in my dropdown. I am totally fine if I get the same search results on the dashboards then, because both are using the same servername. I do not understand why splunk is handling my search with a dedup, especially because my search result is looking good as long as it is not used by the dropdown.

Do you have a reason for that behaviour or can you tell me how to avoid that?

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-18-2020 12:10 PM

@cornemrc try something like the following. SPL is used to create servername as delimited string after combining servername with locationname. Using <eval> to split the servername set the tokens servername and location name using $label$ on <change> of input value.

 

    <input type="dropdown" token="serverlocation">
      <label>Server/Location</label>
      <fieldForLabel>locationname</fieldForLabel>
      <fieldForValue>servername</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| inputlookup serverlocations.csv
| fields servername locationname
| eval servername=servername."|".locationname</query>
      </search>
      <change>
        <eval token="servername">mvindex(split($value$,"|"),0)</eval>
        <set token="locationname">$label$</set>
      </change>
    </input>

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-18-2020 12:10 PM

@cornemrc try something like the following. SPL is used to create servername as delimited string after combining servername with locationname. Using <eval> to split the servername set the tokens servername and location name using $label$ on <change> of input value.

 

    <input type="dropdown" token="serverlocation">
      <label>Server/Location</label>
      <fieldForLabel>locationname</fieldForLabel>
      <fieldForValue>servername</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| inputlookup serverlocations.csv
| fields servername locationname
| eval servername=servername."|".locationname</query>
      </search>
      <change>
        <eval token="servername">mvindex(split($value$,"|"),0)</eval>
        <set token="locationname">$label$</set>
      </change>
    </input>

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...