Dashboards & Visualizations

Dropdown producing duplicate entries

corwinz6
Explorer

Hello,

I am trying to make a dashboard with a drop down for selecting between various devices logging to Splunk, a time range picker, and having the charts/tables on that dashboard change depending on what is selected. If I remove "| dedup devname" from my populating search string I get results in the drop down but there are many duplicates. With that syntax in place no results are generated in the drop down (but if I plug the syntax into my Splunk search it returns correctly). The rest of the functionality seemed to work with my dashboard that I have written so far in that once a device is select the table varies based on it and the time picker. Below is my code:

<form>
<label>Fortigate</label>
  <fieldset autoRun="true">    
    <input type="dropdown" token="fortigate" searchWhenChanged="true">
    <label>Select Device</label>
<populatingSearch fieldForValue="devname" fieldForLabel="devname">
    sourcetype=fortinet | fields devname | dedup devname
</populatingSearch>
    </input>
   <input type="time" />
  </fieldset>
<row>
  <table>
  <title>Top Denied</title> 
 <searchTemplate>sourcetype=fortinet devname="$fortigate$" rule=3000 | top dest</searchTemplate> 
   </table>
</row>
</form>

What can I do to remove the duplicates and still keep the same functionality? I know you can use a csv file to load the contents of the dropdown but I'd prefer something more dynamic.

Thanks

Tags (1)
1 Solution

corwinz6
Explorer

It seems the issue was with the amount of data the search was going through to produce results for the dropdown. By using the following summary index search:
sourcetype=fortinet | sistats count by Mgmt_IP, devname
and tying that to:
<![CDATA[index=summary search_name="Summary_devname_populate" | rex "(?i) Mgmt_IP=\"(?P[^\"]+)" | dedup Mgmt_IP | stats count by Mgmt_IP devname]]>

I was able to properly gather a unique list of all device names for the drop down menu.

View solution in original post

corwinz6
Explorer

It seems the issue was with the amount of data the search was going through to produce results for the dropdown. By using the following summary index search:
sourcetype=fortinet | sistats count by Mgmt_IP, devname
and tying that to:
<![CDATA[index=summary search_name="Summary_devname_populate" | rex "(?i) Mgmt_IP=\"(?P[^\"]+)" | dedup Mgmt_IP | stats count by Mgmt_IP devname]]>

I was able to properly gather a unique list of all device names for the drop down menu.

HattrickNZ
Motivator

tks

I was using something like but was getting a duplicates error in the drop down
...table Mgmt_IP devname| dedup Mgmt_IP devname

I was suing something like but was getting a duplicates error
... top SBC_TGN_TGID measObjLdn

but finally your solution helped me.
.. dedup Mgmt_IP | stats count by Mgmt_IP devname

0 Karma

lguinn2
Legend

I don't know that this will work any better, but you could try

sourcetype=fortinet | dedup devname

or

sourcetype=fortinet | dedup devname | table devname

0 Karma

corwinz6
Explorer

Unfortunately those did not work either. I tried doing the dedup command on a second field which is specific to each device while still telling to display devname but again it just never loads while the search itself works fine.

0 Karma

Ayn
Legend

Your code looks OK to me. I just tried it in a very similar XML and it worked as it should, so why it won't work for you is beyond me I'm afraid. However one thing you could try is to use

sourcetype=fortinet | stats count by devname

which will give you kind of an implicit dedup.

0 Karma

corwinz6
Explorer

When I try that the dropdown never finished "loading".

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...