- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Dropdown producing duplicate entries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am trying to make a dashboard with a drop down for selecting between various devices logging to Splunk, a time range picker, and having the charts/tables on that dashboard change depending on what is selected. If I remove "| dedup devname" from my populating search string I get results in the drop down but there are many duplicates. With that syntax in place no results are generated in the drop down (but if I plug the syntax into my Splunk search it returns correctly). The rest of the functionality seemed to work with my dashboard that I have written so far in that once a device is select the table varies based on it and the time picker. Below is my code:
<form>
<label>Fortigate</label>
<fieldset autoRun="true">
<input type="dropdown" token="fortigate" searchWhenChanged="true">
<label>Select Device</label>
<populatingSearch fieldForValue="devname" fieldForLabel="devname">
sourcetype=fortinet | fields devname | dedup devname
</populatingSearch>
</input>
<input type="time" />
</fieldset>
<row>
<table>
<title>Top Denied</title>
<searchTemplate>sourcetype=fortinet devname="$fortigate$" rule=3000 | top dest</searchTemplate>
</table>
</row>
</form>
What can I do to remove the duplicates and still keep the same functionality? I know you can use a csv file to load the contents of the dropdown but I'd prefer something more dynamic.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems the issue was with the amount of data the search was going through to produce results for the dropdown. By using the following summary index search:
sourcetype=fortinet | sistats count by Mgmt_IP, devname
and tying that to:
<
I don't know that this will work any better, but you could try
sourcetype=fortinet | dedup devname
or
sourcetype=fortinet | dedup devname | table devname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately those did not work either. I tried doing the dedup command on a second field which is specific to each device while still telling to display devname but again it just never loads while the search itself works fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your code looks OK to me. I just tried it in a very similar XML and it worked as it should, so why it won't work for you is beyond me I'm afraid. However one thing you could try is to use
sourcetype=fortinet | stats count by devname
which will give you kind of an implicit dedup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try that the dropdown never finished "loading".
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
Explore the Latest Educational Offerings from Splunk (November Releases)
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
