I'm getting "Duplicate values causing conflict" error everytime, while I don't see any duplicate in the search result. I'm very new to Splunk. Product Id is the field that I need to count on
Please find my XML below,
Sales Dashbord
<input type="dropdown" token="product_id">
<label>product_id</label>
<fieldForLabel>productName</fieldForLabel>
<fieldForValue>productValue</fieldForValue>
<search>
<query>index = main sourcetype=access_combined_wcookie status = 200 file = success.do | fields productId | dedup productId | table productId</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="*">All</choice>
<prefix>''</prefix>
<suffix>''</suffix>
</input>
<panel>
<title>Product Sales</title>
<chart>
<search>
<query>index = main sourcetype=access_combined_wcookie status = 200 file = success.do | stats count by productId</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
Hey,
try this for the query:
index=main sourcetype=access_combined_wcookie status=200 file=success.do | fields productId | dedup productId
You should make sure that you don't have spaces around your =
. Also the | table
part is unneccessary.
Also, you use these lines:
<fieldForLabel>productName</fieldForLabel>
<fieldForValue>productValue</fieldForValue>
but the | fields productId
removes all fields but productID
, so those fields are not available at all.
So either - use productId
with those lines, or add those two fields to the | fields
command, like this:
index=main sourcetype=access_combined_wcookie status=200 file=success.do | fields productId productName productValue | dedup productId
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
@xpac, I wanted to add to your second point that the query in the question returns only productId
field through final pipe | productId
. The <fieldForLabel>
and <fieldForValue>
options for dropdown must contain the field names returned in the Search Query if Dynamic Options are used for building choices for the dropdown. If fields names do not match
i.e. (1) either they are not present or (2) they have a different casing/name then it is expected behavior that Dropdown will show Duplicate Values Causing Conflict
error.
Secondly, just FYI, the | fields
command will retain the fields mentioned and also all internal fields with underscore ( _
) i.e. _time, _raw
etc. So either they need to be explicitly removed with | fields - _*
or
| table
command can be used for specific fields.
Ideally, as a fix following query should be used:
index="main" sourcetype="access_combined_wcookie" status="200" file="success.do" productName="*" productValue="*"
| dedup productValue
| table productName productValue
The base search filters and productName="*"
and productValue="*"
ensure events with both fields present are returned. Since productValue
field is the fieldForValue
, it should be unique. Hence dedup is performed on productValue. If it is not, search query should have eval to create a unique value field i.e. something like | eval productValue = productId."-".productValue
.
However, having said all these, @Anirban92Chakraborty you should check query with productName and productValue in independent search. Only if they are returning these unique records for productName and productValue you should use them.
Based on the query provided are you using working with Buttercup Games Search Tutorial data from Splunk? I don't think productId field is available for source="success.do"
. Also productName
is not present in the raw events. Splunk Documentation provides it as prices.csv
lookup file to enrich product Ids with their corresponding names and prices. If it is so make sure you have the lookup file uploaded and lookup definition created. Even with the lookup file you should use productId
as <fieldForValue>
and productName
as <fieldForName>
as the field productValue
does not exist (unless you have created one).
Please try out and provide further details if provided details do not work.