Getting Data In

While creating dropdown getting "Duplicate values causing conflict" error

Anirban92Chakra
New Member

I'm getting "Duplicate values causing conflict" error everytime, while I don't see any duplicate in the search result. I'm very new to Splunk. Product Id is the field that I need to count on

Please find my XML below,

Sales Dashbord

<input type="dropdown" token="product_id">
  <label>product_id</label>
  <fieldForLabel>productName</fieldForLabel>
  <fieldForValue>productValue</fieldForValue>
  <search>
    <query>index = main sourcetype=access_combined_wcookie status = 200 file = success.do | fields productId | dedup productId | table productId</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <choice value="*">All</choice>
  <prefix>''</prefix>
  <suffix>''</suffix>
</input>


<panel>
  <title>Product Sales</title>
  <chart>
    <search>
      <query>index = main sourcetype=access_combined_wcookie status = 200 file = success.do | stats count by productId</query>
      <earliest>0</earliest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.abbreviation">none</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.abbreviation">none</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.abbreviation">none</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.mode">standard</option>
    <option name="charting.legend.placement">right</option>
    <option name="charting.lineWidth">2</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
  </chart>
</panel>
Tags (1)
0 Karma

xpac
SplunkTrust
SplunkTrust

Hey,

try this for the query:

index=main sourcetype=access_combined_wcookie status=200 file=success.do | fields productId | dedup productId

You should make sure that you don't have spaces around your =. Also the | table part is unneccessary.

Also, you use these lines:

   <fieldForLabel>productName</fieldForLabel>
   <fieldForValue>productValue</fieldForValue>

but the | fields productId removes all fields but productID, so those fields are not available at all.

So either - use productId with those lines, or add those two fields to the | fields command, like this:

index=main sourcetype=access_combined_wcookie status=200 file=success.do | fields productId productName productValue | dedup productId

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma

niketn
Legend

@xpac, I wanted to add to your second point that the query in the question returns only productId field through final pipe | productId. The <fieldForLabel> and <fieldForValue> options for dropdown must contain the field names returned in the Search Query if Dynamic Options are used for building choices for the dropdown. If fields names do not match i.e. (1) either they are not present or (2) they have a different casing/name then it is expected behavior that Dropdown will show Duplicate Values Causing Conflict error.

Secondly, just FYI, the | fields command will retain the fields mentioned and also all internal fields with underscore ( _ ) i.e. _time, _raw etc. So either they need to be explicitly removed with | fields - _* or
| table command can be used for specific fields.

Ideally, as a fix following query should be used:

 index="main" sourcetype="access_combined_wcookie" status="200" file="success.do" productName="*" productValue="*"
| dedup productValue 
| table productName productValue

The base search filters and productName="*" and productValue="*" ensure events with both fields present are returned. Since productValue field is the fieldForValue, it should be unique. Hence dedup is performed on productValue. If it is not, search query should have eval to create a unique value field i.e. something like | eval productValue = productId."-".productValue.

However, having said all these, @Anirban92Chakraborty you should check query with productName and productValue in independent search. Only if they are returning these unique records for productName and productValue you should use them.

Based on the query provided are you using working with Buttercup Games Search Tutorial data from Splunk? I don't think productId field is available for source="success.do". Also productName is not present in the raw events. Splunk Documentation provides it as prices.csv lookup file to enrich product Ids with their corresponding names and prices. If it is so make sure you have the lookup file uploaded and lookup definition created. Even with the lookup file you should use productId as <fieldForValue> and productName as <fieldForName> as the field productValue does not exist (unless you have created one).

Please try out and provide further details if provided details do not work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...