Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is multiselect not working?

POR160893
Builder
‎06-19-2022 01:34 PM

Hi,

I am using a multiselect input with the following query:
|inputlookup ABC
| eval hjk=_key
| lookup XYZ asset OUTPUT ass AS name, app AS application
| stats values( application)

POR160893_0-1655670799482.png


However, when I add this onto the actual dashboard, no results are generated as expected on the actual input.


What am I doing incorrectly?

POR160893_1-1655670832518.png



Thanks,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-20-2022 12:37 AM

Hi @POR160893,

some additional info to debug your issue:

are you sure to have the asset field also in the first lookup?

in the screenshout I see that asset field is also in output and this is different than the search you shared, is it correct?

then, instead the last row, you could use 

|  stats BY application

or 

| dedup application,
| sort application
| table application

then, why do you used "| eval hjk=_key" ?

Ciao.

Giuseppe

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-19-2022 09:51 PM

@POR160893 

It looks  your search out is multivalued field and the column you have used in fieldLabel and fieldValue looks different. can you please verify the search output and the fields you have used in the MultiSelect configurations?

 

Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...