Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duplicate Values causing Conflict | Can't Fix

kokanne
Communicator
‎04-30-2018 12:44 AM

Hey, I'm trying to create a dashboard where there can be multiple entries for a field. There is a report behind my multi-select value on the dashboard.

I have made sure to name everything appropriately and that there are no duplicate fields. My query for the report is:
-snip-

I don't understand why it still says that duplicate values are causing a conflict. The following are my settings in the dashboard:

-snip-

Is there anything that can be done to fix this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kokanne
Communicator
‎05-06-2018 11:18 PM

The answer was changing the label and the value. Besides that I changed the sort to sort 0 - CVE

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kokanne
Communicator
‎05-06-2018 11:18 PM

The answer was changing the label and the value. Besides that I changed the sort to sort 0 - CVE

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-30-2018 09:15 AM

Try this (cut and paste so you don't have problems mis-typing whitespace); this assumes that there are no commas in the CVE names:

| inputlookup qualys_kb_lookup 
| makemv delim="," CVE
| mvexpand CVE 
| rex field=CVE mode=sed "s/^[\r\n\s]+// s/[\r\n\s]+$//"
| search CVE= "*" 
| dedup CVE 
| sort 0 - CVE 
| fields CVE
0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 02:19 AM

Two hints:
The line | search CVE= "*" contains a space, that might cause trouble.
The sort function has an implicit limit of 10000, so you might not get all results. Improve this by using | sort 0 -CVE.

0 Karma
Reply
Solved! Jump to solution

kokanne
Communicator
‎04-30-2018 06:50 AM

This works and is populating, but the dashboard gets stuck when I try to put anything in, it doesn't let me enter anything and crashes.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-30-2018 12:52 AM

@kokanne,

I hope you checked data with Executing search in search bar and no value is duplicated.

Can you please correct in settings.

Field for Label: label
Field for Value: value

to 

Field for Label: CVE
Field for Value: CVE

Thanks

Reply
Solved! Jump to solution

kokanne
Communicator
‎04-30-2018 06:50 AM

This works and is populating, but the dashboard gets stuck when I try to put anything in, it doesn't let me enter anything and crashes.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...