Multiselect field with Duplicate Field Values by different labels

Melstrathdee
Path Finder

Hi All,
I have a multiselect field allowing my users to select from a list of potential hosts. However, we have some users who know our hosts by the common name and others who know them by the server name. I am trying to list both options for the users. I have a lookup table that is getting me this list of common-name hosts with the corresponding host value.

I have the data coming from this lookup table as follows:
name | host
SYDProd | server1
MELProd | server2
BRISProd | server3
server1 | server1
server2 | server2
server3 | server3

So I want the user to be able to select everything in the name field and then use the host for the value:

    <fieldForLabel>name</fieldForLabel>
    <fieldForValue>host</fieldForValue>

Because the hosts are duplicates, I get the following message:
"Duplicate values causing conflict"

Is there another way of doing this?
Thanks

0 Karma

Melstrathdee
Path Finder

Thanks for the suggestion @kamlesh_vaghela, it got me moving in the right direction, really appreciate your help.

Code so far:

    | fields output host
    | eval valueList = output + "," + host
    | stats delim="," values(valueList) as valueList by host
    | nomv valueList

This gave me the following results.

SYDProd,server1,server1,server1,MELProd,server2,server2,server2

I've adjusted it a little bit and I'm getting what I need from the search.
I needed to remove the label value, remove duplicates and then pop it in the search string.

New code:

    | fields output host
    | eval valueList = output + "~" + host
    | eval labelList = output
    | fields valueList labelList
    | eval tmphosts = replace(valueList,"\w{6,}~", "")
    | dedup tmphosts
    | stats delim="," values(tmphosts) as tmphosts
    | nomv tmphosts
    | eval tmphosts = "(host=" + replace(tmphosts,",", " OR host=") + ")"

This then gives me

(host=server1 OR host=server2 )

I would like to try and move the code to the change event on the multi-picker, but the "replace" command doesn't seem to work when I move it to a change event and pop it in an evaluate.

 <eval token="hostlist">replace($token_ServerList1|s$,"\w{6,}~", "")</eval>

I'm sure it is just a syntax issue. Any ideas?

0 Karma

kamlesh_vaghela
SplunkTrust

@Melstrathdee

Can you please share the full XML, masking your index name and other information?

0 Karma

kamlesh_vaghela
SplunkTrust

@Melstrathdee

In this case, I would suggest you display the name comma-separated with the host.
It will look like this:

host | name
server1 | SYDProd,server1

Try updating your search with the below:

    YOUR_SEARCH | stats delim="," values(name) as name by host | nomv name

Thanks

0 Karma
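
An added example, not part of the thread or any poster's dashboard: one way to wire the suggestion above into a Simple XML multiselect so each host appears once with a combined label, while the input's own prefix, value prefix and delimiter settings build the `(host=... OR host=...)` clause instead of a `replace` in a change event. The lookup file `host_names.csv`, the token name `host_filter` and `index=main` are assumptions.

```xml
<form>
  <label>Host picker (constructed example)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="host_filter" searchWhenChanged="true">
      <label>Hosts</label>
      <!-- One row per host, so fieldForValue carries no duplicate values.
           host_names.csv is an assumed lookup with the columns name,host
           shown in the question. -->
      <search>
        <query>| inputlookup host_names.csv
| stats delim="," values(name) as name by host
| nomv name</query>
      </search>
      <!-- Label reads e.g. "SYDProd,server1"; value is just "server1". -->
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <!-- The input assembles the token value:
           (host="server1" OR host="server2") -->
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- index=main is a placeholder for the real base search. -->
          <query>index=main $host_filter$ | stats count by host</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Quoting each value through `valuePrefix`/`valueSuffix` keeps a selected host name from being parsed as anything other than a single field value in the downstream search.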