Splunk Search

Query is getting error Duplicate values causing conflict

teddyidc1101
Communicator

I have this data
Owner Branch# Bname
O1 B1 Bname1
O1 B2 Bname2
O2 B1 Bname3
O2 B3 Bname4
O2 B4 Bname5
O3 B3 Bname6
O3 B5 Bname7

I need to put the Bname in a dropdown where depending on the Owner (token) but the query is getting error Duplicate values causing conflict because of the multiple Branch#. I cannot dedup Branch# as this will be passed on as token to other panels when owner is chosen. If I do dedup, it will only pass the 1st occurence and other owner will not have any Branch# to chose from.

Any idea on how to manage the SPL?
Thanks!

0 Karma

Vijeta
Influencer

When its passed as token to other panels along with the Owner , there should be no impact of deleting duplicate branch number in your input query as your selection from lookup or index will be based on combination of branch# and Owner. Can you please paste your code so it will be easy to understand the question.

0 Karma

teddyidc1101
Communicator

During the initial load of the dropdown values, there's a duplicate error since there are multiple branch# (Owner=* and branch#=*). when a specific Owner is chosen, then the error disappears as it already has value for branches.

0 Karma

teddyidc1101
Communicator

Here is the sample code for the dropdown:

>   <input type="dropdown"
> token="report"
> searchWhenChanged="true">
>         <label>Report Type</label>
>         <fieldForValue>foo</fieldForValue>
>         <search>
>           <query>| inputlookup foo.csv  | sort foo foo_label | where
> report_label="foo" 
>         </search>
>         <change>
>           <set token="foolabel">$label$</set>
>         </change>
>         <fieldForLabel>foo_label</fieldForLabel>
>         <default>foo</default>
>         <initialValue>foo</initialValue>
>       </input>
>       <input type="dropdown" token="foo2_id"
> searchWhenChanged="true">
>         <label>Foo2</label>
>         <fieldForLabel>foo_NM</fieldForLabel>
>         <fieldForValue>foo2_ID</fieldForValue>
>         <search base="foo2_metadata">
>           <query>| dedup foo2_ID | fields foo_NM foo2_ID  | sort
> foo_NM</query>
>         </search>
>         <change>
>           <set token="foo2_label">$label$</set>
>         </change>
>         <choice value="*">ALL</choice>
>         <default>*</default>
>         <initialValue>*</initialValue>
>       </input>
>       <input type="dropdown" token="foo3" searchWhenChanged="true">
>         <label>Branch</label>
>         <choice value="*">ALL</choice>
>         <fieldForLabel>foo3_NM</fieldForLabel>
>         <fieldForValue>foo3_NO</fieldForValue>
>         <search base="foo3_metadata">
>          <query>| dedup foo3_NO | search foo3_ID="$foo2_id$" | fields
> foo3_NM foo3_NO  | sort foo3_NM
>         </search>
>         <default>*</default>
>       </input>
0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...