Splunk Search

Query is getting error Duplicate values causing conflict

teddyidc1101
Communicator

I have this data
Owner Branch# Bname
O1 B1 Bname1
O1 B2 Bname2
O2 B1 Bname3
O2 B3 Bname4
O2 B4 Bname5
O3 B3 Bname6
O3 B5 Bname7

I need to put the Bname in a dropdown depending on the Owner (token), but the query is getting the error "Duplicate values causing conflict" because of the multiple Branch#. I cannot dedup Branch# as this will be passed on as a token to other panels when an owner is chosen. If I do dedup, it will only pass the 1st occurrence and other owners will not have any Branch# to choose from.

Any idea on how to manage the SPL?
Thanks!

0 Karma

Vijeta
Influencer

When it's passed as a token to other panels along with the Owner, there should be no impact of deleting duplicate branch numbers in your input query, as your selection from the lookup or index will be based on the combination of branch# and Owner. Can you please paste your code so it will be easy to understand the question?

0 Karma

teddyidc1101
Communicator

During the initial load of the dropdown values, there's a duplicate error since there are multiple branch# (Owner=* and branch#=*). When a specific Owner is chosen, then the error disappears as it already has a value for branches.

0 Karma

teddyidc1101
Communicator

Here is the sample code for the dropdown:

>       <input type="dropdown" token="report" searchWhenChanged="true">
>         <label>Report Type</label>
>         <fieldForValue>foo</fieldForValue>
>         <search>
>           <query>| inputlookup foo.csv | sort foo foo_label | where report_label="foo"</query>
>         </search>
>         <change>
>           <set token="foolabel">$label$</set>
>         </change>
>         <fieldForLabel>foo_label</fieldForLabel>
>         <default>foo</default>
>         <initialValue>foo</initialValue>
>       </input>
>       <input type="dropdown" token="foo2_id" searchWhenChanged="true">
>         <label>Foo2</label>
>         <fieldForLabel>foo_NM</fieldForLabel>
>         <fieldForValue>foo2_ID</fieldForValue>
>         <search base="foo2_metadata">
>           <query>| dedup foo2_ID | fields foo_NM foo2_ID | sort foo_NM</query>
>         </search>
>         <change>
>           <set token="foo2_label">$label$</set>
>         </change>
>         <choice value="*">ALL</choice>
>         <default>*</default>
>         <initialValue>*</initialValue>
>       </input>
>       <input type="dropdown" token="foo3" searchWhenChanged="true">
>         <label>Branch</label>
>         <choice value="*">ALL</choice>
>         <fieldForLabel>foo3_NM</fieldForLabel>
>         <fieldForValue>foo3_NO</fieldForValue>
>         <search base="foo3_metadata">
>           <!-- Post-process search: dedup runs before the filter on the Foo2 token -->
>           <query>| dedup foo3_NO | search foo3_ID="$foo2_id$" | fields foo3_NM foo3_NO | sort foo3_NM</query>
>         </search>
>         <default>*</default>
>       </input>
0 Karma
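
An added example, not part of the thread and not the poster's code: one way to avoid both the duplicate-value error and the missing branches is to filter on the owner token before deduplicating the branch number. It reuses the placeholder names from the posted dashboard (`foo3_metadata`, `foo3_ID`, `foo3_NO`, `foo3_NM`, `$foo2_id$`) and assumes `foo3_ID` holds the Owner chosen in the Foo2 dropdown; the order of the commands is the only change.

```xml
<!-- Added example: the Branch dropdown from the posted dashboard with the
     owner filter moved ahead of dedup. Field, token and base-search names
     are the placeholders used in the post (assumed to map to Owner/Branch#/Bname). -->
<input type="dropdown" token="foo3" searchWhenChanged="true">
  <label>Branch</label>
  <choice value="*">ALL</choice>
  <fieldForLabel>foo3_NM</fieldForLabel>
  <fieldForValue>foo3_NO</fieldForValue>
  <search base="foo3_metadata">
    <!-- 1. Keep only rows for the selected owner ("*" keeps every owner).
         2. Then collapse repeated branch numbers, so every dropdown value
            is unique and no owner loses a branch to another owner's row. -->
    <query>| search foo3_ID="$foo2_id$"
| dedup foo3_NO
| fields foo3_NM foo3_NO
| sort foo3_NM</query>
  </search>
  <default>*</default>
</input>
```

With the owner set to ALL, a branch number shared by several owners appears once, labelled with the name from the first matching row.
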