Splunk Search

Query is getting error Duplicate values causing conflict


I have this data
Owner Branch# Bname
O1 B1 Bname1
O1 B2 Bname2
O2 B1 Bname3
O2 B3 Bname4
O2 B4 Bname5
O3 B3 Bname6
O3 B5 Bname7

I need to put the Bname in a dropdown where depending on the Owner (token) but the query is getting error Duplicate values causing conflict because of the multiple Branch#. I cannot dedup Branch# as this will be passed on as token to other panels when owner is chosen. If I do dedup, it will only pass the 1st occurence and other owner will not have any Branch# to chose from.

Any idea on how to manage the SPL?

0 Karma


When its passed as token to other panels along with the Owner , there should be no impact of deleting duplicate branch number in your input query as your selection from lookup or index will be based on combination of branch# and Owner. Can you please paste your code so it will be easy to understand the question.

0 Karma


During the initial load of the dropdown values, there's a duplicate error since there are multiple branch# (Owner=* and branch#=*). when a specific Owner is chosen, then the error disappears as it already has value for branches.

0 Karma


Here is the sample code for the dropdown:

>   <input type="dropdown"
> token="report"
> searchWhenChanged="true">
>         <label>Report Type</label>
>         <fieldForValue>foo</fieldForValue>
>         <search>
>           <query>| inputlookup foo.csv  | sort foo foo_label | where
> report_label="foo" 
>         </search>
>         <change>
>           <set token="foolabel">$label$</set>
>         </change>
>         <fieldForLabel>foo_label</fieldForLabel>
>         <default>foo</default>
>         <initialValue>foo</initialValue>
>       </input>
>       <input type="dropdown" token="foo2_id"
> searchWhenChanged="true">
>         <label>Foo2</label>
>         <fieldForLabel>foo_NM</fieldForLabel>
>         <fieldForValue>foo2_ID</fieldForValue>
>         <search base="foo2_metadata">
>           <query>| dedup foo2_ID | fields foo_NM foo2_ID  | sort
> foo_NM</query>
>         </search>
>         <change>
>           <set token="foo2_label">$label$</set>
>         </change>
>         <choice value="*">ALL</choice>
>         <default>*</default>
>         <initialValue>*</initialValue>
>       </input>
>       <input type="dropdown" token="foo3" searchWhenChanged="true">
>         <label>Branch</label>
>         <choice value="*">ALL</choice>
>         <fieldForLabel>foo3_NM</fieldForLabel>
>         <fieldForValue>foo3_NO</fieldForValue>
>         <search base="foo3_metadata">
>          <query>| dedup foo3_NO | search foo3_ID="$foo2_id$" | fields
> foo3_NM foo3_NO  | sort foo3_NM
>         </search>
>         <default>*</default>
>       </input>
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...