Splunk Search

Why does my drop-down say "Duplicate values causing conflict" when there are no duplicate values?

SJanasek
Path Finder

I am trying to output the CUSTOMER_NAME via a csv lookup. my lookup file (lookup_test.csv) looks like that:

CUSTOMER_ID,CUSTOMER_NAME
39076,Customer1
56706,Customer2
20294,Customer3

my drop-down includes the following search string:

index="index1" sourcetype="source1" | lookup kunde_test  CUSTOMER_ID OUTPUT CUSTOMER_NAME | top 10 CUSTOMER_NAME

it now shows the following message: "Duplicate values causing conflict"

but there are not any duplicate values? what could be the problem here?

Sukisen1981
Champion

if you need just the customer_name in the drop down, why not use something like this?

 index="index1" sourcetype="source1" | lookup kunde_test  CUSTOMER_ID OUTPUT CUSTOMER_NAME | top 10 CUSTOMER_NAME dedup CUSTOMER_NAME | table CUSTOMER_NAME
0 Karma

MichaelMcAleer
Path Finder

I wanted to add in alternative answer to this solution, the whole time I have been adding the drill down filters using source XML instead of the UI, from the source XML and query run everything looked fine there were no duplicates so I was lead to searching online for answers. The "Field for Label" or "Field for Value" were fine, no different from the examples shown in the dashboard examples app, but when I looked at the filter in UI mode I noticed that there were two 'ALL = ' key/value pairs listed whereas there wasn't in the source XML. Removed the second 'All=' option and cleared the 'duplicate values causing conflict error'

0 Karma

claudio_manig
Communicator

This is often caused by using the wrong values in "Field for Label" or "Field for Value" - in my case i used the splunk field name there and not the original one out of the lookup

0 Karma

dbray_sd
Path Finder

Could you explain a little further? Maybe some examples? I think this is the exact problem I'm having, but not really understanding what Splunk wants for this simple dropdown.

0 Karma

claudio_manig
Communicator

Its kind of shaky if you ask me as i often experienced this problem - try to check you field for value and field for label entries and check wheter they are set correct.

0 Karma

jplumsdaine22
Influencer

You're missing the initial <input> tag, but otherwise it looks OK. Are you sure there are no duplicate values for CUSTOMER_NAME in kunde_test ? run

| inputlookup kunde_test | stats count by CUSTOMER_NAME | where count > 1 

to be sure

0 Karma

SJanasek
Path Finder

just forgot to copy it
input type="dropdown" token="kunde" searchWhenChanged="true"

and no, there aren't duplicate values, tested it

0 Karma

jplumsdaine22
Influencer

Hopefully someone else can help - the only other thing I can think is that you may have another token called kunde on the same dashboard

jplumsdaine22
Influencer

Can you post the xml of your dropdown?

0 Karma

SJanasek
Path Finder
  <label>Kunde</label>
  <search>
    <query>index="index1" sourcetype="source1" | lookup kunde_test CUSTOMER_ID OUTPUT CUSTOMER_NAME | top 10 CUSTOMER_NAME</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <fieldForLabel>CUSTOMER_NAME</fieldForLabel>
  <fieldForValue>CUSTOMER_NAME</fieldForValue>
</input>
0 Karma

cmerriman
Super Champion

Are you sure that no customers have the exact same name? I see that warning sometimes when I use name because two people will end up having a very common name. I changed the query, in my case, to either limit the names I cared about if it was bringing back people I didn't need, or I used the ID for the value, and I think that solved it.

SJanasek
Path Finder

Yes, I am sure, they are not even similar at all.

0 Karma

cmerriman
Super Champion

Then the only other thing I could think of could be that the percentages in the top command are coming back the same. try adding a |fields CUSTOMER_NAME to the end of the query.

Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...