Hi,
I have created a dashboard to filter firewall statuses. One of the inputs I need is a checkbox to eliminate duplicates based on host, source IP, destination IP and destination port.
However, the checkbox input is not working and every time the user checks and unchecks the box, it has no effect on the dashboard.
The following is my dashboard and the XML code, respectively:
Can you please help?
Thank you!
Please share the part of the dashboard code that uses the $checkboxDedup$ token.
At the moment, this token is not being used.
I don't know how to incorporate it into one of my queries so that duplicates over 4 fields are detected.
As you can see from the below code, I am already using the tokens from the other inputs in the base searches:
However, for this checkbox, since I need to detect duplicates across source IP, dest IP, dest port AND sourcetype, and I am already using a sourcetype token in my dropdown, I don't know how to make use of the 1 token in the checkbox when it would make sense to have 4 tokens... Can you please help?
I think you only need one token, not 4 for dedup. Just add the token between the table and first lookup commands.
| table ...
$checkboxDedup$
| lookup ...
When I added the dedup in between the table and lookup, the UI is now looking for some argument:
Can you please help?
Since the token already contains a dedup command, saying | dedup $checkboxDedup$ is equivalent to saying | dedup | dedup $sourcetype_tok$, $dest$, $src$, $port$.
Try the answer provided or change the token to not contain "| dedup"
Hey, the submit button with the dedup condition does work now... but only on fields with the same name across both indexes. Here is the source query with the dedup token being used:
However, I need to also have it check for dedup for src_ip and dest_ip. My issue is on the 2nd index, these two fields are called src and dest, respectively.
I tried using both names with an OR in the dedup but that did not work. Can you please help?
The dedup command does not accept expressions - only field names. You'll probably need to normalize the field names using rename or coalesce (or other method) for dedup to work as expected.
Have you considered using the submit button? In order to use the submit button you have to change "search on change" off on all your other inputs.
-Marco
I've had the exact same use case and found a workaround. Adding this just in case anyone else stumbles across it.
Update the default option to noop, so the token reverts to it when the checkbox is deselected:
<input type="checkbox" token="dedupresults">
<choice value="dedup src,dest">Dedup</choice>
<default>noop</default>
</input>
Then insert the token into your search:
.... | $dedupresults$ | .....
This will result in the search being either
... | dedup src,dest | ... or ... | noop | ...
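Putting the thread's pieces together, here is an added example of a complete Simple XML form (not code from any of the posts above): the checkbox defaults to noop, the differing field names from the second index are normalized with coalesce before the dedup token is applied, and a submit button is used so the token is only read on submit. The index names fw_a and fw_b, the label text and the action field are assumptions for illustration; the sourcetype dropdown token is the one from the thread.

```xml
<form>
  <label>Firewall status (dedup example)</label>
  <!-- submitButton="true" so inputs only apply when the user clicks Submit -->
  <fieldset submitButton="true">
    <!-- sourcetype dropdown assumed to populate $sourcetype_tok$ as in the thread -->
    <input type="dropdown" token="sourcetype_tok" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <choice value="cisco:asa">cisco:asa</choice>
      <default>*</default>
    </input>
    <!-- checkbox: checked -> a dedup command, unchecked -> noop (no-op command) -->
    <input type="checkbox" token="dedupresults" searchWhenChanged="false">
      <label>Remove duplicates</label>
      <choice value="dedup host src dest dest_port">Dedup</choice>
      <default>noop</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            index=fw_a OR index=fw_b sourcetype=$sourcetype_tok$
            | eval src=coalesce(src, src_ip), dest=coalesce(dest, dest_ip)
            | table host src dest dest_port action
            | $dedupresults$
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because coalesce runs before the dedup token, events from the index that names the fields src_ip/dest_ip and events from the index that names them src/dest are compared on the same normalized fields.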