Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiselect field with Duplicate Field Values by different labels

Melstrathdee
Path Finder
‎03-25-2019 08:18 PM

Hi All,
I have a multiselected field allowing my users to select from a list of potential hosts. However we have some users know our hosts by the common name and others know them by the server name. I am trying to list both options for the users. I have a lookup table that is getting me this list of commonname hosts with the corrosponding hostvalue.

I have the data coming from this lookup table as follows:
name | host
SYDProd | server1
MELProd | server2
BRISProd | server3
server1 | server1
server2 | server2
server3 | server3

So I want the user to be able to select everything in the name field and then use the host for the value

   <fieldForLabel>name</fieldForLabel>
      <fieldForValue>host</fieldForValue>

Because the hosts are duplicates I get the following message.
"Duplicate values causing conflict"

Is there another way of doing this?
Thanks

0 Karma
Reply

Melstrathdee
Path Finder
‎03-28-2019 03:41 PM

Thanks for the suggestion @kamlesh_vaghela, it got me moving in the right direction, really appreciate your help.

Code so Far:

| fields output host
| eval  valueList=  output + "," + host
| stats delim="," values(valueList) as valueList by host
| nomv ValueList

This gave me the following results.

SYDProd,server1,server1,server1,MELProd,server2,server2,server2

I've adjusted it a little bit and I'm getting what I need from the search.
I needed to remove the label value, remove duplicates and then pop it in the search string

New Code:

  | fields output host
    | eval  valueList=  output + "~" + host
    | eval labelList =  output
    | fields valueList labelList
    | eval tmphosts= replace(valueList,"\w{6,}~", "")
    | dedup tmphosts
    | stats delim="," values(tmphosts) as tmphosts  
    | nomv tmphosts
    | eval tmphosts= "(host=" + replace(tmphosts,",", " OR host=")+ ")"

This then gives me

(host=server1 OR host=server2 )

I would like to try and move the code to the change event on the multi-picker but the "replace" command doesn't seem to work when I move it to a change event and pop it in an evaluate . 

 <eval token="hostlist">replace($token_ServerList1|s$,"\w{6,}~", "")</eval>

I'm sure it is just a syntax issue, any ideas?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 10:37 PM

@Melstrathdee

Can you please share full XML with masking your index name and other information??

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-25-2019 11:32 PM

@Melstrathdee

In this case, I will suggest you display name comma separated with a host.
It will look like...

host | name
server1 | SYDProd,server1

Try by updating your search with below.

YOUR_SEARCH | stats delim="," values(name) as name by host | nomv name

Thanks

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...