Multiselect field with Duplicate Field Values by different labels

Melstrathdee
Path Finder

Hi All,
I have a multiselect field allowing my users to select from a list of potential hosts. However, some of our users know our hosts by the common name and others know them by the server name. I am trying to list both options for the users. I have a lookup table that is getting me this list of common-name hosts with the corresponding host value.

I have the data coming from this lookup table as follows:
name | host
SYDProd | server1
MELProd | server2
BRISProd | server3
server1 | server1
server2 | server2
server3 | server3

So I want the user to be able to select everything in the name field and then use the host for the value.

    <fieldForLabel>name</fieldForLabel>
    <fieldForValue>host</fieldForValue>

Because the hosts are duplicates I get the following message.
"Duplicate values causing conflict"

Is there another way of doing this?
Thanks

0 Karma

Melstrathdee
Path Finder

Thanks for the suggestion @kamlesh_vaghela, it got me moving in the right direction, really appreciate your help.

Code so Far:

| fields output host
| eval valueList = output + "," + host
| stats delim="," values(valueList) as valueList by host
| nomv valueList

This gave me the following results.

SYDProd,server1,server1,server1,MELProd,server2,server2,server2

I've adjusted it a little bit and I'm getting what I need from the search.
I needed to remove the label value, remove duplicates and then pop it in the search string.

New Code:

    | fields output host
    | eval valueList = output + "~" + host
    | eval labelList = output
    | fields valueList labelList
    | eval tmphosts = replace(valueList,"\w{6,}~", "")
    | dedup tmphosts
    | stats delim="," values(tmphosts) as tmphosts
    | nomv tmphosts
    | eval tmphosts = "(host=" + replace(tmphosts,",", " OR host=") + ")"

This then gives me

(host=server1 OR host=server2 )

I would like to try and move the code to the change event on the multi-picker, but the "replace" command doesn't seem to work when I move it to a change event and pop it in an evaluate.

 <eval token="hostlist">replace($token_ServerList1|s$,"\w{6,}~", "")</eval>

I'm sure it is just a syntax issue, any ideas?

0 Karma

kamlesh_vaghela
SplunkTrust

@Melstrathdee

Can you please share the full XML, masking your index name and other information?

0 Karma

kamlesh_vaghela
SplunkTrust

@Melstrathdee

In this case, I suggest you display the name comma-separated with the host.
It will look like this:

host | name
server1 | SYDProd,server1

Try updating your search with the below.

YOUR_SEARCH | stats delim="," values(name) as name by host | nomv name

Thanks

0 Karma
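
The suggestion above wired into a multiselect input, as an added example that is not part of the thread. The lookup rows are rebuilt inline with `makeresults` as constructed sample data, the `Hosts` label is an assumption, and the `prefix`/`valuePrefix`/`delimiter` settings are an added way to get the `(host=... OR host=...)` string without a `replace` in a change event. The fragment belongs inside a dashboard's `<fieldset>`.

```xml
<!-- Added example, not from the thread. The makeresults/rex lines only rebuild
     the sample lookup rows (constructed data); replace them with your own search. -->
<input type="multiselect" token="token_ServerList1" searchWhenChanged="true">
  <label>Hosts</label>
  <search>
    <query><![CDATA[
| makeresults
| eval raw="SYDProd:server1 MELProd:server2 BRISProd:server3 server1:server1 server2:server2 server3:server3"
| makemv delim=" " raw
| mvexpand raw
| rex field=raw "^(?<name>[^:]+):(?<host>.+)$"
| stats delim="," values(name) as name by host
| nomv name
    ]]></query>
  </search>
  <!-- After stats ... by host there is one row per host, so each value is
       unique and the label shows both names, e.g. "SYDProd,server1". -->
  <fieldForLabel>name</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <!-- The token expands to e.g. (host="server1" OR host="server2"). -->
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>host="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
</input>
```

Use `$token_ServerList1$` directly in the panel search; the quoting added by `valuePrefix` and `valueSuffix` keeps each selected host a single literal term.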