Well, I "fixed" it...... more like smashed it with a boulder

this query did the trick, still can't figure out why there appears to be duplicate in the data when there isnt.....

index=wholesale_app|dedup buildTarget|eval stringlen=len(buildTarget)|where stringlen<10|sort buildTarget

@dbcase, there is definitely something "fishy"... and still it is "hilarious ;)"

If both stats and dedup would have given two rows I would have suspected data, but seems like confined to dedup.

Do you mind trying out another query? Also providing your Splunk Enterprise version?

index=wholesale_app
| dedup buildTarget
| table _time _raw buildTarget

Inspect the raw event and buildTarget field as to why buildTarget name appears twice in the same event. If you have created field extraction for buildTarget. Please test the regular expression with sample data on regex101.com to ensure field extraction is working fine or not.

Hi Niketnilay,

Good to know there is someone who appreciates bad humor 🙂

here is the results of your query

_time   _raw    buildTarget
2017-11-17 14:06:47 {"analyticType":"Counter","buildTarget":"Freds Fish Market","clientSessionId":"DXDKOYP-AWPEOUC","Properties":{"index":12,"args":[2],"category":"Event"}}    
Freds Fish Market
Freds Fish Market
2017-11-16 13:55:52 {"analyticType":"Counter","buildTarget":"Freds Fish Market","clientSessionId":"DXDEPQ-AOZUGSD","Properties":{"index":13,"args":[66],"category":"Event"}}    comcast

Another query gives the expected results

index=wholesale_app  sourcetype=wholesale_mobile_app | spath buildTarget  | dedup buildTarget

@dbcase, so I expect your KV_MODE and/or INDEXED_EXTRACTION modes are json in your props.conf. This seems to be problem with search time default field discovery. You should definitely report this Splunk as to why stats is working and dedup is not.

PS: If | spath is working you can use that.

I would also request you to un-accept my answer and Accept your previous comment as the answer. You can definitely up vote the comments that helped.

Hi Niketnilay,

Wow lots of things to try.... ok here goes

On the first one I get two rows

1st row = Freds Fish Market
2nd row= Freds Fish Market Freds Fish Market

The above makes me suspect I have a fishy (sorry bad pun) record in my data set

The second one yields only 1 row (but it takes a while)
1st and only row=Freds Fish Market

I didn't try the 3rd one as there will be other customers in the drop down eventually

Hi deepashri_123

I tried what you suggested

<input type="dropdown" token="mso_selection">
          <label>Select a MSO</label>
          <search>
            <query>index=wholesale_app|dedup buildTarget|table buildTarget</query>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </search>
          <fieldForLabel>buildTarget</fieldForLabel>
          <fieldForValue>buildTarget</fieldForValue>
        </input>

And I still have the same problem (although the order of the dropdown has changed)

I suspect the problem lies in the fieldforlabel/fieldforvalue but I don't know what changes need to be made