Why does dedup command with sortby parameter in base searches produce duplicate results in Splunk 7.1.4?

andrewtrobec
Motivator

Good morning,

I've noticed a strange phenomenon with Splunk Enterprise 7.1.4 base searches and I wanted to see whether anyone else has noticed it too. Here is what I've done:

  1. Created accelerated data model
  2. Used accelerated data model in a base search
  3. Within the base search I use the dedup command with sortby parameter
  4. Created a panel based on the base search and used timechart command
  5. Made the panel a single with sparkline

Now for the weird part. The dashboard doubles the results in the panel! If I open the panel in search through the magnifying glass icon it shows the correct, non-doubled value. After further analysis I've found that there are two ways to get the panel working properly:

  1. Remove the base search and replicate it to each panel, which is inefficient
  2. Remove the sortby parameter from the base search

Is this a bug in Splunk? Before anyone asks, no, there are no duplicate events in the index.

Regards,

Andrew

0 Karma

woodcock
Esteemed Legend

Open a support case and ask Splunk.

0 Karma

jnahuelperez35
Path Finder

Please, take a look at this question about populating dropdown items https://answers.splunk.com/answers/145911/how-to-populate-dropdown-input-with-ids-from-search.html

0 Karma

woodcock
Esteemed Legend

Show some events and show the XML, so that we can try to reproduce it.

andrewtrobec
Motivator

@woodcock I've tried to isolate and reproduce the issue in the search app but I cannot... I asked the question to see whether there was a known issue. I wonder if it is permission related or whether there is some config file that causes this phenomenon.

0 Karma