Splunk Search

Multiselect field with Duplicate Field Values by different labels

Melstrathdee
Path Finder

Hi All,
I have a multiselect field allowing my users to select from a list of potential hosts. However, some of our users know our hosts by the common name and others know them by the server name. I am trying to list both options for the users. I have a lookup table that is getting me this list of common-name hosts with the corresponding host value.

I have the data coming from this lookup table as follows:
name | host
SYDProd | server1
MELProd | server2
BRISProd | server3
server1 | server1
server2 | server2
server3 | server3

So I want the user to be able to select everything in the name field and then use the host for the value.

    <fieldForLabel>name</fieldForLabel>
    <fieldForValue>host</fieldForValue>

Because the hosts are duplicates I get the following message.
"Duplicate values causing conflict"

Is there another way of doing this?
Thanks

0 Karma

Melstrathdee
Path Finder

Thanks for the suggestion @kamlesh_vaghela, it got me moving in the right direction, really appreciate your help.

Code so Far:

| fields output host
| eval valueList = output + "," + host
| stats delim="," values(valueList) as valueList by host
| nomv valueList

This gave me the following results.

SYDProd,server1,server1,server1,MELProd,server2,server2,server2

I've adjusted it a little bit and I'm getting what I need from the search.
I needed to remove the label value, remove duplicates and then pop it in the search string.

New Code:

    | fields output host
    | eval valueList = output + "~" + host
    | eval labelList = output
    | fields valueList labelList
    | eval tmphosts = replace(valueList,"\w{6,}~", "")
    | dedup tmphosts
    | stats delim="," values(tmphosts) as tmphosts
    | nomv tmphosts
    | eval tmphosts = "(host=" + replace(tmphosts,",", " OR host=") + ")"

This then gives me

(host=server1 OR host=server2 )

I would like to try and move the code to the change event on the multi-picker, but the "replace" command doesn't seem to work when I move it to a change event and pop it in an evaluate.

 <eval token="hostlist">replace($token_ServerList1|s$,"\w{6,}~", "")</eval>

I'm sure it is just a syntax issue, any ideas?

0 Karma

kamlesh_vaghela
SplunkTrust

@Melstrathdee

Can you please share the full XML, masking your index name and other information?

0 Karma

kamlesh_vaghela
SplunkTrust

@Melstrathdee

In this case, I will suggest you display the name comma-separated with the host.
It will look like this:

host | name
server1 | SYDProd,server1

Try updating your search with the below.

YOUR_SEARCH | stats delim="," values(name) as name by host | nomv name

Thanks

0 Karma
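
An added example, not code from any poster in this thread: one way to combine the two ideas above in Simple XML, by giving every choice a unique `name~host` value and stripping the label inside a subsearch so duplicate hosts collapse. The lookup name `host_names.csv` and `YOUR_INDEX` are placeholders; the `|s` token filter quotes the selection before it reaches `eval`.

```xml
<form>
  <label>Host picker (added example)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="token_ServerList1">
      <label>Hosts</label>
      <!-- value is "name~host", so every choice value is unique
           even when two labels map to the same host -->
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <!-- selected values are joined with "," in the token -->
      <delimiter>,</delimiter>
      <search>
        <!-- host_names.csv is a placeholder lookup with fields name, host -->
        <query>| inputlookup host_names.csv
| eval value=name."~".host
| fields name value</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The subsearch splits the token, drops everything up to "~",
               removes duplicate hosts, and returns one row per host, which
               Splunk expands to (host="server1") OR (host="server2") -->
          <query>index=YOUR_INDEX
[| makeresults
 | eval host=split($token_ServerList1|s$, ",")
 | mvexpand host
 | eval host=replace(host, "^[^~]*~", "")
 | dedup host
 | table host]
| stats count by host</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Selecting both SYDProd and server1 puts `SYDProd~server1,server1~server1` in the token, and the subsearch reduces that to a single `host="server1"` term.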