Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duplicate events causing conflict - how to eliminate

ablumenthal_spl
Splunk Employee
Splunk Employee
‎08-05-2015 06:55 AM

I'm trying to create a series of inputs that require a change on selection.

The first one drops down a list of users via a lookup table. It also pulls a list of states associated to their names. The query looks like this:

sourcetype=XXX | lookup territory.csv State as "Abbrev_State" OUTPUT Rep as Rep | top Rep | dedup Rep

*** my sourcetype has the information on states and cities. The original sourcetype is a CSV. I uploaded the lookup. dedup has not solved this problem for me.

The second query is meant to drop down the states associated with their names. I'm also getting the same error on duplicate labels.
Here's my Query:

sourcetype=XXX | lookup territory.csv State as "Abbrev_State" OUTPUT Rep as Rep | search Rep="XXXX" | stats values(Abbrev_State) as States | mvexpand States

My third query is meant to provide a list of the cities within that state. Again, the duplicate labels causing conflict.

sourcetype=XXX | lookup territory.csv State as "Abbrev_State" OUTPUT Rep as Rep | search Rep="XXX" "Abbrev_State"=XX | stats values(Abbrev_City) as City | mvexpand City

I've been using the GUI only to modify my inputs. I can copy the XML if necessary. Any help would appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎08-06-2015 05:50 AM

Hi,

this should be caused by a label that is more than one time in the set of labels available to your dropwown.

So you can check the options of the dropdown. Which field of your dynamic search is marked as field for the labels, and which one is marked for the values. Maybe you interchanged them?

Also, i run in in this problem often, because for a first run on the dashboard i just add some static labels and values to the inputs for test purpose. Later i implement the dynamic search, but sometimes the labels of your static options are equal to results of your dynamic search. Did you check that you have none or at least unique static labels in your dropdowns?

@richgalloway: the error is "duplicate labels causing conflict"

Greetings

Tom

View solution in original post

Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎08-06-2015 05:50 AM

Hi,

this should be caused by a label that is more than one time in the set of labels available to your dropwown.

So you can check the options of the dropdown. Which field of your dynamic search is marked as field for the labels, and which one is marked for the values. Maybe you interchanged them?

Also, i run in in this problem often, because for a first run on the dashboard i just add some static labels and values to the inputs for test purpose. Later i implement the dynamic search, but sometimes the labels of your static options are equal to results of your dynamic search. Did you check that you have none or at least unique static labels in your dropdowns?

@richgalloway: the error is "duplicate labels causing conflict"

Greetings

Tom

Reply
Solved! Jump to solution

ablumenthal_spl
Splunk Employee
Splunk Employee
‎08-06-2015 06:34 AM

Exactly my problem. Thank's Tom. I appreciate your help.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-05-2015 08:38 AM

You say you're "getting the same error", but I don't see where you say what that error is.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ablumenthal_spl
Splunk Employee
Splunk Employee
‎08-06-2015 06:34 AM

Apologies! "Duplicate Labels causing conflict" was the error. I solved the problem per Tom's suggestion!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-05-2015 08:30 AM

The XML would be good to have for providing proper solution. Meanwhile, try this-
Replace your first query with this

sourcetype=XXX | lookup territory.csv State as "Abbrev_State" OUTPUT Rep as Rep | stats count by Rep

Replace your 2nd query with this

sourcetype=XXX | lookup territory.csv State as "Abbrev_State" OUTPUT Rep as Rep | search Rep="XXXX" | stats  count by Abbrev_State | rename Abbrev_State as States

Replace your 3rd query with this

sourcetype=XXX | lookup territory.csv State as "Abbrev_State" OUTPUT Rep as Rep | search Rep="XXX" "Abbrev_State"=XX | stats count by Abbrev_City | rename Abbrev_City as City
0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...