Dashboards & Visualizations

How do I drilldown time?

appleman
Contributor

Hello,

I want to drill down on the time I pick from the timechart as well as the clicked value on the dashboard.
So I made the XML below, but it only drills down on the clicked value, not the time.
How can I drill down on the time as well?

Here is my XML below.

<form>
  <label>ログ検索</label>
  <description>トラブルシュート用</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="number"/>
    <input type="time" searchWhenChanged="true">
      <default>Today</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>オペレーション</title>
      <searchString>source=operation $number$ | table _time unitid number sequence opid command status</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <drilldown target="_blank">
        <link>
          <![CDATA[/app/search/mdm_log_search1?form.incomingToken=$row.command$&earliest=$earliest$&latest=$latest$]]>
        </link>
      </drilldown>
      <option name="drilldown">cell</option>
      <option name="count">30</option>
    </table>
  </row>
</form>

Thank you.

0 Karma

gauldridge
Path Finder

The drilldown in this XML is sending the earliest and latest times based on the time range chosen by the user through the time picker. If that is the time range you are trying to send to your drilldown, you should first change the default section of the time picker to:

<default>
  <earliest>@d</earliest>
  <latest>now</latest>
</default>

Otherwise it will default to "All Time" because the syntax above is incorrect (for Splunk 6 at least). Also, is this the full XML of the view? You mention a timechart but there isn't one in this XML.

-----UPDATE STARTS HERE-----

Since you are already sending other tokens to a drilldown form search, you can send the _time value as well. Just change your drilldown link to this:

<![CDATA[/app/search/mdm_log_search1?form.incomingToken=$row.command$&form.timestamp=$row._time$&earliest=$earliest$&latest=$latest$]]>

I added the &form.timestamp=$row._time$ section to your link. On the drilldown target, you will have <input type="text" token="timestamp" /> to receive the second incoming token. Here's a quick working example of a Main Form Search and the Drilldown Form Search showing how to send the exact time stamp to a drilldown form search:

<form>
  <label>Main Form Search XML</label>
  <description/>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>@d</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <table>
      <searchString>index=_internal | table _time,clientip</searchString>
      <earliestTime>-4h@m</earliestTime>
      <latestTime>now</latestTime>
      <drilldown target="_blank">
        <link>
          <![CDATA[/app/search/drilldown_landing?form.timestamp=$row._time$]]>
        </link>
      </drilldown>
    </table>
  </row>
</form>
<form>
  <label>Drilldown Form Search Landing</label>
  <description/>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default/>
    </input>
    <input type="text" token="timestamp"/>
  </fieldset>
  <row>
    <event>
      <searchString>index=_internal _time=[| gentimes start=-1 | eval x=strptime("$timestamp$","%FT%H:%M:%S.%3N%z") | fields x | rename x AS search]</searchString>
      <earliestTime>0</earliestTime>
      <latestTime>now</latestTime>
    </event>
  </row>
</form>

Just make sure you use the proper time format string in strptime() in the drilldown form search. Otherwise, you'll get no results. Also, keep in mind that sending an exact time stamp like this will only get you events with that exact time stamp.
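To make the two halves of this drilldown concrete, here is an added Python model of what the link above carries and what the landing form's strptime() has to parse. It is not Splunk code and not part of the original answer; the sample row is constructed, the landing path is the one from the answer, and it also shows a widened earliest/latest window as an alternative to the exact-timestamp match noted above.

```python
"""Model of the drilldown link and the landing-form timestamp parse from the answer."""
from datetime import datetime
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed sample row, shaped like one row of `... | table _time,clientip`.
SAMPLE_ROW = {"_time": "2014-01-15T10:23:45.123+09:00", "clientip": "10.0.0.5"}

# Splunk's strptime format from the answer (%3N = milliseconds) and the
# equivalent Python strptime format (%f takes the fractional seconds).
SPLUNK_FORMAT = "%FT%H:%M:%S.%3N%z"
PYTHON_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def build_drilldown_link(row, base="/app/search/drilldown_landing"):
    """Build the link the <drilldown> element opens for one clicked row.
    urlencode() turns the '+' of the UTC offset into %2B; a raw '+' in a
    query string is decoded as a space, which would break strptime() on the
    landing form and give the 'no results' outcome the answer warns about."""
    return base + "?" + urlencode({"form.timestamp": row["_time"]})


def parse_splunk_time(ts):
    """Parse the $row._time$ string into epoch seconds (what SPL strptime returns)."""
    return datetime.strptime(ts, PYTHON_FORMAT).timestamp()


def time_window(ts, seconds=0):
    """Return (earliest, latest) epoch bounds around the clicked timestamp.
    seconds=0 reproduces the answer's exact-match behaviour; a wider window
    also catches events whose _time differs by sub-second jitter."""
    t = parse_splunk_time(ts)
    return (t - seconds, t + seconds)


def landing_form_window(link, seconds=0):
    """Decode the link the way the landing form receives it, then compute the window."""
    query = parse_qs(urlsplit(link).query)
    return time_window(query["form.timestamp"][0], seconds)


if __name__ == "__main__":
    link = build_drilldown_link(SAMPLE_ROW)
    print(link)
    print(landing_form_window(link, seconds=5))
```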

gauldridge
Path Finder

@appleman, please see my updated answer above.

0 Karma

appleman
Contributor

Thank you. And yes, it's my full sample XML and I'm sorry, there was no timechart. I meant _time in the table.

0 Karma