Splunk Search

Clicking on stats count chart does not show results due to formatting

rijk
Explorer

When I create a graph plotting the delay in a message using count by delay:
eval Delay = strptime(Time, "%H:%M:%S") - strptime(substr(MessageTime, -4), "%H%M") | fieldformat Delay=substr(tostring(Delay,"duration"),1,8) | stats count by Delay

The graph looks ok, but when I click on a value, no events are shown. Splunk adds e.g. Delay="00:02:17" to the search, but the original Delay was in seconds and it should add Delay="137.000000" to the search. Is there a way to click on the graph but keep the ability to format the representation?

Tags (3)
0 Karma
1 Solution

lguinn2
Legend

If you put the chart in a dashboard, you can set "dynamic drilldown" - this allows you to control what happens when you click. You can control exactly what is displayed when the user clicks, opening another search, another chart, etc.

Here is a link to the documentation: Dynamic Drilldown in dashboards and forms

There are also a lot of questions about "drilldown" in this forum, just watch the date and distinguish between versions of Splunk!

View solution in original post

0 Karma

lguinn2
Legend

If you put the chart in a dashboard, you can set "dynamic drilldown" - this allows you to control what happens when you click. You can control exactly what is displayed when the user clicks, opening another search, another chart, etc.

Here is a link to the documentation: Dynamic Drilldown in dashboards and forms

There are also a lot of questions about "drilldown" in this forum, just watch the date and distinguish between versions of Splunk!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...