Hi,
I've got a timechart which lays out the average response count for multiple groups over the last hour with a column display.
Code example:
index=*text* sourcetype=*text* groupid=* | timechart span=1m avg(response)
....
....
<drilldown>
<set token="group_tok">$click.value$</set>
</drilldown>
I want to have a drilldown that produces multiple views on the same page when one of these columns is clicked. The only catch being that the views displayed should be for the time the column appears for, ex: clicking the column for August 14th 1:00pm results in a view with only data from that date and minute of time (given that each column is a minute of data). My code allows these columns to be clicked using a
Essentially, how would I make a column timechart that can be drilled down to the clicked time?
Check out http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/PanelreferenceforSimplifiedXML#chart_.28event_... - your chart produces $earliest$
and $latest$
tokens. Use those to set global tokens like this:
<drilldown>
<set token="clicked_earliest">$earliest$</set>
<set token="clicked_latest">$latest$</set>
<set token="clicked_group">$click.name2$</set>
</drilldown>
Then use those tokens to set the time range of your drilldown searches.
I am also trying the same but instead of getting the earliest and latest time of particular column in timechart , I am getting time of the search, Please help.
<query>
| timechart span=$range$ avg(WAIVER_OPEN_CASES) as OPEN_CASES, avg(NON_COMPLIANT_TWO_OR_MORE_METHODS) as NON_COMPLIANT_TWO_OR_MORE_METHODS </query>
</search>
and after this chart commands and drilldown you mentioned.
Excellent answer. It worked in my case. Thanks for sharing
Check out http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/PanelreferenceforSimplifiedXML#chart_.28event_... - your chart produces $earliest$
and $latest$
tokens. Use those to set global tokens like this:
<drilldown>
<set token="clicked_earliest">$earliest$</set>
<set token="clicked_latest">$latest$</set>
<set token="clicked_group">$click.name2$</set>
</drilldown>
Then use those tokens to set the time range of your drilldown searches.
Hi @martin_mueller , I have a similar question, could you please help on this,
i have query like | timechart count by status.
output: _time status
1/1/2018 20:10:12.214 2
10/1/2018 12:32:45.153 4
when i click on bar chart legend, _time should pass to another chart date, hour and minutes only like 1/1/2018 20:10.
Ask a new question in order to ask a new question.
This worked, thanks for all the help!
See the different tokens available on click event for drilldown.
My suggestion will be rename avg(response) as avgResponse and then create two tokens for _time and avgResponse as $row._time$ and $row.avgResponse$. Then use the $row._time$ token to determine the earliest and latest for the subsequent panels.