Solved: How to make column timechart that can drill down t...

pepper_seattle · ‎08-14-2014

Hi,

I've got a timechart which lays out the average response count for multiple groups over the last hour with a column display.

Code example:

index=*text* sourcetype=*text* groupid=* | timechart span=1m avg(response)

....
....
<drilldown>
<set token="group_tok">$click.value$</set>
</drilldown>

I want to have a drilldown that produces multiple views on the same page when one of these columns is clicked. The only catch being that the views displayed should be for the time the column appears for, ex: clicking the column for August 14th 1:00pm results in a view with only data from that date and minute of time (given that each column is a minute of data). My code allows these columns to be clicked using a , but it won't keep to that exact minute, instead giving me something from the last hour or so.

Essentially, how would I make a column timechart that can be drilled down to the clicked time?

martin_mueller · ‎08-14-2014

Check out http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/PanelreferenceforSimplifiedXML#chart_.28event_... - your chart produces $earliest$ and $latest$ tokens. Use those to set global tokens like this:

<drilldown>
  <set token="clicked_earliest">$earliest$</set>
  <set token="clicked_latest">$latest$</set>
  <set token="clicked_group">$click.name2$</set>
</drilldown>

Then use those tokens to set the time range of your drilldown searches.

View solution in original post

pal_sumit1 · ‎07-13-2018

I am also trying the same but instead of getting the earliest and latest time of particular column in timechart , I am getting time of the search, Please help.

      <query> 
 | timechart span=$range$ avg(WAIVER_OPEN_CASES) as OPEN_CASES, avg(NON_COMPLIANT_TWO_OR_MORE_METHODS) as NON_COMPLIANT_TWO_OR_MORE_METHODS </query>
    </search>

and after this chart commands and drilldown you mentioned.

ngohel · ‎08-27-2019

Excellent answer. It worked in my case. Thanks for sharing

martin_mueller · ‎08-14-2014

Check out http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/PanelreferenceforSimplifiedXML#chart_.28event_... - your chart produces $earliest$ and $latest$ tokens. Use those to set global tokens like this:

<drilldown>
  <set token="clicked_earliest">$earliest$</set>
  <set token="clicked_latest">$latest$</set>
  <set token="clicked_group">$click.name2$</set>
</drilldown>

Then use those tokens to set the time range of your drilldown searches.

james_n · ‎02-04-2019

Hi @martin_mueller , I have a similar question, could you please help on this,

i have query like | timechart count by status.
output: _time status
1/1/2018 20:10:12.214 2
10/1/2018 12:32:45.153 4

when i click on bar chart legend, _time should pass to another chart date, hour and minutes only like 1/1/2018 20:10.

martin_mueller · ‎02-04-2019

Ask a new question in order to ask a new question.

pepper_seattle · ‎08-14-2014

This worked, thanks for all the help!

somesoni2 · ‎08-14-2014

See the different tokens available on click event for drilldown.

http://docs.splunk.com/Documentation/Splunk/6.1/Viz/PanelreferenceforSimplifiedXML#Drilldown_event_t...

My suggestion will be rename avg(response) as avgResponse and then create two tokens for _time and avgResponse as $row._time$ and $row.avgResponse$. Then use the $row._time$ token to determine the earliest and latest for the subsequent panels.

How to make column timechart that can drill down to the clicked column time value?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes