Dashboards & Visualizations

Why can't I drill down a table with the _time column renamed or converted to a different format?

LuiesCui
Communicator

Hi guys

I have a problem here and I need ur help!
I have a table in a dashboard with column _time. I would like to rename _time as time so I tried 2 methods to do that.
Method A:

index="from_host_demo" source="Perfmon:Network Interface" | convert timeformat="%Y/%m/%d %T" ctime(_time) as time | table time collection counter Value

and Method B:

index="from_host_demo" source="Perfmon:Network Interface" | rename _time as time | table time collection counter Value| fieldformat time=strftime(time, "%Y/%m/%d %T")

Both methods work well and I got what I wanted, but I soon found I got no event if I drill down from tables and I see the format of _time causes this problem.
For example, if I drill down the second table, the search line would be

index="from_host_demo" source="Perfmon:Network Interface"  Value="283.51863284535062" | eval time=_time | search time="2015/07/30 11:26:34"

and got no events. But if I change the search line into

index="from_host_demo" source="Perfmon:Network Interface"  Value="283.51863284535062" | eval time=_time | search time="1438226794"

then the event I want comes out.
So I tried to change the drilldown link as below:

<drilldown target="_blank">
            <link>
                <![CDATA[search?q=index="from_host_demo" collection="$row.collection$" counter="$row.counter$" Value="$row.Value$" | convert timeformat="%Y/%m/%d %T" ctime(_time) as time |where time="$row.time$"]]>
            </link>
        </drilldown>

If I drill down the table, it comes out "loading" and will not even show any result! However, when I typed the search line in the search page without tokens, but with data, it worked!

So what I want is to rename the _time column, but still have the drilldown function work. What should I do to solve this problem? And by the way, what is the difference between method A and method B? Thx a lot!

0 Karma
1 Solution

LuiesCui
Communicator

Got a solution...it works but is not perfect.

<table>
    <title>rename time</title>
    <search>
      <query>index="perform" source="Perfmon:Network118" 
        | convert timeformat="%Y/%m/%d %T" ctime(_time) as time2 
        | eval collection2 = collection | eval counter2 = counter | eval Value2 = Value
        | rename _time as time 
        | table time time2 collection collection2 counter counter2 Value Value2 
        | rename time2 as 时とき, collection2 as 集まる, counter2 as 分類, Value2 as 数値</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <drilldown target="_blank">
      <link>
        <![CDATA[search?q= search index="perform" 
        collection="$row.collection$" 
        counter="$row.counter$" 
        Value="$row.Value$" 
        _time="$row.time$"]]>
      </link>
    </drilldown>
    <fields>["时とき","集まる","分類","数値"]</fields>
</table>

For example, if you have 4 columns to show and all of them need to be renamed, you should have 8 column in your table - 4 of them to display(be renamed) and 4 for the value for drilldown. Then use row.field to take the values of the columns aren't renamed and use fields to show the columns renamed.

View solution in original post

LuiesCui
Communicator

Got a solution...it works but is not perfect.

<table>
    <title>rename time</title>
    <search>
      <query>index="perform" source="Perfmon:Network118" 
        | convert timeformat="%Y/%m/%d %T" ctime(_time) as time2 
        | eval collection2 = collection | eval counter2 = counter | eval Value2 = Value
        | rename _time as time 
        | table time time2 collection collection2 counter counter2 Value Value2 
        | rename time2 as 时とき, collection2 as 集まる, counter2 as 分類, Value2 as 数値</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <drilldown target="_blank">
      <link>
        <![CDATA[search?q= search index="perform" 
        collection="$row.collection$" 
        counter="$row.counter$" 
        Value="$row.Value$" 
        _time="$row.time$"]]>
      </link>
    </drilldown>
    <fields>["时とき","集まる","分類","数値"]</fields>
</table>

For example, if you have 4 columns to show and all of them need to be renamed, you should have 8 column in your table - 4 of them to display(be renamed) and 4 for the value for drilldown. Then use row.field to take the values of the columns aren't renamed and use fields to show the columns renamed.

woodcock
Esteemed Legend

IMHO, this is a bug and should be reported as such. Especially because this also doesn't work (and DEFINITELY should):

index="from_host_demo" source="Perfmon:Network Interface" | fieldformat _time = strftime(_time, "%Y/%m/%d %T") | table _time collection counter Value
0 Karma

LuiesCui
Communicator

yep another error 😞

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi LuiesCui,

you're aware that Splunk already has build in japanese locals?
Don't re-invent the wheel, just use this URI and you good:

http[s]://YourSplunkServer:YourSplunkPort/ja-JP/

This cannot be set by default but Splunk should switch to the correct locale if used in a japanese browser - maybe...

Hope this helps ...

cheers, MuS

MuS
SplunkTrust
SplunkTrust

And here is a nice Chrome plug-in which will take care of switching to the correct locale if Splunk does not https://chrome.google.com/webstore/detail/quick-language-switcher/pmjbhfmaphnpbehdanbjphdcniaelfie

cheers, MuS

LuiesCui
Communicator

Tried and didn't work. Can I rename those column header outside of the search line? I mean, I want to edit the column name in the xml as a property of the table. Any way to do that?

0 Karma

MuS
SplunkTrust
SplunkTrust

What did not work, using the ja-JP locale or using the fieldformat ?
Try the ja-JP locale without the fieldformat

I'm not aware of a column header rename function outside the search, but then again I'm no Web developer and I haven't used the Splunk Web Framework a lot.

LuiesCui
Communicator

Could anyone help?

0 Karma

MuS
SplunkTrust
SplunkTrust

Why do you need to rename _time ?

0 Karma

LuiesCui
Communicator

My client wants the panel shows in japanese

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...