Dashboards & Visualizations

How do I get this drilldown to properly pass the latest time range token value to a search?

aarzhang
New Member

This is my current search:

|tstats count as total from datamodel="XXXX" where (nodename=XXX) (EPC_Log.pageName=$pageName_tok$) groupby _time , EPC_Log.onErrorMsg ,span=$timespan_tok$| timechart limit=0 span=$timespan_tok$ sum(total) by EPC_Log.onErrorMsg|eval _earliest=_time|eval _latest=_time+_span

My drilldown looks like this:

<drilldown target="Raw Search Investigation">
       <link>
         <![CDATA[
         /app/search/search?q=search index=app host="XXX" sourcetype="XXX" domain=XXXXX pageName=$pageName_tok$ onErrorMsg="$click.name2$"  earliest=$row._time$ latest=$row._latest$   
         ]]>
       </link>
     </drilldown>

but when I click the new search like this:

index=app host="XXX" sourcetype="XXX" domain=XXX pageName=XXX onErrorMsg="Script"  earliest=1447178400.000 latest=$row._latest$

you can see that I can not get the $row._latest$ value.

Could you help me ?

0 Karma
1 Solution

frobinson_splun
Splunk Employee
Splunk Employee

Hi @aarzhang,
I'm looking at the syntax you're using to access the fields in each row, in your drilldown. Based on the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#table_.28event_...

You might want to try just $latest$ instead of $row._latest$ in the drilldown, if you haven't already. Also, depending on what you need for the earliest field, the syntax in the docs is just $earliest$. The $earliest$ and $latest$ tokens reflect the time range for the clicked table row. If this is not applicable, they reflect the time range for the search.

I hope this helps! Let me know if not.

View solution in original post

frobinson_splun
Splunk Employee
Splunk Employee

Hi @aarzhang,
I'm looking at the syntax you're using to access the fields in each row, in your drilldown. Based on the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#table_.28event_...

You might want to try just $latest$ instead of $row._latest$ in the drilldown, if you haven't already. Also, depending on what you need for the earliest field, the syntax in the docs is just $earliest$. The $earliest$ and $latest$ tokens reflect the time range for the clicked table row. If this is not applicable, they reflect the time range for the search.

I hope this helps! Let me know if not.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...