- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to modify the timerange token in drilldown?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have this timechart. I want to drill down to another search with a timerange starting 10 minutes before the moment in the timechart (which I can pass to the drilldown search as token using "$click.value$) and ending 5 minutes later.
I tried to calculate the time in the search string of the drilldown as "earliest=timestamp-600, that does not work.
Here is the table for the timechart. When clicking on the first element I want the drilldown from 14:20 until 14:35
2016-12-21 14:30:00 493.293571 800 567
2016-12-21 14:45:00 472.051973 800 560
2016-12-21 15:00:00 512.801327 800 552
2016-12-21 15:15:00 430.072523 800 537
2016-12-21 15:30:00 380.293680 800 523
2016-12-21 15:45:00 304.686207 800 510
2016-12-21 16:00:00 260.215492 800 492
2016-12-21 16:15:00 239.603977 800 468
The drilldown in the chart:
<drilldown target="blank">
<link>workload_drilldown?timestamp=$click.value$</link>
</drilldown>
Timestamp is passed to the drilldown:
workload_drilldown?timestamp=1482412500.000
In the target I can use the token like this:
latest=$timestamp$
What I would like is something like this
earliest=$timestamp$-600 latest=$timestamp$+300
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if something like this works
<drilldown target="blank">
<eval token="e">$click.value$-600</eval>
<eval token="l">$click.value$-300</eval>
<link>workload_drilldown?earliest=$e$&latest=$l$</link>
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would need to use eval tags for your calculations using relative_time SPL function.
Either on current dashboard or your link workload_drilldown you would need to have time tokens earliest and latest (these are default fields if you have not created your own explicit time token). I have created a sample for for one of the scenarios so that you can use the eval tokens as per your needs.
<drilldown>
<eval token="EarliestTime">relative_time($click.value$,"-10m")</eval>
<eval token="LatestTime">relative_time($click.value$,"+5m")</eval>
<link>
workload_drilldown?earliest=$EarliestTime$&latest=$LatestTime$
</link>
</drilldown>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both answers are basically the same. The good news: it works! Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if something like this works
<drilldown target="blank">
<eval token="e">$click.value$-600</eval>
<eval token="l">$click.value$-300</eval>
<link>workload_drilldown?earliest=$e$&latest=$l$</link>
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Had to use CDATA around the link to get the XML right but it works fine. Thanx!
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
