I've been able to drill down into a table from a single value. My final challenge is to include the current time span in the link. I've tried adding earliest/latest XML elements in the single value drilldown link element, but that didn't work. I've tried to embed $form1.earliest$ & $form1.latest$ in the link, and used CDATA instead of URL decoding the search string, without success. I've used the dashboards example app too. Any ideas on what I'm missing?
Added the XML for this single value:
<single>
<search>
<query>index=_internal</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0xd93f3c"]</option>
<option name="rangeValues">[5]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="underLabel">Generator Queue</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<link>?q=/app/search/search/index=_internal earliest=?? latest=??</link>
</drilldown>
<option name="linkView">search</option>
</single>
How can I add the time span in ?q=/app/search/search/index=_internal earliest=?? latest=???
Mark
Following is the example I described earlier.
<single>
<search>
<query>index=_internal</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="drilldown">all</option>
<drilldown>
<set token="myEarliestTime">$earliest$</set>
<set token="myLatestTime">$latest$</set>
</drilldown>
</single>
Since you plan to use the earliest and latest tokens in a link, you will not require the above example.
However, I would suggest using a CDATA section so that you don't have to escape the encoded URL. You can test this by creating a new dashboard and calling it using the following path for your Splunk app name. Earliest time and latest time can be passed as query strings (see example below). I recommend that you check out the various drilldown examples provided in the Splunk 6.x Dashboard Examples app.
<drilldown>
<link>
<![CDATA[
/app/<YourSplunkApp>/<YourNewDashboardorRedirection>?earliest=$earliest$&latest=$latest$
]]>
</link>
</drilldown>
You can add a Time control to the form and use its earliest and latest properties across the visualizations in your form.
For example, if the added Time control is globalTime, you will have $globalTime.earliest$ and $globalTime.latest$ available in the form.
Additionally, the earliest and latest timestamps are available as single value tokens, which can be coded under a <drilldown><condition> block.
Please refer to the link for Single value tokens: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#single_.28even...
Thanks niketnilay. I'm trying to pass the time span from a single value visualization to the drilldown link, so that when users click on the value, the URL associated with it starts another search.
Have you tried using search events to capture earliest/latest? From your question, it appears you want to pass earliest/latest for the search used in the single-value panel, right? Try this (can be used for any search block)
<panel>
<single>
<search>
<query>...</query>
<done>
<!-- job.earliestTime is the search job property holding the job's earliest time -->
<set token="e">$job.earliestTime$</set>
</done>
</search>
...
</single>
</panel>
Thanks sundareshr! I've updated with the XML - hopefully that'll help. I would like the drilldown URL to execute a separate search displaying a table. How can I get the token into the link element?
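An added example, not code from any poster in this thread: a complete form that combines the suggestions above, passing the time picker's range into a single value drilldown link through a CDATA section. It assumes the time input token is named field1 as in the question and that the target is the Search app's search view; the label and the table search in q are constructed for illustration.

```xml
<form>
  <label>Single value drilldown with time range (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Time picker; the token name field1 matches the one used in the question -->
    <input type="time" token="field1">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_internal | stats count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <!-- The drilldown option must not be "none", or the link is never followed -->
        <option name="drilldown">all</option>
        <option name="underLabel">Generator Queue</option>
        <drilldown>
          <!-- CDATA lets the & separators stay unescaped in the XML.
               q is pre-encoded: search index=_internal | table _time sourcetype
               The |u filter URL-encodes each token value, so a time modifier
               such as -24h@h cannot break or extend the query string. -->
          <link target="_blank"><![CDATA[/app/search/search?q=search%20index%3D_internal%20%7C%20table%20_time%20sourcetype&earliest=$field1.earliest|u$&latest=$field1.latest|u$]]></link>
        </drilldown>
      </single>
    </panel>
  </row>
</form>
```

Any token that carries user-controlled text into a drilldown link should get the same |u filter, since an unencoded value can add its own parameters to the target URL.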