Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to pass dates from table drilldown into earliest in new dashboard?

ipicbc
Explorer
‎03-28-2017 08:36 AM

In dashboard A, I have a table, and the drilldown passes 2 variables like this :` 

<drilldown target="blank">
<link>came_log_viewer_drilldown?form.inhost=$row.host$&amp;form.intime=$row._time$</link>
</drilldown>

In the receiving dashboard (came_log_viewer_drilldown) the query for the resulting table looks like this :

<query>index=camlog host=$form.inhost$ log_level=* | table log_timestamp host log_level log_thread log_msg | sort log_timestamp</query>
<earliest>$form.intime$</earliest>

This works fine with both tokens getting passed over correctly. HOWEVER, I need to subtract 60 seconds from the earliest time on the 2nd dashboard table. I think that I want to run an eval which says something like $form.intime$-60s. I don't see a way of running an eval unless I put the earliest inside the body of the query - when I do that it fails, and I cannot find any way to make it work.

Thanks for any advice!

0 Karma
Reply

niketn
Legend
‎03-28-2017 12:43 PM

@ipicbc please try adding the following in your drilldown to populate adjusted
Option 1 - Use eval option to calculate clicked time -30 seconds.

<drilldown target="blank">
   <eval token="adjustedEarliestTime">relative_time($click.value$,"30s")</eval>
   <link>came_log_viewer_drilldown?form.inhost=$row.host$&amp;form.intime=$adjustedEarliestTime$</link>
</drilldown>

Refer to Splunk Documentation for tokens available in Dynamic Drilldown, which mentions that _time if present will be $click.value$ : http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_dynamic_drilldow...

Option 2
Calculate AdjustedEarliestTime in your Splunk search

| eval AdjustedEarliestTime=relative_time(_time,"-30s")

Using fields option for table display only the required fields and make AdjustedEarliestTime as hidden.

<fields>_time, YourField1, YourField2</fields>

When you perform drilldown you can search for $row.AdjustedEarliestTime$ to pass on the value to external link.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

lguinn2
Legend
‎03-28-2017 12:06 PM

First have you tried this in your target form?

 <earliest>$form.intime$-60s</earliest>

I believe the above may work and solve the problem. But if it doesn't work, I would try using this in the target form:

<form>
  <label>Example</label>
  <init>
    <eval token="newTime">relative_time($intime$,-60s)</set>
  </init>

Then, in the later in the dashboard, use $newTime$ instead of $form.intime$

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...