Drilldown: Use starttime of bar in timechart as `earliest` field in subsequent search

viggor
Path Finder

After spending hours unsuccessfully searching Splunk Answers for a solution, I would like to phrase my question:

I have a timechart which I display in a dashboard.
When I click on a bar, I would like a new search to be triggered with the time interval matching that of the clicked bin in the timechart.

Unfortunately, using

<drilldown>
     <set token="tok_ear">$earliest$</set>
     <set token="tok_lat">$latest$</set>
</drilldown>

does not give me the time interval of the clicked bin, but that of the whole timechart query.

On the other hand

$click.value$

does give me the right start time, but in the following format

2017-09-29T01:00:00.000-04:00

which I then can't use to set my field

      <earliest></earliest>
      <latest></latest>

in the query.

I could reformat the $click.value$ string to the expected epoch format, using

strftime("2017-09-27T22:04:00.000-04:00", "%Y-%m-%dT%H:%M:%S.%3N-%:z")

but I don't know if I can run this command as a script in the dashboard xml.

Does anybody have a solution for this? I am a bit amazed that this is such a struggle; it seems like a common use case.

0 Karma

niketn
Legend

@viggor, if the default drilldown tokens for charts, i.e. $earliest$ and $latest$, are defaulting to the search time range instead of the clicked row's value, it implies that you do not have the _time field available. Please make sure your final search command is timechart or chart with the _time field. Please refer to the Splunk documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#chart_2

Following is a run-anywhere search based on the Splunk _internal index.


<form>
  <label>Chart Drilldown default tokens earliest and latest</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| timechart span=1h count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <set token="earliestTime">$earliest$</set>
          <set token="latestTime">$latest$</set>
          <set token="eventCount">$click.value2$</set>
          <eval token="duration">$latest$-$earliest$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          Earliest: $earliestTime$<br/>
          Latest: $latestTime$<br/>
          Duration: $duration$<br/>
          Events: $eventCount$
        </div>
      </html>
    </panel>
  </row>
</form>

PS: Please change accordingly for your use case. If this does not work, please provide your existing Splunk search query.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rjthibod
Champion

First, $earliest$ should work if you are clicking on the segments (not the legend) and you are properly generating the time values for the search. You would need to share more information about the top-level search in order to troubleshoot that a little more.

Using your current drilldown approach with $click.value$, you can wrap the strptime step in an <eval> block if you are on Splunk 6.3 or newer. You need to know the charting time span in order to get the value for latest, so that gets back to the original issue of how you are generating the data using timechart or chart. Lastly, you want strptime, not strftime.

<drilldown>
  <eval token="tok_ear">strptime("'click.value'", "%Y-%m-%dT%H:%M:%S.%3N-%:z")</eval>
  <eval token="tok_lat">'tok_ear' + 'row._span'</eval>
</drilldown>

viggor
Path Finder

Hi rjthibod, thanks a lot for your comment.
I tried to use

<drilldown>
  <eval token="tok_ear">strptime("'click.value'", "%Y-%m-%dT%H:%M:%S.%3N-%:z")</eval>
</drilldown>

but the tok_ear variable does not seem to be defined.

0 Karma
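Putting the pieces of this thread together, the following is an added run-anywhere example written for this page; it is not code from any of the posters. The drilldown quotes $click.value$ so that eval receives a string, parses it with strptime using the %:z variable so the UTC offset and its sign are parsed rather than hard-coded, and adds the _span field that timechart emits in each result row to get the end of the clicked bin. It assumes Splunk 6.3 or newer for <eval> in drilldowns (as rjthibod notes), that $row._span$ is exposed to the drilldown, and the token names tok_ear and tok_lat are just the ones used in the question.

```xml
<form>
  <label>Timechart drilldown: clicked bin as earliest/latest (added example)</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| timechart span=1h count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- $click.value$ is the X-axis time of the clicked bin as an ISO-8601
               string such as 2017-09-29T01:00:00.000-04:00. Quoting it makes eval
               treat it as a string; %:z consumes the +hh:mm / -hh:mm offset. -->
          <eval token="tok_ear">strptime("$click.value$", "%Y-%m-%dT%H:%M:%S.%3N%:z")</eval>
          <!-- timechart emits _span (bin width in seconds, 3600 here) per row.
               Both tokens are computed from the click directly, so neither
               depends on the other being set first. -->
          <eval token="tok_lat">strptime("$click.value$", "%Y-%m-%dT%H:%M:%S.%3N%:z") + $row._span$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <!-- Hidden until a bar has been clicked -->
    <panel depends="$tok_ear$">
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by component</query>
          <earliest>$tok_ear$</earliest>
          <latest>$tok_lat$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Both tokens end up as epoch seconds, which is the form <earliest> and <latest> accept, so the second panel is scoped to exactly the clicked bin.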