Dashboards & Visualizations

Why is the drilldown giving "INVALID EARLIEST_TIME" on the bar graph?

joydeep741
Path Finder

Whenever I click on a bar of a bar graph, it drills down to the search page with an error "invalid earliest_time".
How do I correct this invalid earliest_time error?

THE TIME PICKER ON MY DASHBOARD

<input type="time" token="field3">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>

THE BAR GRAPH PANEL ON MY DASHBOARD

<chart>
  <search>
    <query>index=abc sourcetype=xyz | dedup number | bucket _time span=$field2$ | stats count by _time | tail 7 | eval Target=$IncidentTitle$ | fieldformat _time=strftime(_time, "$BarChartFormat$") | reverse</query>
    <earliest>$field3.earliest$</earliest>
    <latest>$field3.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <option name="charting.axisY2.enabled">0</option>
  <option name="charting.axisY2.scale">linear</option>
  <option name="charting.chart">column</option>
  <option name="charting.chart.overlayFields">Target</option>
  <option name="charting.chart.showDataLabels">none</option>
  <option name="charting.drilldown">all</option>
  <option name="charting.layout.splitSeries">0</option>
  <option name="trellis.enabled">0</option>
  <option name="trellis.size">large</option>
  <option name="trellis.splitBy">_aggregation</option>
</chart>
0 Karma
1 Solution

rvany
Communicator

The problem is you are changing the value of _time using a format of %m%y (right?). That way Splunk is not able to transfer the right value.

If you need this format for visualization, you can create a different field and format that.

index=abc sourcetype=xyz
|dedup number
|bucket _time span=$field2$
|eval my_time=strftime(_time, "$BarChartFormat$")
|stats count by my_time
|tail 7
|eval Target=$IncidentTitle$
|reverse

Maybe give this a try.


0 Karma

joydeep741
Path Finder

Super Thanks ..!!

It worked. 🙂

0 Karma

niketn
Legend

@joydeep741, you are missing some really important details that would be required for us to assist you.
Can you give a sample value for
1) span=$field2$
2) fieldformat _time=strftime(_time, "$BarChartFormat$")

And what is your current <drilldown> code for the chart?
Have you printed the tokens using <html><panel> or <panel><title> section to see if they have expected values on drilldown?

There seems to be some issue with $latest$ and $row._span$ tokens (I am unable to find the question which had this answer; @rjthibod @frobinson, can you help?).

Meanwhile, the workaround will be to use $earliest$ and $earliest$+$tokSpan$, where $tokSpan$ is in seconds coming from your Span dropdown.

<input type="dropdown" token="tokSpan" searchWhenChanged="true">
  <label>Select Span</label>
  <choice value="3600">Hourly</choice>
  <choice value="86400">Daily</choice>
  <default>3600</default>
</input>

Following is a run-anywhere example which sets the earliest and latest tokens on chart drilldown and uses the same in another search:

<form>
  <label>Timechart drilldown with String Time to Epoch</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tokSpan" searchWhenChanged="true">
      <label>Select Span</label>
      <choice value="3600">Hourly</choice>
      <choice value="86400">Daily</choice>
      <default>3600</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$tok_earliest$ - $tok_latest$ - $tok_span$</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd
| bin _time span=$tokSpan$
| stats count by _time
| reverse</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.overlayFields">Target</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">_aggregation</option>
        <drilldown>
          <set token="tok_earliest">$earliest$</set>
          <eval token="tok_latest">$earliest$+$tokSpan$</eval>
          <set token="tok_span">$tokSpan$</set>
        </drilldown>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd
| timechart count</query>
          <earliest>$tok_earliest$</earliest>
          <latest>$tok_latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">Target</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">_aggregation</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

joydeep741
Path Finder

Hi niketnilay,

1) span=$field2$

Values are like "1m", "1d", "1w" for month, day, week respectively.

2) fieldformat _time=strftime(_time, "$BarChartFormat$")

_time comes like
06-18
05-18
etc.

My URL earliest and latest values are like

earliest=06-18 latest=1530008118

This 06-18 seems to irritate Splunk and thus the invalid earliest time error.
Any idea how I can convert this to the format in which I get the "latest"?

0 Karma

rvany
Communicator

I tried your example. Had to make some assumptions due to different data. So I set span=1h and left out the Target-field (including the overlay).

Problem was then, that I got no data at all due to the _time-fieldformat, which I set to some date/time-string. During drill down I got no data, but - I also got no "invalid earliest_time" error.

You may have a look in the address field of your browser after doing the drilldown. My address contained:

earliest=1529996400.000&
latest=1529996400.001&

which of course are valid times. What's in your address?

0 Karma

joydeep741
Path Finder

Hi rvany,

My URL earliest and latest values are like

earliest=06-18& latest=1530008118

This 06-18 seems to irritate Splunk and thus the invalid earliest time error.
Any idea how I can convert this to the format in which I get the "latest"?

0 Karma
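
Added example, not part of the original thread or of Splunk's code: a Python check that flags a drilldown URL whose earliest/latest carries a display label such as 06-18 and computes the epoch value that should have been sent. Assumptions: the acceptance patterns are a simplified stand-in for Splunk's time-modifier parsing, the label uses the %m-%y format and marks a calendar month in UTC, and the host name is constructed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Assumption: simplified stand-in for Splunk's parser. Accepts epoch seconds,
# "now", and relative modifiers such as -24h@h.
EPOCH = re.compile(r"^\d+(\.\d+)?$")
RELATIVE = re.compile(r"^(now|[+-]\d+[a-z]+(@[a-z]+\d*)?|@[a-z]+\d*)$")

def is_time_modifier(value):
    """True if the value looks like something a time range can accept."""
    return bool(EPOCH.match(value) or RELATIVE.match(value))

def month_label_to_range(label, fmt="%m-%y"):
    """Turn a label such as "06-18" into (earliest, latest) epoch seconds, UTC."""
    start = datetime.strptime(label, fmt).replace(tzinfo=timezone.utc)
    if start.month == 12:
        end = start.replace(year=start.year + 1, month=1)
    else:
        end = start.replace(month=start.month + 1)
    return int(start.timestamp()), int(end.timestamp())

def check_drilldown_url(url, label_fmt="%m-%y"):
    """Classify earliest/latest in a drilldown URL and suggest an epoch value."""
    params = parse_qs(urlsplit(url).query)
    findings = {}
    for name in ("earliest", "latest"):
        value = params.get(name, [""])[0]
        if is_time_modifier(value):
            findings[name] = ("ok", value)
            continue
        try:
            lo, hi = month_label_to_range(value, label_fmt)
        except ValueError:
            findings[name] = ("invalid", value)
            continue
        # A formatted label leaked into the URL: report the epoch it stands for.
        findings[name] = ("display-label", str(lo if name == "earliest" else hi))
    return findings

# Constructed URL carrying the earliest/latest values reported in the thread.
SAMPLE = ("https://splunk.example/en-US/app/search/search"
          "?q=search%20index%3Dabc&earliest=06-18&latest=1530008118")

if __name__ == "__main__":
    for name, (status, value) in check_drilldown_url(SAMPLE).items():
        print(name, status, value)
```
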