Whenever I click on a BAR of a bar graph, it drills down to the search page with an error "invalid earliest_time".
How do I correct this invalid earliest_time error?
THE TIME PICKER ON MY DASHBOARD
<input type="time" token="field3">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
THE BAR GRAPH PANEL ON MY DASHBOARD
<chart>
<search>
<query>index=abc sourcetype=xyz |dedup number| bucket _time span=$field2$| stats count by _time|tail 7|eval Target=$IncidentTitle$|fieldformat _time=strftime(_time, "$BarChartFormat$")|reverse</query>
<earliest>$field3.earliest$</earliest>
<latest>$field3.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">Target</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="trellis.enabled">0</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
The problem is you are changing the value of _time using a format of %m%y (right?). That way Splunk is not able to transfer the right value.
If you need this format for visualization, you can create a different field and format that.
index=abc sourcetype=xyz
|dedup number
|bucket _time span=$field2$
|eval my_time=strftime(_time, "$BarChartFormat$")
|stats count by my_time
|tail 7
|eval Target=$IncidentTitle$
|reverse
Maybe you give this a try.
Super Thanks ..!!
It worked. 🙂
@joydeep741, you are missing some really important details that would be required for us to assist you.
Can you give a sample value for
1) span=$field2$
2) fieldformat _time=strftime(_time, "$BarChartFormat$")
And what is your current <drilldown> code for the chart?
Have you printed the tokens using <html><panel> or <panel><title> section to see if they have expected values on drilldown?
There seems to be some issue with $latest$ and $row._span$ tokens (I am unable to find the question which had this answer. @rjthibod @frobinson Can you help?)
Meanwhile the workaround will be to use $earliest$ and $earliest$+ $tokSpan$, where $tokSpan$ is in seconds coming from your Span dropdown.
<input type="dropdown" token="tokSpan" searchWhenChanged="true">
<label>Select Span</label>
<choice value="3600">Hourly</choice>
<choice value="86400">Daily</choice>
<default>3600</default>
</input>
Following is a run-anywhere example which sets the earliest and latest tokens on chart drilldown and uses the same in another search:
<form>
<label>Timechart drilldown with String Time to Epoch</label>
<fieldset submitButton="false">
<input type="time" token="tokTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-24h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tokSpan" searchWhenChanged="true">
<label>Select Span</label>
<choice value="3600">Hourly</choice>
<choice value="86400">Daily</choice>
<default>3600</default>
</input>
</fieldset>
<row>
<panel>
<title>$tok_earliest$ - $tok_latest$ - $tok_span$</title>
<chart>
<search>
<query>index=_internal sourcetype=splunkd
| bin _time span=$tokSpan$
| stats count by _time
| reverse</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">linear</option>
<option name="charting.chart">line</option>
<option name="charting.chart.overlayFields">Target</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">_aggregation</option>
<drilldown>
<set token="tok_earliest">$earliest$</set>
<eval token="tok_latest">$earliest$+$tokSpan$</eval>
<set token="tok_span">$tokSpan$</set>
</drilldown>
</chart>
</panel>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd
| timechart count</query>
<earliest>$tok_earliest$</earliest>
<latest>$tok_latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">Target</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
</form>
Hi niketnilay,
1) span=$field2$
Values are like "1m", "1d", "1w" for month, day, week respectively.
2) fieldformat _time=strftime(_time, "$BarChartFormat$")
_time comes like
06-18
05-18
etc
My URL earliest and latest values are like
earliest=06-18 latest=1530008118
This 06-18 seems to irritate Splunk and thus the invalid earliest time error.
Any idea how I can convert this to the format in which I get the "latest"?
I tried your example. Had to make some assumptions due to different data. So I set span=1h and left out the Target-field (including the overlay).
Problem was then, that I got no data at all due to the _time-fieldformat, which I set to some date/time-string. During drill down I got no data, but - I also got no "invalid earliest_time" error.
You may have a look in the address field of your browser after doing the drilldown. My address contained:
earliest=1529996400.000&
latest=1529996400.001&
which of course are valid times. What's in your address?
Hi rvany,
My URL earliest and latest values are like
earliest=06-18& latest=1530008118
This 06-18 seems to irritate Splunk and thus the invalid earliest time error.
Any idea how I can convert this to the format in which I get the "latest"?
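Added example, not part of the thread and not Splunk's own code: a small Python check that classifies the earliest/latest values seen in a drilldown URL, run against the two query strings quoted above, plus the earliest + span window arithmetic from the workaround. The function names are hypothetical and the patterns are a simplified approximation of accepted time values (epoch seconds, "now", relative modifiers such as -24h@h), not Splunk's parser.

```python
import re
from urllib.parse import parse_qs

# Simplified approximation (assumption): epoch seconds with optional
# fraction, "now", or a relative modifier such as -24h@h or @d.
EPOCH = re.compile(r"^\d+(\.\d+)?$")
RELATIVE = re.compile(r"^[+-]\d+[a-z]+(@[a-z]+\d?)?$|^@[a-z]+\d?$")


def classify(value):
    """Return 'epoch', 'relative' or 'invalid' for one time value."""
    if EPOCH.match(value):
        return "epoch"
    if value == "now" or RELATIVE.match(value):
        return "relative"
    return "invalid"


def check_drilldown_query(query):
    """Classify earliest and latest in a drilldown URL query string."""
    params = parse_qs(query, keep_blank_values=True)
    result = {}
    for key in ("earliest", "latest"):
        if key in params:
            result[key] = classify(params[key][0].strip())
        else:
            result[key] = "missing"
    return result


def bucket_window(earliest_epoch, span_seconds):
    """Window for one clicked bar: bucket start plus the span in seconds
    (the earliest + tokSpan arithmetic from the workaround)."""
    start = float(earliest_epoch)
    return start, start + int(span_seconds)


if __name__ == "__main__":
    # Query strings constructed from the values quoted in the thread.
    failing = "earliest=06-18&latest=1530008118"
    working = "earliest=1529996400.000&latest=1529996400.001"
    print(check_drilldown_query(failing))   # formatted _time string in earliest
    print(check_drilldown_query(working))   # both values are epoch
    print(bucket_window("1529996400.000", 3600))
```
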