How to show event in drilldown from a clickable timestamp

sachinbansal
New Member

I want to show the event in a drilldown for the specific timestamp I click on in the source dashboard table.
Please help me with this.

0 Karma
1 Solution

VatsalJagani
SplunkTrust

Hi @sachinbansal,

If you have a timechart and you want to see the events related to the point you click on, follow the steps below:

  • Click edit dashboard
  • Click on three vertical dots on the panel top-right
  • Edit drilldown
  • Select "Link to Search"
  • Keep the value "Auto" and Apply.
  • Save the dashboard; now, if you click on the chart, you will see the events related to the point you clicked on.

One thing you need to understand is that a point you see on a timechart is not necessarily related to only one event, as timechart groups the events to limit the number of data points. For example, if you choose Last 24 hours, it groups the data in 1-hour spans, and on drilldown you will see the related events.

But if you want to use some other dashboard or panel to show them, you can use $earliest$ and $latest$ to get the earliest and latest values; use them as below in the drilldown.

<drilldown>
    <link target="_blank">/app/my_app/new_dashboard?earliest=$earliest$&amp;latest=$latest$</link>
</drilldown>

Hope this helps!!!

0 Karma

sachinbansal
New Member

Hi,

I completely understand your point but my objective is different.
I have a table in the source dashboard, and when I click anywhere in any row, it should show the complete event of that selected row (or, you can say, the particular event from which those row values are extracted) in the drilldown search. In the table I have statistical data, but in the drilldown search I want the full event.
I have a _time column in my table, so I tried to use '|where _time=$click.value$', but it is not working.

Thanks a lot!!

0 Karma

VatsalJagani
SplunkTrust

If you want to use click.value, then the _time field should be the first column of your table; if it is not, use $row._time$ instead. And _time should not be in epoch format only not in string. If it is converted, then you can try converting it back to epoch format, as suggested by @niketn in the comment, with an eval such as <eval token="earliest_time">strptime($click.value$, <format of the string>)</eval>.

<drilldown>
  <eval token="latest_time">$click.value$+$row._span$</eval>
  <link target="_blank">/app/my_app/search?q=index=_internal&amp;earliest=$click.value$&amp;latest=$latest_time$</link>
</drilldown>
0 Karma
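
A complete table panel for the row-to-full-event case discussed in this thread, as an added example that is not from any poster. It assumes the thread's placeholder app name my_app, a constructed search over index=_internal, and a hypothetical hidden field event_epoch that carries the raw epoch time so the drilldown does not depend on how _time is rendered or on which cell was clicked.

```xml
<dashboard>
  <label>Row to raw event drilldown (added example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Constructed search: one row per event, with _time copied into
               event_epoch (hypothetical field name) as a plain epoch number -->
          <query>index=_internal sourcetype=splunkd log_level=ERROR
| eval event_epoch=_time
| table _time component log_level event_epoch</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Display only these columns; event_epoch is hidden from view but
             still readable in the drilldown as $row.event_epoch$ -->
        <fields>["_time","component","log_level"]</fields>
        <!-- Clicking anywhere in a row triggers the drilldown -->
        <option name="drilldown">row</option>
        <drilldown>
          <!-- One-second window that starts at the clicked row's event time -->
          <eval token="dd_latest">$row.event_epoch$ + 1</eval>
          <!-- Literal "&" must be written as &amp; inside Simple XML; the |u
               token filter URL-encodes the row value placed in the query -->
          <link target="_blank">/app/my_app/search?q=search%20index%3D_internal%20sourcetype%3Dsplunkd%20component%3D%22$row.component|u$%22&amp;earliest=$row.event_epoch$&amp;latest=$dd_latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

The one-second window can still contain several events, which is why the link also filters on a second column from the clicked row.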

sachinbansal
New Member

@VatsalJagani - It worked. Thanks a lot 🙂

0 Karma

VatsalJagani
SplunkTrust

@sachinbansal - Nice to hear that. Please approve and up-vote if you like it, so future users get the benefit. Thanks!!!

0 Karma

sachinbansal
New Member

Accepted your answer. Anything else I need to do?

0 Karma

VatsalJagani
SplunkTrust

No. Thanks a lot!! If you like it, up-vote the answer. I hope you are getting proper guidance from the Splunk-Answers community.

0 Karma

sachinbansal
New Member

Yes. Thanks.

0 Karma

niketn
Legend

@sachinbansal, if your ask is to get the earliest and latest from a timechart table, you can refer to the following workaround-based answer: https://answers.splunk.com/answers/587132/drilldown-pass-the-earliest-and-latest-from-a-time.html

<drilldown>
    <eval token="drilldown.earliest">strptime($row._time$,"%Y-%m-%d %H:%M:%S")</eval>
    <eval token="drilldown.latest">strptime($row._time$,"%Y-%m-%d %H:%M:%S") + $row._span$</eval>
</drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sachinbansal
New Member

Hi Niketn,
I do not want to pass earliest and latest from a timechart table. I want that when I click on any row in the table, it should drill down to that particular full event.

Regards,
Sachin

0 Karma

gcusello
SplunkTrust

Hi sachinbansal,
I suggest looking at the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ), where you can find very useful examples of how to drill down from a table.
Anyway, let me understand:

  • you have a list of events in a dashboard panel,
  • you want to click on one of these events
  • and search in a different dashboard passing as parameter the timestamp of the clicked events

Correct?

If this is your request, you have to insert this section in the main dashboard, in your panel's source:

<drilldown>
   <link target="_blank">/app/my_app/new_dashboard?_time=$click.value2$</link>
</drilldown>

Then in the secondary dashboard, you have to insert the token.

Bye.
Giuseppe

0 Karma

sachinbansal
New Member

Hi Giuseppe,

When I click on a table row, the drilldown should show me that event in full.

Regards,
Sachin

0 Karma

richgalloway
SplunkTrust

More information would be helpful, but it could be as simple as passing $row._time$ to your drilldown search.

---
If this reply helps you, Karma would be appreciated.
0 Karma

sachinbansal
New Member

I tried "where _time=$clicked.value$ (where I click on the timestamp)" in the drilldown search, but it is not working.

0 Karma

sachinbansal
New Member

@richgalloway - How do I pass that?

0 Karma

richgalloway
SplunkTrust

The correct term is $click.value$, but that assumes the user clicked on a cell with a time in it. That's why I suggested $row._time$. See https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/DrilldownIntro for more.

---
If this reply helps you, Karma would be appreciated.
0 Karma