Solved: Is it possible to display events of multiple _time...

MBehm · ‎11-25-2019

I am trying to build a decent drilldown option and my current state is the following.

I have a timechart with the number of occurrences of multiple messageID's
If I click on one of my bars I am able to find the three "one-hour-timespans" with the highest count of events. (this way I am trying to get the timespans with the highest possibility, of containing the reason for an anomaly.)

The search:

index="myIndex" AND MVSMSG=ICH70001I earliest=$earliest$ latest=$latest$ | timechart  COUNT  span=1h  | sort  -COUNT   | head  3

But what I'd like to do is, that the events of the three timespans are displayed, when I click on one of the bars.

Is that possible and how? I played around a lot with the map-command and some other things, but it seems I'm not able to do this on my own.

Thanks in advance.

gcusello · ‎11-26-2019

Hi @MBehm,
if I correctly understood your request, you should pass in drilldown the value on click and the extremes of time period.
In my dashboard the Time Picher's Token is named "Time", so in drilldown put:

<drilldown>
     <link>your_drilldown_dashboard?token=$click.value2$&TimeDa=$Time.earliest$&TimeA=$Time.latest$</link>
</drilldown>

Then in the drilldown dashboard you have to call the three tokens.

Remember that if you manually modify code in Splunk editor, when you have & you have to insert &

Ciao.
Giuseppe

View solution in original post

woodcock · ‎11-27-2019

You are overcomplicating things. You already know what your base search is that is in front of your timechart command and you already have your timepicker fields as tokens, so just hardcode your drilldown as

<drilldown>
    <link target="_blank">search?q=index="myIndex" AND MVSMSG=ICH70001I earliest=$earliest$ latest=$latest$</link>
</drilldown>

gcusello · ‎11-26-2019

Hi @MBehm,
if I correctly understood your request, you should pass in drilldown the value on click and the extremes of time period.
In my dashboard the Time Picher's Token is named "Time", so in drilldown put:

<drilldown>
     <link>your_drilldown_dashboard?token=$click.value2$&TimeDa=$Time.earliest$&TimeA=$Time.latest$</link>
</drilldown>

Then in the drilldown dashboard you have to call the three tokens.

Remember that if you manually modify code in Splunk editor, when you have & you have to insert &

Ciao.
Giuseppe

MBehm · ‎11-29-2019

Thank you very much !
I was just not thinking about another Dashboard.
Works fine, the way you mentioned it. 🙂

yuanliu · ‎11-25-2019

Maybe you can give an example of your desired resultant search? If I understand it correctly, you want some sort of search according to the messageID you click. If so, you can set up a custom search/panel using the token $click.value2$ as value of messageID.

MBehm · ‎11-25-2019

I'm already using the token. The part "MVSMSG=ICH70001I" of my given search is the "click.value2$" value. So I got this part.

My idea was to somehow get these messages (the ones with MVSMSG=$click.value2$), which were issued in the three time spans I selected.

But I wasn't able to find out if it is even possible to display events of time spans that are not contiguous.

Is it possible to display events of multiple _time-values at once?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life