Splunk Enterprise Security

Eval for passing String format Time value to Number format to drill down panel through tokens $row.time$

potnuru
Path Finder

While using the drill-down from dashboard panel1 to panel2, I want to pass the Time from panel1 to panel2 when a user clicks on the selected row in the panel.

I am displaying time in String format in panel1 and I want to pass the time in number format to panel2. For that I am using the eval function in tokens:
eval time_number=strptime(time_number,"%Y%m%d %H:%M:%S")

But I am not getting the same time value in panel2 from panel1 while using the above eval. If I pass the time as a number directly from panel1 to panel2, I am able to see the same value reflected in panel2. I don't want to show the time in number format in panel1.

Please let me know how it can be handled.

1 Solution

kamlesh_vaghela
SplunkTrust

@potnuru

You can use different columns for both purposes.
Please check the XML below for the same. Here, _time_number is used for the time as a number and time_number for the time in readable format.

<dashboard>
  <label>Panel to Panel</label>
  <row>
    <panel>
      <table>
        <title>Panel 1</title>
        <search>
          <query>| makeresults count=3 | eval Data=1 | accum Data | eval time_number=strftime(_time+Data,"%Y%m%d %H:%M:%S") 
| rename comment as "Upto this is for data generation only" 
| eval _time_number=strptime(time_number,"%Y%m%d %H:%M:%S") </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <!-- _time_number holds the epoch; the leading underscore keeps it out of the rendered table -->
          <set token="clicked_value">$row._time_number$</set>
        </drilldown>
        <!-- Only Data is rendered; every field returned by the search is still reachable as $row.fieldname$ -->
        <fields>Data</fields>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Panel 2</title>
        <search>
          <query>| makeresults | eval clicked_value="$clicked_value$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>


niketn
Legend

@potnuru if your intent is to display human-readable string time in the table but drill down using the epoch time, then there are four options you can use, including the one suggested by @kamlesh_vaghela, which is available as an example in the Splunk Dashboard Examples app on Splunkbase.
As you will notice, all four tables in the screenshot below show time as a string in the table; however, the drilldown token in the table title is the epoch.

[Screenshot: four tables displaying string time, each with the clicked row's epoch shown in the table title]

Option 1: if _time is the first field in the table, then use the $click.value$ table drilldown token to access the epoch time.
Option 2: the table <drilldown> event handler can have an <eval> section to convert the string time in the table and set the token as epoch time.
Option 3: create a separate field for the epoch timestamp apart from the string timestamp field displayed in the table. Make the epoch timestamp field hidden by prefixing the field name with an underscore character. In the example it is _hiddenTimeEpochForDrilldown.
Option 4: hide the field through the <fields> option of the <table> Simple XML configuration. If, out of 3 fields in the table, only 2 are listed in the fields section, then the third field is still available for drilldown but is not displayed in the table. In the following example it is <fields>["time_number","data"]</fields>. (Kamlesh has also posted the same example.)

Following is a run anywhere dashboard with examples of all four approaches:

<dashboard>
  <label>Table with Time Drilldown</label>
  <row>
    <panel>
      <title>Option 1 - if _time is the first field in table then use click.value table drilldown token to access epoch time</title>
      <table>
        <title>Clicked row Time Epoch: $tokTimeNumberOption1$</title>
        <search>
          <query>| makeresults count=5
| eval data=random(), data=substr(data,0,3), delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| table _time data</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="tokTimeNumberOption1">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel>
      <title>Option 2 - drilldown eval to set token as epoch</title>
      <table>
        <title>Clicked row Time Epoch: $tokTimeNumberOption2$</title>
        <search>
          <query>| makeresults count=5
| eval data=random(), data=substr(data,0,3), delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| rename _time as time_number
| table time_number data
| eval time_number=strftime(time_number,"%Y/%m/%d %H:%M:%S")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <eval token="tokTimeNumberOption2">strptime($row.time_number$,"%Y/%m/%d %H:%M:%S")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 3 - keep epoch time field hidden by prefixing fieldname with underscore and use for drilldown</title>
      <table>
        <title>Clicked row Time Epoch: $tokTimeNumberOption3$</title>
        <search>
          <query>| makeresults count=5
| eval data=random(), data=substr(data,0,3), delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| rename _time as time_number
| table time_number data
| eval _hiddenTimeEpochForDrilldown=time_number
| eval time_number=strftime(time_number,"%Y/%m/%d %H:%M:%S")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="tokTimeNumberOption3">$row._hiddenTimeEpochForDrilldown$</set>
        </drilldown>
      </table>
    </panel>
    <panel>
      <title>Option 4 - hidden field through &lt;fields&gt; table SimpleXML configuration option</title>
      <table>
        <title>Clicked row Time Epoch: $tokTimeNumberOption4$</title>
        <search>
          <query>| makeresults count=5
| eval data=random(), data=substr(data,0,3), delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| rename _time as time_number
| table time_number data
| eval hiddenTimeEpochForDrilldown=time_number
| eval time_number=strftime(time_number,"%Y/%m/%d %H:%M:%S")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <fields>["time_number","data"]</fields>
        <drilldown>
          <set token="tokTimeNumberOption4">$row.hiddenTimeEpochForDrilldown$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Please try them out and confirm. Hope at least one option works out for you! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

potnuru
Path Finder

Hi @niketnilay

Thank you so much for your explanation. It not only helped me in fulfilling my requirement but also gave me an idea of how to deal with time tokens in different ways.

I liked Option 2 most of all the options, but there is one problem with Option 2: it is changing the actual Time (even though _time is the same in all the Panels 1, 2, 3 and 4, the epoch time of Panel 2 is different). Could you please check and let me know how to deal with it?

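The Option 2 behaviour reported above is what you get whenever a timestamp is formatted to a string that carries no zone offset (the "%Y/%m/%d %H:%M:%S" format used in the thread) and parsed back somewhere that assumes a different zone: the wall-clock digits survive, the epoch does not. The following is an added illustration in Python, not code from the thread or from Splunk. The helpers format_epoch, parse_string, round_trip, build_row, visible_columns and drilldown_token are hypothetical names, the epoch and the two zones are constructed sample values, and build_row mimics the hidden underscore-prefixed column that Options 3 and 4 carry alongside the displayed string. It goes slightly beyond the thread by also showing that a format with an explicit %z offset round-trips regardless of the parser's zone.

```python
# Added example, not from the original thread or from Splunk.
# Shows why a zone-less time string may not parse back to the epoch it was
# formatted from, and how carrying the raw epoch in a hidden column sidesteps
# the problem. All names and values below are constructed for illustration.
from datetime import datetime, timedelta, timezone

FMT = "%Y/%m/%d %H:%M:%S"        # format from the thread: no zone offset
FMT_TZ = "%Y/%m/%d %H:%M:%S %z"  # same format plus an explicit offset

# Constructed sample values: one epoch, two zones 5h30 apart.
EPOCH = 1700000000               # 2023-11-14 22:13:20 UTC
UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30))


def format_epoch(epoch: int, tz: timezone, fmt: str = FMT) -> str:
    """strftime equivalent: render the epoch as wall-clock time in tz."""
    return datetime.fromtimestamp(epoch, tz).strftime(fmt)


def parse_string(s: str, assumed_tz: timezone, fmt: str = FMT) -> int:
    """strptime equivalent. If the string carries no offset, the parser has
    to assume one; that assumption is where the drift comes from."""
    dt = datetime.strptime(s, fmt)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=assumed_tz)
    return int(dt.timestamp())


def round_trip(epoch: int, format_tz: timezone, parse_tz: timezone,
               fmt: str = FMT) -> int:
    """Format in one zone, parse under another, return the resulting epoch."""
    return parse_string(format_epoch(epoch, format_tz, fmt), parse_tz, fmt)


def build_row(epoch: int, display_tz: timezone) -> dict:
    """Mimic the search-side row of Options 3/4: a readable column for display
    plus an underscore-prefixed epoch column the table does not render."""
    return {
        "time_number": format_epoch(epoch, display_tz),
        "_time_number": epoch,
        "data": 123,
    }


def visible_columns(row: dict) -> list:
    """Columns a table would show: underscore-prefixed ones are hidden."""
    return [k for k in row if not k.startswith("_")]


def drilldown_token(row: dict) -> int:
    """What $row._time_number$ would hand to the second panel."""
    return row["_time_number"]


if __name__ == "__main__":
    print("same zone      :", round_trip(EPOCH, IST, IST) == EPOCH)
    print("IST -> UTC     :", round_trip(EPOCH, IST, UTC) - EPOCH, "seconds off")
    print("with %z        :", round_trip(EPOCH, IST, UTC, FMT_TZ) == EPOCH)
    row = build_row(EPOCH, IST)
    print("displayed      :", visible_columns(row))
    print("token == epoch :", drilldown_token(row) == EPOCH)
```

Formatting in IST and parsing as UTC shifts the result by the full 19800-second offset, which is the kind of constant, per-row difference a string round-trip produces; the hidden epoch column returns exactly the original value with no parsing at all, which is why Options 3 and 4 (and Kamlesh's _time_number field) are the safer choice when the value must survive unchanged.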


potnuru
Path Finder

Thank you Kamlesh for your answer, but my requirement here is not to show time_number in panel1.


kamlesh_vaghela
SplunkTrust

@potnuru

You can use the <fields> tag to restrict the fields displayed in Panel 1. Please check the code below in my updated answer and try it.

<fields>Data</fields>

Please let me know whether it helps you or not.


potnuru
Path Finder

Yes, we can restrict the fields displayed in Panel1, but if we are not displaying time_number in Panel1, how can we pass that parameter to Panel2?


kamlesh_vaghela
SplunkTrust

@potnuru

Regardless of whether time_number is displayed in the table as a column, we can use $row.time_number$ to access the time_number field value. You just have to make sure your search has the time_number field.


potnuru
Path Finder

It's not working. If I remove the field time_number from panel1 using the | fields - time_number command, then I am not able to access the $row.time_number$ token.


kamlesh_vaghela
SplunkTrust

Yes @potnuru, here you can see the _time_number field in my example. Create that field in your search and use it in the drilldown.

     <drilldown>
       <set token="clicked_value">$row._time_number$</set>
     </drilldown>

potnuru
Path Finder

It's working now, Kamlesh. Thank you for the help.
All the time I was thinking about the fields command in the search query and not the tag, as I was completely unaware of it 🙂


potnuru
Path Finder

Is it? I will check and let you know whether it worked. Thank you.
