Solved: Using output of bucket command for new search

anapp · ‎10-05-2021

My biggest problem here is probably phrasing the question 🙂

I have a search in a dashboard that buckets things into a 30day time span, displayed in a barchart

e.g.

30-60 --------------------------

60-90 ------------------------------------

120-150 -----

so that's days bucketed against a count of "things"

I'd like to setup a drill down so that the panel below shows the specific "things" in the clicked bucket.

Drill down is currently set to set a token, but obviously that token is being set to something like "90-120"

how do I utilize this in a meaningful manner? i.e. form a search where Days >= lower limit of bucket AND <= higher limit of the bucket.

Any help or hints would be appreciated 🙂

anapp · ‎10-06-2021

Ok I have fudged it but would like to know a better way 🙂 (My bucketing is such that 90-120 is the shortest possible result)

<eval token="bucketmin">if(len($click.value$)=7, substr($click.value$, 1, 3),substr($click.value$, 1, 2))</eval>
<eval token="bucketmax">if(len($click.value$)=7, substr($click.value$, 5, 3),substr($click.value$, 4, 3))</eval>

I can then run a search against

days >=$bucketmin$ AND days <=$bucketmax$

View solution in original post

anapp · ‎10-06-2021

Ok I have fudged it but would like to know a better way 🙂 (My bucketing is such that 90-120 is the shortest possible result)

<eval token="bucketmin">if(len($click.value$)=7, substr($click.value$, 1, 3),substr($click.value$, 1, 2))</eval>
<eval token="bucketmax">if(len($click.value$)=7, substr($click.value$, 5, 3),substr($click.value$, 4, 3))</eval>

I can then run a search against

days >=$bucketmin$ AND days <=$bucketmax$

Using output of bucket command for new search

drilldown

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?