Running Splunk 6.3.10
I'm running into an issue trying pass a custom time to a drilldown for a table. The search runs over the Last 24 Hours, and has events with a _time field. I want the tracker_drilldown form to run all of its searches based on the 30 minutes leading up to the _time field for the row I'm clicking on.
I've attempted that with the following, $click.value$ is the _time value of the row I'm clicking on:
<drilldown target="blank">
<eval token="e">tonumber($click.value$-1800)</eval>
<link>
<![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
</link>
</drilldown>
I'm trying to build a timestamp 1800 seconds before the end of the time range, but when tracker_drilldown gets pulled up, the Earliest time in the time picker is simply $e$.
Any ideas what is wrong with the eval expression that it isn't properly creating the token to use in the form?
Additional Info:
Here is a simplified representation of what the table I'm driving off of contains:
_time..............................Account_Domain....................TIME
2017-06-30 22:22:00......CORPTST.................................1498875720
Excuse my poor formatting, couldn't get the HTML I was trying to show up
... View more