How to build a form that does a drilldown to events around the selected event timestamp

yannK — Tue, 27 Sep 2016 20:02:50 GMT

1 - show a list of results
2 - click on one of them to select the timestamp
3 - populate a panel that will show the events from another search, but look at all events around the time of the selected one.

example : show me events 10 minutes before and after the selected one

Re: How to build a form that does a drilldown to events around the selected event timestamp

yannK — Tue, 27 Sep 2016 20:05:52 GMT

see this dashboard.
We use the field "epochtime" (in seconds) from the first table to use as a drilldown condition.
the second panel is populated by a search that uses a subsearch to craft a condition looking 10 minutes earliest and 10 minutes latest around the epochtime

link text

<dashboard>
  <label>time-drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal source=*splunkd.log ERROR | head 10 
            | eval epochtime=_time | table source _time epochtime _raw</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">false</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="wrap">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="epochtime">$row.epochtime$</set>
        </drilldown>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <table depends="$epochtime$">
      <title>$epochtime$</title>
      <search>
        <query>index=_internal    [  
  search                              index=_internal 
| head 1  | eval earliest=$epochtime$ - 600 | eval latest= $epochtime$ + 600 
          | table earliest latest           | format "(" "(" "" ")" "OR" ")"              ]

| table _time source</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</dashboard>

topic How to build a form that does a drilldown to events around the selected event timestamp in Getting Data In

How to build a form that does a drilldown to events around the selected event timestamp

Re: How to build a form that does a drilldown to events around the selected event timestamp