topic Re: Is it possible to display events of multiple _time-values at once? in Splunk Search

Is it possible to display events of multiple _time-values at once?

MBehm — Mon, 25 Nov 2019 12:03:03 GMT

I am trying to build a decent drilldown option and my current state is the following.

I have a timechart with the number of occurrences of multiple messageID's
If I click on one of my bars I am able to find the three "one-hour-timespans" with the highest count of events. (this way I am trying to get the timespans with the highest possibility, of containing the reason for an anomaly.)

The search:

index="myIndex" AND MVSMSG=ICH70001I earliest=$earliest$ latest=$latest$ | timechart  COUNT  span=1h  | sort  -COUNT   | head  3

But what I'd like to do is, that the events of the three timespans are displayed, when I click on one of the bars.

Is that possible and how? I played around a lot with the map-command and some other things, but it seems I'm not able to do this on my own.

Thanks in advance.

Re: Is it possible to display events of multiple _time-values at once?

yuanliu — Tue, 26 Nov 2019 00:21:16 GMT

Maybe you can give an example of your desired resultant search? If I understand it correctly, you want some sort of search according to the messageID you click. If so, you can set up a custom search/panel using the token $click.value2$ as value of messageID.

Re: Is it possible to display events of multiple _time-values at once?

MBehm — Tue, 26 Nov 2019 06:14:07 GMT

I'm already using the token. The part "MVSMSG=ICH70001I" of my given search is the "click.value2$" value. So I got this part.

My idea was to somehow get these messages (the ones with MVSMSG=$click.value2$), which were issued in the three time spans I selected.

But I wasn't able to find out if it is even possible to display events of time spans that are not contiguous.

Re: Is it possible to display events of multiple _time-values at once?

gcusello — Tue, 26 Nov 2019 11:58:50 GMT

Hi @MBehm,
if I correctly understood your request, you should pass in drilldown the value on click and the extremes of time period.
In my dashboard the Time Picher's Token is named "Time", so in drilldown put:

<drilldown>
     <link>your_drilldown_dashboard?token=$click.value2$&TimeDa=$Time.earliest$&TimeA=$Time.latest$</link>
</drilldown>

Then in the drilldown dashboard you have to call the three tokens.

Remember that if you manually modify code in Splunk editor, when you have & you have to insert &

Ciao.
Giuseppe

Re: Is it possible to display events of multiple _time-values at once?

woodcock — Wed, 27 Nov 2019 20:46:49 GMT

You are overcomplicating things. You already know what your base search is that is in front of your timechart command and you already have your timepicker fields as tokens, so just hardcode your drilldown as

<drilldown>
    <link target="_blank">search?q=index="myIndex" AND MVSMSG=ICH70001I earliest=$earliest$ latest=$latest$</link>
</drilldown>

Re: Is it possible to display events of multiple _time-values at once?

MBehm — Fri, 29 Nov 2019 09:26:59 GMT

Thank you very much !
I was just not thinking about another Dashboard.
Works fine, the way you mentioned it. 🙂