topic Re: Drilldown: Use starttime of bar in timechart as `earliest` field in subsequent search in Splunk Search

Drilldown: Use starttime of bar in timechart as `earliest` field in subsequent search

viggor — Fri, 29 Sep 2017 23:12:09 GMT

After spending hours unsuccessfully searching the splunk answers for a solution I would like to phrase my question:

I have a timechart which I display in a dashboard.
When I click on a bar, I would like that a new search is triggered with the time interval matching that of the clicked bin in the timechart.

Unfortunately, using

<drilldown>
     <set token="tok_ear">$earliest$</set>
     <set token="tok_lat">$latest$</set>
</drilldown>

does not give me the timeinterval of the clicked bin, but of the whole timechart query.

On the other hand

$click.value$

does give me right start time, but in the following format

2017-09-29T01:00:00.000-04:00

which I then can't use to set my field

      <earliest></earliest>
      <latest></latest>

in the query.

I could reformat the $click.value$ string to the expected epoch format, using

strftime("2017-09-27T22:04:00.000-04:00", "%Y-%m-%dT%H:%M:%S.%3N-%:z")

but I don't know if I can run this command as a script in the dashboard xml.

Does anybody have a solution for this? I am a bit amazed that this is such a struggle, seams like a common use-case.

Re: Drilldown: Use starttime of bar in timechart as `earliest` field in subsequent search

rjthibod — Sat, 30 Sep 2017 10:21:53 GMT

First, $earliest$ should work if you are clicking on the segments (not the legend) and you are properly generating the time values for the search. You would need to share more information about the top-level search in order to troubleshoot that a little more.

Using your current drilldown approach with $click.value$ , you can wrap the strptime step in an <eval> block if you are on Splunk 6.3 or newer. You need to know the charting time span in order to get the value for latest, so that gets back to the original issue of how are you generating the data using timechart or chart. Lastly, you want strptime, not strftime.

<drilldown>
  <eval token="tok_ear">strptime("'click.value'", "%Y-%m-%dT%H:%M:%S.%3N-%:z")</eval>
  <eval token="tok_lat">'tok_ear' + 'row._span'</eval>
</drilldown>

Re: Drilldown: Use starttime of bar in timechart as `earliest` field in subsequent search

niketn — Tue, 29 Sep 2020 16:03:51 GMT

@viggor, If the default drilldown token for charts i.e. $earliest$ and $latest$ are defaulting to Search time range instead of clicked row value, it implies that you do not have _time field available. Please make sure your final search command is timechart or chart with _time field. Please refer to the Splunk documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#chart_2

Following is a run anywhere search based on Splunk _internal index.

<form>
  <label>Chart Drilldown default tokens earliest and latest</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| timechart span=1h count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <set token="earliestTime">$earliest$</set>
          <set token="latestTime">$latest$</set>
          <set token="eventCount">$click.value2$</set>
          <eval token="duration">$latest$-$earliest$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          Earliest: $earliestTime$<br/>
          Latest: $latestTime$<br/>
          Duration: $duration$<br/>
          Events: $eventCount$
        </div>
      </html>
    </panel>
  </row>
</form>

PS: Please change accordingly for your usecase. If the same is not working please provide your existing Splunk search query.

Re: Drilldown: Use starttime of bar in timechart as `earliest` field in subsequent search

viggor — Mon, 02 Oct 2017 19:59:26 GMT

Hi rjthibod, thanks a lot for your comment.
I tried to use

<drilldown>
   <eval token="tok_ear">strptime("'click.value'", "%Y-%m-%dT%H:%M:%S.%3N-%:z")</eval>
 </drilldown>

but the tok_ear variable does not seem to be defined.