topic Re: Dashboard Studio earliest/latest tokens in Splunk Search

Dashboard Studio earliest/latest tokens

Gregs1125 — Wed, 26 Jun 2024 20:58:59 GMT

I'm trying to pass 3 tokens from panel 1 into panel 2, earliest time, latest time, and a basic field value. I can get the earliest time and field value to work, but latest time always defaults to "now" no matter what I try.

Panel 1 is a stacked timechart over a three week period, each stack is one week. The values in the stack are different closure statuses from my SIEM. I want to be able to click on a closure status in a single week and see the details of just the statuses from that week in panel 2. (ex. Mon Jun 17-Sun Jun 23)

Panel 1 looks like:

index=siem sourcetype=triage | eval _time=relative_time(_time,"@w1") ```so my stacks start on monday``` | timechart span=1w@w1 count by status WHERE max in top10 useother=false | eval last=_time+604800 ```manually creating a latest time to use as token```

note: panel 1 is using a time input shared across most panels in the dashboard. (defaulting to 3 Mondays ago)

In Configuration > Interaction, I'm setting 3 tokens, status=name, earliest=row._time.value, and latest=row.last.value

Panel 2 looks like:

index=siem sourcetype=triage earliest=$earliest$ latest=$latest$ | rest of search

When I click a status in week 1 (2 weeks ago) I get statuses for weeks 1, 2, and 3. (earliest and status token is working)

When I click a status in week 2 (1 weeks ago) I get statuses for weeks 2 and 3 (earliest and status token is working)

When I click a status in week 3 (current week) I get the current week. (earliest and status token is working

Latest always defaults to now.

I've done something similar in the old dashboard, I eval'd the time modifiers while setting the token, but am much less familiar with json, not sure if this is a possibility.

What I had previously done: <eval token="earliest">$click.value$-3600</eval>

Re: Dashboard Studio earliest/latest tokens

ITWhisperer — Wed, 26 Jun 2024 20:35:59 GMT

Try using different token names e.g. earliest_time and latest_time

Re: Dashboard Studio earliest/latest tokens

Gregs1125 — Tue, 23 Jul 2024 15:26:43 GMT

Thanks for replying, and sorry for the lengthy delay. Metrics dashboards never seem to be the priority!

Changing the token names did not work, panel 2 doesn't load. I continue to get the red ! in the top right, asking for "Set token value to render visualization" specifically for $latest_time$ (or whatever name variation I try).

Re: Dashboard Studio earliest/latest tokens

yuanliu — Wed, 24 Jul 2024 05:18:13 GMT

Your requirement isn't really clear. Not to point to the obvious difference between last (set in first panel) and $latest$ (used in second panel), but are you sure you can even add an additional field in the first panel and still maintain your original timechart? (Hint: It will ruin it all; at least it will distort the chart.)

Another important question is: What is that $latest$ expected supposed to be? It seems that you want it to be the interactive token because you set it according to _time which varies by row. I already mentioned that setting a new field after timechart will ruin your chart. But in addition, Dashboard Studio has its own regiment to manage tokens. You cannot set a variable in one search and call that variable with $$ and expect it to be a passable token. This is the document about setting interactive token with search result: Setting tokens from search results or search job metadata.

Then, to add 1 week to the click value, run that result in another search. (Just like you would do in Simple XML.) Lastly, use result from that search to drive the second panel. Here is an example:

{ "visualizations": { "viz_7yE1ZwsT": { "type": "splunk.line", "dataSources": { "primary": "ds_DmIKSSCN" }, "title": "First panel", "eventHandlers": [ { "type": "drilldown.setToken", "options": { "tokens": [ { "token": "latest_tok", "key": "row._time.value" } ] } } ], "options": { "legendDisplay": "top" } }, "viz_OIqDnl0b": { "type": "splunk.line", "options": { "legendDisplay": "bottom" }, "dataSources": { "primary": "ds_79fdaiuf" }, "showProgressBar": false, "showLastUpdated": false } }, "dataSources": { "ds_DmIKSSCN": { "type": "ds.search", "options": { "query": "| tstats count where index=_internal by _time span=1d sourcetype\n| timechart span=1d sum(count) by sourcetype\n| eval _last = relative_time(_time, \"+1w\")" }, "name": "first panel" }, "ds_79fdaiuf": { "type": "ds.search", "options": { "query": "index=_introspection latest=$make token:result.week_after$\n| timechart span=1d count by sourcetype" }, "name": "dependent panel" }, "ds_EHm1QhZI": { "type": "ds.search", "options": { "query": "| makeresults\n| eval week_after = relative_time($latest_tok$, \"+1w\")", "enableSmartSources": true }, "name": "make token" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } }, "inputs": { "input_global_trp": { "type": "input.timerange", "options": { "token": "global_time", "defaultValue": "-3w@w,now" }, "title": "Global Time Range" } }, "layout": { "type": "grid", "options": { "width": 1440, "height": 960 }, "structure": [ { "item": "viz_7yE1ZwsT", "type": "block", "position": { "x": 0, "y": 0, "w": 1440, "h": 400 } }, { "item": "viz_OIqDnl0b", "type": "block", "position": { "x": 0, "y": 400, "w": 1440, "h": 400 } } ], "globalInputs": [ "input_global_trp" ] }, "description": "https://community.splunk.com/t5/Splunk-Search/Dashboard-Studio-earliest-latest-tokens/m-p/691740", "title": "Pass time token" }

In this dashboard, when you click a point on July 13 in the first panel, the second panel will end on July 20. Is this something you are looking at?