Trying to convert a drilldown value before the redirect

dspracklen
Path Finder

Firstly, I'll state that I'm using the Sideview Utils 'Redirector' module for this.

I am making a time-based line chart clickable so that the redirect takes you to a list of events from the time clicked. Everything about the redirection is working as expected, except that the default format of the time I get from $click.value$ is not what I was using. I'd like to either be able to convert the click value in the Redirector parameter arg list, or set a default time format on the chart or drilldown so that the value is passed in an expected format.

Thanks for any help you can offer.

sideview
SplunkTrust

Well, to pass the time you shouldn't use $click.value$. Time is a little special-cased in the tables and charts, and to make a long story short, the $click.value$ as well as the $click.fields._time$ value will always be the locale-formatted readable time... Not very useful for drilldowns.

Anyway, if the chart is showing _time on the x-axis, then use $search.timeRange.earliest$ and $search.timeRange.latest$, and put them in the arg.earliest and arg.latest params respectively.

When the user clicks on a particular bucket on the x-axis, downstream from the chart those will be the epochtime values of the clicked-upon bucket.
And when the user clicks on the Legend, they will simply be the timerange arguments of the main search. Actually, in almost all Redirectors, assuming you want to pass on the timerange, you should always use these params...

Anyway, here are the two params you would put into your Redirector.

<param name="arg.earliest">$search.timeRange.earliest$</param>
<param name="arg.latest">$search.timeRange.latest$</param>

For further reading you can check out the "Key techniques > Other > Overview of all the $foo$ keys", because that page goes through a top-level overview of all the $foo$ keys that are there in different contexts.

sideview
SplunkTrust

D'Oh. I can easily email it to you... Email me at nick [at] sideviewapps.com and tell me your email address (mine is plastered all over already anyway)

0 Karma

dspracklen
Path Finder

Sorry to say this, but apparently that site is blocked by my company. I don't think they block Dropbox, but is there some other method that would work?

0 Karma

sideview
SplunkTrust

Here's an example showing how to do drilldown on a timechart, as well as how to do a custom drilldown where you custom-convert the time to a particular strftime timeformat constant. Hope this helps. http://pastebin.com/PhG0yrSF

0 Karma

dspracklen
Path Finder

We're using 2.2.5.

0 Karma

sideview
SplunkTrust

Any chance you're using a much older version of Sideview Utils? The latest version is 2.2.6 available from http://sideviewapps.com/apps/sideview-utils . I'll write up a working example view showing what you're looking for, and put a pastebin link in here later today.

0 Karma

dspracklen
Path Finder

For what it's worth, I tried to find a way to run a script in an HTML block, but that didn't work. I tried to set up a Search module that only ran eval statements on the incoming args for that page, but that also didn't seem to work right.

0 Karma

dspracklen
Path Finder

I know I'm clicking on the line of data itself to do the drilldown, and not on the legend.

As for the conversion, I'm just trying to do a "%Y/%m/%d %M:%H:%S+000" for an output string. The default is almost correct, but it has a 'T' in place of the space between the date and time. (and is also missing the mostly unused zone information) Previously it was all easy to do this with eval statements, but I don't see a way that I can slip eval statements into the mix here.

0 Karma

sideview
SplunkTrust

Is it possible that it's an all-time search, and you're clicking on a legend item and not an element inside the graph? That would explain getting all-time on the drilldown timerange.

If you're looking to convert to other values, can you tell me exactly what format you're looking to convert it into? There are some search language tricks but more details will help me give a better answer.

0 Karma

dspracklen
Path Finder

Thanks much for the answer. The params you're listing, however, only give the result of 'all' and not any sort of date or time.

I'm also looking more for a way to convert values, since even the raw epoch time isn't what I'm after.

0 Karma
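
Added example, not part of the original thread and not the contents of the pastebin link: one way to turn the epoch bounds of the clicked bucket into a formatted string with eval on the drilldown target, assuming the target view's search runs over the earliest/latest time range passed by the Redirector. The format string is a constructed placeholder to be replaced with whatever the destination expects, and the field names `earliest_fmt` and `latest_fmt` are made up for illustration. `addinfo` exposes the search's own time range as `info_min_time` and `info_max_time`; on an all-time search these are `0` and `+Infinity`, so that case (the 'all' result mentioned above) is handled explicitly rather than formatted as a date.

```spl
| makeresults
| addinfo
| eval earliest_fmt=if(info_min_time==0, "all time", strftime(info_min_time, "%Y/%m/%d %H:%M:%S"))
| eval latest_fmt=if(info_max_time=="+Infinity", "all time", strftime(info_max_time, "%Y/%m/%d %H:%M:%S"))
| table earliest_fmt latest_fmt
```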