Trying to convert a drilldown value before the redirect

Path Finder

Firstly, I'll state that I'm using the Sideview Utils 'Redirector' module for this.

I am making a time-based line chart clickable so that the redirect takes you to a list of events from the time clicked. Everything about the redirection is working as expected, except that the default format of the time I get from $click.value$ is not what I was using. I'd like to either be able to convert the click value in the Redirector parameter arg list, or set a default time format on the chart or drilldown so that the value is passed in an expected format.

Thanks for any help you can offer.


Re: Trying to convert a drilldown value before the redirect

SplunkTrust

Well, to pass the time you shouldn't use $click.value$. Time is a little special-cased in the tables and charts, and to make a long story short the $click.value$ as well as the $click.fields._time$ value will always be the locale-formatted readable time... Not very useful for drilldowns.

Anyway, if the chart is showing _time on the x-axis, then use $search.timeRange.earliest$ and $search.timeRange.latest$, and put them in the arg.earliest and arg.latest params respectively.

When the user clicks on a particular bucket on the x-axis, downstream from the chart those will be the epochtime values of the clicked-upon bucket.
And when the user clicks on the Legend, they will simply be the timerange arguments of the main search. Actually in almost all Redirectors, assuming you want to pass on the timerange you should always use these params...

Anyway, here are the two params you would put into your Redirector.

<param name="arg.earliest">$search.timeRange.earliest$</param>
<param name="arg.latest">$search.timeRange.latest$</param>

For further reading you can check out the "Key techniques > Other > Overview of all the $foo$ keys", because that page goes through a top-level overview of all the $foo$ keys that are there in different contexts.


Re: Trying to convert a drilldown value before the redirect

Path Finder

Thanks much for the answer. The params you're listing, however, only give the result of 'all' and not any sort of date or time.

I'm also looking more for a way to convert values, since even the raw epoch time isn't what I'm after.

0 Karma

Re: Trying to convert a drilldown value before the redirect

SplunkTrust

Is it possible that it's an all-time search, and you're clicking on a legend item and not an element inside the graph? That would explain getting all-time on the drilldown timerange.

If you're looking to convert to other values, can you tell me exactly what format you're looking to convert it into? There are some search language tricks but more details will help me give a better answer.

0 Karma

Re: Trying to convert a drilldown value before the redirect

Path Finder

I know I'm clicking on the line of data itself to do the drilldown, and not on the legend.

As for the conversion, I'm just trying to do a "%Y/%m/%d %M:%H:%S+000" for an output string. The default is almost correct, but it has a 'T' in place of the space between the date and time. (and is also missing the mostly unused zone information) Previously it was all easy to do this with eval statements, but I don't see a way that I can slip eval statements into the mix here.

0 Karma

Re: Trying to convert a drilldown value before the redirect

Path Finder

For what it's worth, I tried to find a way to run a script in an HTML block, but that didn't work. I tried to set up a Search module that only ran eval statements on the incoming args for that page, but that also didn't seem to work right.

0 Karma

Re: Trying to convert a drilldown value before the redirect

SplunkTrust

Any chance you're using a much older version of Sideview Utils? The latest version is 2.2.6 available from http://sideviewapps.com/apps/sideview-utils . I'll write up a working example view showing what you're looking for, and put a pastebin link in here later today.

0 Karma

Re: Trying to convert a drilldown value before the redirect

Path Finder

We're using 2.2.5.

0 Karma

Re: Trying to convert a drilldown value before the redirect

SplunkTrust

Here's an example showing how to do drilldown on a timechart, as well as how to do a custom drilldown where you custom-convert the time to a particular strftime timeformat constant. Hope this helps. http://pastebin.com/PhG0yrSF

0 Karma

Re: Trying to convert a drilldown value before the redirect

Path Finder

Sorry to say this, but apparently that site is blocked by my company. I don't think they block Dropbox, but is there some other method that would work?

0 Karma