Solved: +/- 30 minutes from timestamp of table on a dashbo...

treverce · ‎08-19-2020

I have a dashboard that generates a table that I would like to add the ability to jump into search from the table on the dashboard. We have hundreds of TB of data a day in the index so id like for it to limit the timeframe down to +/- 30m of the timestamp that I have. So if the timestamp of the event is 8:21pm I want to make the search be something like

```

index=index field=field earliest=(timestamp-30m) latest=(timestamp+30m)

```

How could I achieve this via the dashboard XML?

Thanks!

richgalloway · ‎08-20-2020

You can use eval to set tokens like this.

<drilldown>
  <eval token="st">$row._time$-1800</eval>
  <eval token="et">$row._time$+1800</eval>
</drilldown>

Then pass $st$ and $et$ to the drilldown dashboard.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-20-2020

You can use eval to set tokens like this.

<drilldown>
  <eval token="st">$row._time$-1800</eval>
  <eval token="et">$row._time$+1800</eval>
</drilldown>

Then pass $st$ and $et$ to the drilldown dashboard.

---
If this reply helps you, Karma would be appreciated.

+/- 30 minutes from timestamp of table on a dashboard

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!