Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard timechart time tokens not working

MarcusAtMARS
Explorer
‎10-08-2021 07:42 AM

I have a dashboard that has a timechart displaying a count of values occurring every hour. My query is:

index=app host=... sourcetype="..." siteType=...
| timechart span=1h count(eval(status!=200)) as Fails
| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time
| table Time, Fails

This works perfectly, but I want to add a drilldown on my table so the user can click on a row and see all the values for that hour. The closest thing I have been able to come up with is this query:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=$earliest$ latest<$latest$))

But if I click on a row, it gives me a search that looks like this:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1633096800 latest<1633702712))

And I have an error in the search, "Invalid earliest_time."

What is going on here? Is there a conversion I need to do on the earliest and latest tokens to get the correct time? 

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-21-2021 02:30 PM

Can you try with following drilldown <link> block?

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>

OR

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-08-2021 12:05 PM

Try method from this (change $row._time$ with $row.Time$. For latest, add 3600)

https://community.splunk.com/t5/Splunk-Search/Drilldown-pass-the-earliest-and-latest-from-a-timechar...

0 Karma
Reply
Solved! Jump to solution

MarcusAtMARS
Explorer
‎10-08-2021 02:27 PM

Thanks for the response! I edited my XML to be the following:

<drilldown>
    <eval token="drilldown.earliest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S")</eval>
    <eval token="drilldown.latest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S") + 3600</eval>
    <link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20((earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$))&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>
</drilldown>

Put clicking a row to drill down still gives my a query looking like this:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1620658800 latest<=1620662400))

And the error:

Invalid earliest_time
0 Karma
Reply
Solved! Jump to solution

MarcusAtMARS
Explorer
‎10-21-2021 12:45 PM

Help!

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-21-2021 02:30 PM

Can you try with following drilldown <link> block?

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>

OR

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
0 Karma
Reply
Solved! Jump to solution

MarcusAtMARS
Explorer
‎10-22-2021 09:58 AM

Looks like the 2nd query worked, but I hade to make sure the Time variable in my initial query was "%m-%d-%Y %H:%M:%S". Thanks for your help, @somesoni2 !

0 Karma
Reply
Solved! Jump to solution

MarcusAtMARS
Explorer
‎10-22-2021 09:55 AM

If I have the first block set, and then attempt to drilldown, the result is an error:

Invalid earliest_time.

For the 2nd link block, I get this error:

index=app host=... sourcetype="..." status!=200 (earliest=NaN latest<=NaN)
Invalid value "NaN" for time term 'earliest'
The search job has failed due to an error. You may be able view the job in the Job Inspector.

And just to confirm, my drilldown bock looks like this:

        <drilldown>
          <eval token="drilldown.earliest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S")</eval>
          <eval token="drilldown.latest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S") + 3600</eval>
          <link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%22...%22%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
        </drilldown>
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...