Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard timechart time tokens not working

MarcusAtMARS
Explorer
‎10-08-2021 07:42 AM

I have a dashboard that has a timechart displaying a count of values occurring every hour. My query is:

index=app host=... sourcetype="..." siteType=...
| timechart span=1h count(eval(status!=200)) as Fails
| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time
| table Time, Fails

This works perfectly, but I want to add a drilldown on my table so the user can click on a row and see all the values for that hour. The closest thing I have been able to come up with is this query:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=$earliest$ latest<$latest$))

But if I click on a row, it gives me a search that looks like this:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1633096800 latest<1633702712))

And I have an error in the search, "Invalid earliest_time."

What is going on here? Is there a conversion I need to do on the earliest and latest tokens to get the correct time? 

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-21-2021 02:30 PM

Can you try with following drilldown <link> block?

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>

OR

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-08-2021 12:05 PM

Try method from this (change $row._time$ with $row.Time$. For latest, add 3600)

https://community.splunk.com/t5/Splunk-Search/Drilldown-pass-the-earliest-and-latest-from-a-timechar...

0 Karma
Reply
Solved! Jump to solution

MarcusAtMARS
Explorer
‎10-08-2021 02:27 PM

Thanks for the response! I edited my XML to be the following:

<drilldown>
    <eval token="drilldown.earliest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S")</eval>
    <eval token="drilldown.latest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S") + 3600</eval>
    <link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20((earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$))&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>
</drilldown>

Put clicking a row to drill down still gives my a query looking like this:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1620658800 latest<=1620662400))

And the error:

Invalid earliest_time
0 Karma
Reply
Solved! Jump to solution

MarcusAtMARS
Explorer
‎10-21-2021 12:45 PM

Help!

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-21-2021 02:30 PM

Can you try with following drilldown <link> block?

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>

OR

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
0 Karma
Reply
Solved! Jump to solution

MarcusAtMARS
Explorer
‎10-22-2021 09:58 AM

Looks like the 2nd query worked, but I hade to make sure the Time variable in my initial query was "%m-%d-%Y %H:%M:%S". Thanks for your help, @somesoni2 !

0 Karma
Reply
Solved! Jump to solution

MarcusAtMARS
Explorer
‎10-22-2021 09:55 AM

If I have the first block set, and then attempt to drilldown, the result is an error:

Invalid earliest_time.

For the 2nd link block, I get this error:

index=app host=... sourcetype="..." status!=200 (earliest=NaN latest<=NaN)
Invalid value "NaN" for time term 'earliest'
The search job has failed due to an error. You may be able view the job in the Job Inspector.

And just to confirm, my drilldown bock looks like this:

        <drilldown>
          <eval token="drilldown.earliest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S")</eval>
          <eval token="drilldown.latest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S") + 3600</eval>
          <link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%22...%22%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
        </drilldown>
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...