Dashboards & Visualizations

Dashboard timechart time tokens not working

MarcusAtMARS
Explorer

I have a dashboard that has a timechart displaying a count of values occurring every hour. My query is:

index=app host=... sourcetype="..." siteType=...
| timechart span=1h count(eval(status!=200)) as Fails
| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time
| table Time, Fails

This works perfectly, but I want to add a drilldown on my table so the user can click on a row and see all the values for that hour. The closest thing I have been able to come up with is this query:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=$earliest$ latest<$latest$))

But if I click on a row, it gives me a search that looks like this:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1633096800 latest<1633702712))

And I have an error in the search, "Invalid earliest_time."

What is going on here? Is there a conversion I need to do on the earliest and latest tokens to get the correct time? 

Labels (5)
0 Karma
1 Solution

somesoni2
Revered Legend

Can you try with following drilldown <link> block?

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>

OR

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>

View solution in original post

0 Karma

somesoni2
Revered Legend

Try method from this (change $row._time$ with $row.Time$. For latest, add 3600)

https://community.splunk.com/t5/Splunk-Search/Drilldown-pass-the-earliest-and-latest-from-a-timechar...

0 Karma

MarcusAtMARS
Explorer

Thanks for the response! I edited my XML to be the following:

<drilldown>
    <eval token="drilldown.earliest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S")</eval>
    <eval token="drilldown.latest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S") + 3600</eval>
    <link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20((earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$))&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>
</drilldown>

Put clicking a row to drill down still gives my a query looking like this:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1620658800 latest<=1620662400))

And the error:

Invalid earliest_time
0 Karma

MarcusAtMARS
Explorer

Help!

0 Karma

somesoni2
Revered Legend

Can you try with following drilldown <link> block?

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>

OR

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
0 Karma

MarcusAtMARS
Explorer

Looks like the 2nd query worked, but I hade to make sure the Time variable in my initial query was "%m-%d-%Y %H:%M:%S". Thanks for your help, @somesoni2 !

0 Karma

MarcusAtMARS
Explorer

If I have the first block set, and then attempt to drilldown, the result is an error:

Invalid earliest_time.

For the 2nd link block, I get this error:

index=app host=... sourcetype="..." status!=200 (earliest=NaN latest<=NaN)
Invalid value "NaN" for time term 'earliest'
The search job has failed due to an error. You may be able view the job in the Job Inspector.

And just to confirm, my drilldown bock looks like this:

        <drilldown>
          <eval token="drilldown.earliest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S")</eval>
          <eval token="drilldown.latest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S") + 3600</eval>
          <link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%22...%22%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
        </drilldown>
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...