Dashboards & Visualizations

Dashboard timechart time tokens not working

MarcusAtMARS
Explorer

I have a dashboard that has a timechart displaying a count of values occurring every hour. My query is:

index=app host=... sourcetype="..." siteType=...
| timechart span=1h count(eval(status!=200)) as Fails
| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time
| table Time, Fails

This works perfectly, but I want to add a drilldown on my table so the user can click on a row and see all the values for that hour. The closest thing I have been able to come up with is this query:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=$earliest$ latest<$latest$))

But if I click on a row, it gives me a search that looks like this:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1633096800 latest<1633702712))

And I have an error in the search, "Invalid earliest_time."

What is going on here? Is there a conversion I need to do on the earliest and latest tokens to get the correct time? 

Labels (5)
0 Karma
1 Solution

somesoni2
Revered Legend

Can you try with following drilldown <link> block?

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>

OR

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>

View solution in original post

0 Karma

somesoni2
Revered Legend

Try method from this (change $row._time$ with $row.Time$. For latest, add 3600)

https://community.splunk.com/t5/Splunk-Search/Drilldown-pass-the-earliest-and-latest-from-a-timechar...

0 Karma

MarcusAtMARS
Explorer

Thanks for the response! I edited my XML to be the following:

<drilldown>
    <eval token="drilldown.earliest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S")</eval>
    <eval token="drilldown.latest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S") + 3600</eval>
    <link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20((earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$))&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>
</drilldown>

Put clicking a row to drill down still gives my a query looking like this:

index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1620658800 latest<=1620662400))

And the error:

Invalid earliest_time
0 Karma

MarcusAtMARS
Explorer

Help!

0 Karma

somesoni2
Revered Legend

Can you try with following drilldown <link> block?

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&amp;earliest=$$drilldown.earliest$$&amp;latest=$$drilldown.latest$$</link>

OR

<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
0 Karma

MarcusAtMARS
Explorer

Looks like the 2nd query worked, but I hade to make sure the Time variable in my initial query was "%m-%d-%Y %H:%M:%S". Thanks for your help, @somesoni2 !

0 Karma

MarcusAtMARS
Explorer

If I have the first block set, and then attempt to drilldown, the result is an error:

Invalid earliest_time.

For the 2nd link block, I get this error:

index=app host=... sourcetype="..." status!=200 (earliest=NaN latest<=NaN)
Invalid value "NaN" for time term 'earliest'
The search job has failed due to an error. You may be able view the job in the Job Inspector.

And just to confirm, my drilldown bock looks like this:

        <drilldown>
          <eval token="drilldown.earliest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S")</eval>
          <eval token="drilldown.latest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S") + 3600</eval>
          <link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%22...%22%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
        </drilldown>
0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...