I have a dashboard that has a timechart displaying a count of values occurring every hour. My query is:
index=app host=... sourcetype="..." siteType=...
| timechart span=1h count(eval(status!=200)) as Fails
| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time
| table Time, Fails
This works perfectly, but I want to add a drilldown on my table so the user can click on a row and see all the values for that hour. The closest thing I have been able to come up with is this query:
index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=$earliest$ latest<$latest$))
But if I click on a row, it gives me a search that looks like this:
index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1633096800 latest<1633702712))
And I have an error in the search, "Invalid earliest_time."
What is going on here? Is there a conversion I need to do on the earliest and latest tokens to get the correct time?
Can you try with the following drilldown <link> block?
<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20&earliest=$$drilldown.earliest$$&latest=$$drilldown.latest$$</link>
OR
<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
Try the method from this (replace $row._time$ with $row.Time$; for latest, add 3600).
Thanks for the response! I edited my XML to be the following:
<drilldown>
<eval token="drilldown.earliest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S")</eval>
<eval token="drilldown.latest">strptime($row.Time$,"%Y-%m-%d %H:%M:%S") + 3600</eval>
<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%...%22%20siteType%...%20status!%3D200%20((earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$))&earliest=$$drilldown.earliest$$&latest=$$drilldown.latest$$</link>
</drilldown>
But clicking a row to drill down still gives me a query looking like this:
index=app host=... sourcetype="..." siteType=... status!=200 ((earliest=1620658800 latest<=1620662400))
And the error:
Invalid earliest_time
Help!
Looks like the 2nd query worked, but I had to make sure the Time variable in my initial query was "%m-%d-%Y %H:%M:%S". Thanks for your help, @somesoni2 !
If I have the first block set, and then attempt to drill down, the result is an error:
Invalid earliest_time.
For the 2nd link block, I get this error:
index=app host=... sourcetype="..." status!=200 (earliest=NaN latest<=NaN)
Invalid value "NaN" for time term 'earliest'
The search job has failed due to an error. You may be able view the job in the Job Inspector.
And just to confirm, my drilldown block looks like this:
<drilldown>
<eval token="drilldown.earliest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S")</eval>
<eval token="drilldown.latest">strptime($row.Time$,"%m-%d-%Y %H:%M:%S") + 3600</eval>
<link target="_blank">search?q=index%3Dapp%20host%3D...%20sourcetype%3D%22...%22%20status!%3D200%20(earliest%3D$drilldown.earliest$%20latest%3C%3D$drilldown.latest$)</link>
</drilldown>
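The recurring failure in this thread is the same one: the `<eval>` tokens run `strptime()` over the `Time` column, and that only yields a usable epoch when the format string handed to `strptime()` is exactly the one the table's `strftime()` produced. When it is not, Splunk's `strptime()` returns NaN and the search dies with `Invalid value "NaN" for time term 'earliest'`; worse, a swapped `%d`/`%m` (the question's table emits `%Y-%d-%m`, the first drilldown parses `%Y-%m-%d`) parses without error for days 1 to 12 and silently lands on the wrong hour. The Python below is an added example, not code from the thread or from Splunk: it models the two tokens and the link, audits a strftime/strptime format pair against sample buckets, and builds the `search?q=...&earliest=...&latest=...` URL from the first form in the answer. The function names are hypothetical, the two bucket epochs are constructed for the demo, and it assumes UTC where Splunk would apply the user's configured time zone.

```python
from datetime import datetime, timezone
import math
from urllib.parse import quote, urlencode

# The "+ 3600" in the drilldown.latest eval: one timechart span=1h bucket.
BUCKET_SECONDS = 3600


def format_row_time(epoch, fmt):
    """Mimic `eval Time = strftime(_time, fmt)` for one timechart row.
    Assumption: times are rendered in UTC; Splunk would use the user's
    configured time zone instead."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def drilldown_tokens(row_time, fmt):
    """Mimic the two <eval> tokens:
        drilldown.earliest = strptime($row.Time$, fmt)
        drilldown.latest   = strptime($row.Time$, fmt) + 3600
    Splunk's strptime yields NaN when the string does not match the
    format; that is mirrored here with float('nan') for both tokens."""
    try:
        parsed = datetime.strptime(row_time, fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return float("nan"), float("nan")
    earliest = int(parsed.timestamp())
    return earliest, earliest + BUCKET_SECONDS


def audit_format_pair(fmt_out, fmt_in, sample_epochs):
    """Round-trip bucket start times through strftime(fmt_out) and
    strptime(fmt_in), the way the table row and the drilldown do, and
    classify each: 'ok' (the epoch survives), 'nan' (parse fails, which
    Splunk reports as Invalid value "NaN" for time term 'earliest'), or
    'misparsed' (parses, but to a different instant, e.g. %d and %m
    swapped for days 1-12)."""
    verdicts = {}
    for epoch in sample_epochs:
        earliest, _ = drilldown_tokens(format_row_time(epoch, fmt_out), fmt_in)
        if math.isnan(earliest):
            verdicts[epoch] = "nan"
        elif earliest == epoch:
            verdicts[epoch] = "ok"
        else:
            verdicts[epoch] = "misparsed"
    return verdicts


def drilldown_url(spl, earliest, latest):
    """Build the search?q=...&earliest=...&latest=... link from the first
    form in the answer: the time bounds travel as their own query
    parameters and only the SPL is URL-encoded into q=. Refuses NaN
    tokens instead of emitting a link that fails at search time."""
    if math.isnan(earliest) or math.isnan(latest):
        raise ValueError("drilldown tokens are NaN: strptime format does not match Time")
    return "search?" + urlencode(
        {"q": spl, "earliest": earliest, "latest": latest}, quote_via=quote
    )


if __name__ == "__main__":
    # Constructed sample: the 14:00 UTC bucket of 2021-10-01 and of 2021-10-15.
    buckets = [1633096800, 1634306400]
    good = "%Y-%m-%d %H:%M:%S"      # what the accepted drilldown parses
    swapped = "%Y-%d-%m %H:%M:%S"   # what the question's table emits
    print("matching formats:", audit_format_pair(good, good, buckets))
    print("swapped vs good :", audit_format_pair(swapped, good, buckets))
    earliest, latest = drilldown_tokens(format_row_time(buckets[0], good), good)
    print(drilldown_url("index=app status!=200", earliest, latest))
```

Run against the swapped pair, the audit reports the 1 October bucket as `misparsed` (it parses as 10 January) and the 15 October bucket as `nan` (month 15 does not exist), which is exactly the split between a drilldown that quietly shows the wrong hour and one that errors out. Keeping `earliest`/`latest` as separate query parameters, as in the answer's first `<link>` form, also keeps the time terms out of the SPL string, so the only thing that needs URL-encoding is the search itself.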