Solved: Dynamic drilldown: Pass the timechart command's ti...

bruceclarke · ‎11-25-2014

All,

I have a search that populates monthly browser usage across all browsers. base search | timechart span=1mon count as browserCount by Browser usenull=f We want to display this search in a table so that we can display the actual number. We then want to drilldown into a separate dashboard after we click a value in the row.

From what I understand from this documentation, we should just be able to set the time picker in the dashboard drilled into by using $earliest$ and $latest$ . So, I would assume this would look something like:

<drilldown target="Drilldown into usage by Browser">
  <link>
    <![CDATA[
      /app/MyApp/browser_usage_drilldown?form.groupId=*&form.browserId=*&form.timePicker.earliest=$earliest$&form.timePicker.latest=$latest$
    ]]>
  </link>
</drilldown>

Instead of using the row's time, however, the drilldown chooses to use the global time of the dashboard. If I switch to a line chart visualization, then this drilldown works as expected. It uses the row's time.

Is there a way that we can keep the table view, but still have the $earliest$ and $latest$ work as if it were a line chart? It seems weird to me that changing the visualization would affect the time fields, since the documentation seems to suggest otherwise.

EDIT - Here's the XML. Again, if I change this to a line chart, it works as I'd expect it to. Basically I want it to pass through the month that I clicked on.

    <panel>
      <table>
        <title>Count by Browser</title>
        <search>
          <query>base search | timechart span=1mon count as browserCount by Browser usenull=f</query>
          <earliest>-6mon@mon</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <drilldown target="Drilldown into usage by Browser">
          <link>
            <![CDATA[
              /app/ProductMgmt/browser_usage_drilldown?form.groupId=*&form.browserId=*&form.monthVar.earliest=$earliest$&form.monthVar.latest=$latest$
            ]]>
          </link>
        </drilldown>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>

martin_mueller · ‎11-25-2014

Hmm... that should indeed work that way, but apparently doesn't... same over here. Consider filing a case with support to check if that's actually a bug.

In the meantime, let's cheat our way towards a working drilldown:

in your search, append this after the timechart: ... | eval _earliest = _time | eval _latest = _time + _span
in your drilldown, use the tokens $row._earliest$ and $row._latest$

That'll compute the range of each row invisibly and use that instead of the possibly broken default tokens.

View solution in original post

martin_mueller · ‎11-25-2014

Hmm... that should indeed work that way, but apparently doesn't... same over here. Consider filing a case with support to check if that's actually a bug.

In the meantime, let's cheat our way towards a working drilldown:

in your search, append this after the timechart: ... | eval _earliest = _time | eval _latest = _time + _span
in your drilldown, use the tokens $row._earliest$ and $row._latest$

That'll compute the range of each row invisibly and use that instead of the possibly broken default tokens.

aarzhang · ‎11-12-2015

in my search, I have append this after the timechart: ... | eval _earliest = _time | eval _latest = _time + _span

but in the drilldown I use $row._earliest$ and $row._latest$, I can not get the value

my search:
......| timechart limit=0 span=$timespan_tok$ sum(total) by EPC_Log.onErrorMsg|eval _eraliest=_time|eval _latest=_time+_span

my drilldown :
......onErrorMsg="$click.name2$" earliest=$row._time$ latest=$row._latest$

when i click the query like this:
......onErrorMsg="Script" earliest=1447167600.000 latest=$row._latest$

So you can see, I can get $row._time$ but i can not get the $row._latest$ value

Can you help me ?

bruceclarke · ‎11-25-2014

That works. I'll create a support issue first thing tomorrow morning.

martin_mueller · ‎11-25-2014

That should work - could you post the xml for the table that's not working?

bruceclarke · ‎11-25-2014

I attached the XML for the table. Let me know if you see something wrong. Thanks!

Dynamic drilldown: Pass the timechart command's time field as an argument

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!