I am changing the Simple XML for a drilldown to go to another panel on my dashboard.
Currently there is a line graph and you can click on any point to see more information about it, but I want to bring the dates with it. I can easily set the earliest date to the date that is on the chart, but obviously if I also set the latest date as the same date on the chart, nothing will show up, because Splunk includes the time in the date as well.
So the drilldown XML code looks like this:
<drilldown>
<link>
<![CDATA[ request_stats?form.sourcetype=$click.name2$&early=$click.value$&form.team=$team$&form.app=$app$ ]]>
</link>
</drilldown>
And the search I'm running takes in the time like this:
"Name" = "$form.sourcetype$" earliest=$early$ [search "AppName" = "Master" "Status" = "500" | fields + ContextId]
And I want to enter the latest time as something like latest=earliest+1d,
with the idea in mind that if earliest is set to July 18th 2014 at midnight, then latest would be set to July 19th 2014 at midnight.
Or if I could set it in the URL for the drilldown. I just don't know how to do either. Feel free to ask a question for clarification on what I said above.
Try this
Name="$form.sourcetype$" earliest=$early$ latest=[|gentimes start=-1 | eval t=relative_time($early$,"+d")| return $t][search AppName="Master" Status=500 | fields ContextId]
That worked perfectly! Thank you
That $t may throw off the dashboard, you'll need to escape it with another dollar sign.
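The escaping described in the comment above, applied to the subsearch from the earlier answer and placed inside a Simple XML panel. This is an added example, not part of the original thread; the panel, table and title are assumptions, and the query is otherwise the one posted above.

```xml
<panel>
  <table>
    <!-- Title is a constructed placeholder -->
    <title>Request details (constructed example)</title>
    <search>
      <!--
        $form.sourcetype$ and $early$ are dashboard tokens and are substituted
        before the search runs. The field reference for "return" is written as
        $$t so that the dashboard passes a literal $t through to the search
        instead of treating the dollar sign as the start of a token.
      -->
      <query><![CDATA[
        Name="$form.sourcetype$" earliest=$early$
        latest=[| gentimes start=-1 | eval t=relative_time($early$, "+d") | return $$t]
        [search AppName="Master" Status=500 | fields ContextId]
      ]]></query>
    </search>
  </table>
</panel>
```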
You could do this:
Name="$form.sourcetype$" earliest=$early$ latest=`relative_time($early$, "+d")` [search AppName="Master" Status=500 | fields ContextId]
That's an eval-based macro (Settings -> Advanced Search -> Macros) you need to define as relative_time(2) with two parameters time,relative and this body:
relative_time($time$, "$relative$")
You should take a look at getting the macro to work - it'll be miles faster than launching an entire subsearch just to do a tiny calculation.
You know the search for AppName="Master" isn't affected by the outer earliest and latest, right?
Check whether the relevant part of your macros.conf looks like this:
[relative_time(2)]
args = time,relative
definition = relative_time($time$, "$relative$")
iseval = 1
Also make sure you have the appropriate backticks around the macro call:
... latest=`relative_time($early$, "+d")` ...
I'm getting an invalid value "relative_time" for time term 'latest'
I put relative_time(2) as the name
I put time,relative as arguments (it wouldn't let me use $ signs)
I put relative_time($time$, "$relative$") in the definition