I am changing the Simple XML for a drilldown to go to another panel on my dashboard.
Currently there is a line graph and you can click on any point to see more information about it, but I want to bring the dates with it. I can easily set the earliest date to the date that is on the chart, but obviously if I also set the latest date as the same date on the chart, nothing will show up, because Splunk includes the time in the date as well.
So the drilldown XML code looks like this:
<drilldown>
  <link>
    <![CDATA[ request_stats?form.sourcetype=$click.name2$&early=$click.value$&form.team=$team$&form.app=$app$ ]]>
  </link>
</drilldown>
And the search I'm running takes in the time like this:
"Name" = "$form.sourcetype$" earliest=$early$ [search "AppName" = "Master" "Status" = "500" | fields + ContextId]
And I want to enter the latest time as something like latest=earliest+1d
With the idea in mind that if earliest is set to July 18th 2014 at midnight, then latest would be set to July 19th 2014 at midnight
Or if I could set it in the URL for the drilldown, I just don't know how to do either. Feel free to ask a question for clarification on what I said above.
You could do this:
Name="$form.sourcetype$" earliest=$early$ latest=`relative_time($early$, "+d")` [search AppName="Master" Status=500 | fields ContextId]
That's an eval-based macro (Settings -> Advanced Search -> Macros) you need to define as relative_time(2) with two parameters time,relative and this body:
I'm getting an invalid value "relative_time" for time term 'latest'
I put relativetime(2) as the name
I put time,relative as arguments (it wouldn't let me use $ signs)
I put relativetime($time$, "$relative$") in the definition
Check whether the relevant part of your macros.conf looks like this:
[relative_time(2)]
args = time,relative
definition = relative_time($time$, "$relative$")
iseval = 1
Also make sure you have the appropriate backticks around the macro call:
... latest=`relative_time($early$, "+d")` ...
You should take a look at getting the macro to work - it'll be miles faster than launching an entire subsearch just to do a tiny calculation.
You know the search for AppName="Master" isn't affected by the outer
Name="$form.sourcetype$" earliest=$early$ latest=[|gentimes start=-1 | eval t=relative_time($early$,"+d")| return $t][search AppName="Master" Status=500 | fields ContextId]
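The macro troubleshooting steps discussed in the thread (stanza name, arguments, iseval, backticks) can be checked mechanically; the following is an added example, not code from the thread or from Splunk. It relies on macro stanzas being named as name(argument count), and the function names and the "as entered" stanza (built from what the reply describes) are constructed for illustration.

```python
import configparser
import re

# Constructed inputs: the stanza as the reply describes entering it, and as the answer gives it.
CONF_AS_ENTERED = '[relativetime(2)]\nargs = time,relative\ndefinition = relativetime($time$, "$relative$")\niseval = 1\n'
CONF_AS_ANSWERED = '[relative_time(2)]\nargs = time,relative\ndefinition = relative_time($time$, "$relative$")\niseval = 1\n'
SEARCH = 'Name="x" earliest=$early$ latest=`relative_time($early$, "+d")`'

MACRO_CALL = re.compile(r'`(\w+)(?:\(([^`]*)\))?`')  # `name(args)` or `name`
BARE_CALL = re.compile(r'\blatest=(\w+)\(')          # function call with no backticks


def count_args(arglist):
    """Count comma-separated arguments, ignoring commas inside double quotes."""
    if not arglist.strip():
        return 0
    count, in_quotes = 1, False
    for ch in arglist:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ',' and not in_quotes:
            count += 1
    return count


def lint_macro_calls(search, macros_conf_text):
    """Return a list of problems with the macro calls found in `search`."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(macros_conf_text)
    problems = [f"{m.group(1)}() after latest= is not wrapped in backticks"
                for m in BARE_CALL.finditer(search)]
    for name, arglist in MACRO_CALL.findall(search):
        n = count_args(arglist)
        stanza = f"{name}({n})" if n else name
        if stanza not in conf:
            problems.append(f"no [{stanza}] stanza; defined: {conf.sections()}")
            continue
        declared = [a.strip() for a in conf[stanza].get("args", "").split(",") if a.strip()]
        if len(declared) != n:
            problems.append(f"[{stanza}] declares {len(declared)} args, call passes {n}")
        body = conf[stanza].get("definition", "")
        problems += [f"[{stanza}] definition never uses ${a}$" for a in declared if f"${a}$" not in body]
        if conf[stanza].get("iseval", "0").strip().lower() not in ("1", "true"):
            problems.append(f"[{stanza}] is not eval-based (iseval = 1 missing)")
    return problems


if __name__ == "__main__":
    for label, conf_text in (("as entered", CONF_AS_ENTERED), ("as answered", CONF_AS_ANSWERED)):
        print(label, "->", lint_macro_calls(SEARCH, conf_text) or "ok")
```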