Dashboards & Visualizations

How can I modify earliest time and latest time before passing these tokens, set on click, from one chart to another?

sduddilla
Path Finder

Hello,
Here is the description of the process and what I am looking for. The user is aware of zooming in the chart, but wants a second chart in a drilldown on click.
1) This is the first time chart search
index=xxxx sourcetype=aaaa earliest=-7d latest=now | fields TA, TM| timechart span=15m max(TM), avg(TA)

2) From this chart when user clicks a point I want to add and subtract some time to use for next chart.

<set token="selected_time">$click.value$</set>

3) Here is the second time chart search
index=xxxx sourcetype=aaaa earliest="$calculated_earliest_time$" latest="$calculated_latest_time$" | fields TA, TM| timechart span=1sec max(TM), avg(TA)

Example of calculated_earliest_time and calculated_latest_time in the above query:
    calculated_earliest_time = selected_time - 30 minutes
    calculated_latest_time = selected_time + 30 minutes

Although I can add eval functions to restrict the time frame by using a pipe, I do not want the second search reading events that are outside the specified time range.
I want to use the calculated time fields at the beginning of the second timechart search.
1 Solution

ramdaspr
Contributor

I had this issue too and forced the time via a subsearch which will output a string with earliest and latest into the actual search query

The subsearch would be something like

[search index=myindex |head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM| timechart span=1sec max(TM), avg(TA)

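Putting the question's two charts and the accepted subsearch together as one complete Simple XML dashboard, as an added example rather than code from the original posts: the index, sourcetype and field names are the placeholders used in the thread, the panel titles and the time-input token name are assumed, and the `depends` attribute follows thomrs's suggestion further down the thread.

```xml
<form>
  <label>TA/TM overview with click-to-detail (added example)</label>
  <fieldset submitButton="false">
    <!-- shared time picker; its tokens are $time.earliest$ / $time.latest$ -->
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-7d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Overview (15 minute buckets)</title>
      <chart>
        <search>
          <query>index=xxxx sourcetype=aaaa | fields TA, TM | timechart span=15m max(TM), avg(TA)</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <drilldown>
          <!-- on a timechart, $click.value$ is the clicked bucket's _time
               (an epoch value, which is what the subsearch arithmetic below assumes) -->
          <set token="selected_time">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <!-- the whole row stays hidden until a click sets the token, so the
       detail panel never sits at "search on waiting for input" -->
  <row depends="$selected_time$">
    <panel>
      <title>Detail: 30 minutes either side of the clicked point (1 second buckets)</title>
      <chart>
        <search>
          <!-- gentimes is a generating command, so the subsearch is not limited
               by the dashboard time range the way "index=... | head 1" would be;
               format emits ( ( earliest=X latest=Y ) ), which the outer search
               takes as its time bounds, so only that window is read -->
          <query>[| gentimes start=-1 | eval earliest=$selected_time$-1800, latest=$selected_time$+1800 | table earliest, latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM | timechart span=1sec max(TM), avg(TA)</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

The second panel deliberately has no `<earliest>`/`<latest>` elements: the `earliest=`/`latest=` terms that `format` injects into the search string take precedence over any panel or picker time range, which is exactly the behaviour the question asks for (the time bounds sit at the start of the search, not in a later filtering pipe).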

sduddilla
Path Finder

Hello ramdaspr,
It is resolved now. I could use the search above (including the subsearch) in the dashboard.
Thank You for your help.

0 Karma

sduddilla
Path Finder

ramdaspr,
You are correct, your initial search example works. What I did not realize was that there was an issue with the Splunk forwarder and it did not forward the data to Splunk for the period I was looking for. It is now resolved.
Now I am trying to use it in my dashboard XML. When I click on a time point on the graph it still sits at "search on waiting for input".
Still researching what the issue is. It could be something to do with the "$" sign used in tokens in the search.

    [ search index=xxxx |head 1|eval earliest=$selected_time$-300|eval latest=$selected_time$+300
    | table earliest latest|format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa Monitor
    | fields Throughput_Avg, Throughput_Max| timechart span=1sec max(Throughput_Max), avg(Throughput_Avg)
0 Karma

ramdaspr
Contributor

The subsearch I provided shouldn't be causing that issue; it only outputs a string which is used by the following query. Does your query provide any results when you fire it without the subsearch?

Another query you can try is:

[|gentimes start=-1| eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"]  your query here

You can also try Raghav's approach mentioned @ http://answers.splunk.com/answers/215176/subtracting-30-minutes-from-passed-drilldown-param.html

sduddilla
Path Finder

Thomrs and Ramdaspr,
Thank you for your response.
Ramdaspr's response seems to be closer to the resolution I am looking for.
Ramdaspr,
I have tried your suggestion and it does not return any data. If I remove sourcetype from the query it returns data within the desired time frame (-30 minutes to +30 minutes), which is not the data I am looking for since this index has multiple sourcetypes. I tried both ways below with the sourcetype and did not get any data. Is there some other way the search needs to be rewritten to produce the desired result?

a) [search index=xxxx |head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa
b) [search index=xxxx|head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest,sourcetype | format "(" "(" "" ")" "OR" ")"] index=xxxx

0 Karma


peter_holmes_an
Path Finder

I'm adding this in case anyone else finds this as I did. If you want to use this to modify the time range of a chart in a dashboard with a shared time picker, then you have to deal with the fact that $time.latest$ will spit out "now" if the latest time is now, or epoch time if it's not. To get round this you can add something like this:

eval earliest=if("$time.latest$" == "now","-2m",$time.latest$-120)

so I was wanting to limit this particular chart to the latest 2 mins of the selected time range.

0 Karma
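The shared-time-picker case from the post above as a single panel, added here as an example that is not the poster's own dashboard code: the picker token is assumed to be `time`, the index, sourcetype and field names are the thread's placeholders, and the branch for an epoch value is taken as a number rather than a string so that both outcomes of the `if` are epoch values the `format` command can emit as `earliest=`/`latest=`.

```xml
<row>
  <panel>
    <title>Last 2 minutes of the selected range (added example)</title>
    <chart>
      <search>
        <!-- $time.latest$ is the literal string "now" when the picker's latest is now,
             otherwise an epoch number; resolve both to an epoch before subtracting -->
        <query>[| gentimes start=-1 | eval latest=if("$time.latest$"=="now", now(), $time.latest$), earliest=latest-120 | table earliest, latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM | timechart span=1sec max(TM), avg(TA)</query>
      </search>
      <option name="charting.chart">line</option>
    </chart>
  </panel>
</row>
```

The comparison is written as `"$time.latest$"=="now"` in quotes on purpose: when the token is an epoch, the substituted text is a bare number, and quoting it keeps the `if` condition a string comparison either way while the unquoted `$time.latest$` in the second branch is still evaluated as a number.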

thomrs
Communicator

Tokens may work for you. You can pass the timeframe the user clicks and perform your search. You can add:

<row depends="$token$">

To prevent the row from showing until the token is present, i.e. user clicks.

While this will not do the add/subtract time, you get close. I have a similar situation where I want to expand the time defined by the token; the only way I see to do that is with a little JS. This is on my todo list to finalize for a current project.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/tokens
