Dashboards & Visualizations

How can I modify earliest time and latest time before passing these tokens set on click from chart to another?

sduddilla
Path Finder

Hello,
Here is the the description of process and what I am looking for. User is aware of zooming in chart, but wants a second chart in drill down with click.
1) This is the first time chart search
index=xxxx sourcetype=aaaa earliest=-7d latest=now | fields TA, TM| timechart span=15m max(TM), avg(TA)

2) From this chart when user clicks a point I want to add and subtract some time to use for next chart.

token="selected_time">$click.value$

3) Here is the second time chart search
index=xxxx sourcetype=aaaa earliest="$calculated_earliest_time$" latest=$calculated_latest_time$" | fields TA, TM| timechart span=1sec max(TM), avg(TA)

    Example of calculated_earliest_time and calculated_latest_time in the above query
          calculated_earliest_time = selected_time - 30 minutes
          calculated_latest_time = selected_time + 30 minutes.

    Although I can add eval functions to restrict the time frame by using pipe I do not want the second search redeing events that 
    are  outside the the sepcified time range.
    I want to use calculated time fields in beginning of the second time chart search.
1 Solution

ramdaspr
Contributor

I had this issue too and forced the time via a subsearch which will output a string with earliest and latest into the actual search query

The subsearch would be something like

[search index=myindex |head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM| timechart span=1sec max(TM), avg(TA)

View solution in original post

sduddilla
Path Finder

Hello ramadaspr,
It is resolved now. I could call use the search above (including sub search) in the dashboard.
Thank You for your help.

0 Karma

sduddilla
Path Finder

ramadaspr,
You are correct, your your intial search example works. What I did not realize was there was an issue with splunk forwarder and it did not forward the data to splunk for the period I was looking for. It is now resolved.
Now I am trying to use it in my dashboard xml. When I click on time point on the graph it still awaits on "search on waiting for input"
Still researching what is the issue. I could be something do to with the "$" sign used in tokens in the search.

    [ search index=xxxx |head 1|eval earliest=$selected_time$-300|eval latest=$selected_time$+300
    | table earliest latest|format "(" "(" "" ")" "OR" ")"\] index=xxxxsourcetype=aaaa Monitor
    | fields Throughput_Avg, Throughput_Max| timechart span=1sec max(Throughput_Max), avg(Throughput_Avg)
0 Karma

ramdaspr
Contributor

The subsearch i provided shouldnt be causing that issue and it only outputs a string which is used by the following query. Does your query provide any results when you fire it without the subsearch?

Another query you can try is.

[|gentimes start=-1| eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"]  your query here

You can also try Raghav's approach mentioned @ http://answers.splunk.com/answers/215176/subtracting-30-minutes-from-passed-drilldown-param.html

sduddilla
Path Finder

Thomra and Ramdaspr,
Thank you for your ressponse.
Seemed Ramdaspr answers response seem to be closer to the issue to the resolution I am looking for.
Ramdaspr,
I have tried your suggestion and it does not return any data. If I remove sourcetype from the query it returns data within the desired time frame desired (- 30 minutes to +30 minutes), which is not the data I am looking for since this index has muliple sourcetypes. I tried both ways below with source type and did no get any data. Is there some other way the search need to be rewritten to produce the desired result

a) [search index=xxxx |head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa
2) [search index=xxxx|head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest,sourcetype | format "(" "(" "" ")" "OR" ")"] index=xxxx

0 Karma

ramdaspr
Contributor

I had this issue too and forced the time via a subsearch which will output a string with earliest and latest into the actual search query

The subsearch would be something like

[search index=myindex |head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM| timechart span=1sec max(TM), avg(TA)

peter_holmes_an
Path Finder

I'm adding this in case any one else finds this as I did. If you want to use this to modify the time range of a chart in a dashboard with a shared time picker then you have to deal with $time.latest$ will spit out "now" if the latest time is now, or epoch time if it's not. to get round this you can add something like this

eval earliest=if("$time.latest$" == "now","-2m",$time.latest$-120)

so I was wanting to limit this particular chart to the latest 2mins of the selected time range.

0 Karma

thomrs
Communicator

Tokens may work for you. You can pass the timeframe the user clicks and perform your search. You can add:

 row depends="$token$"

To prevent the row from showing until the token is present, i.e. user clicks.

While this will not do the add/subtract time you get close. I have a similar situation where I want to expand the tie defined by the token, only way I see to do that is with a little JS. This is on my todo list to finalize a current project.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/tokens

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...