How do I drilldown time?

appleman
Contributor

Hello,

I want to drill down on the time I pick from the timechart as well as the click value on the dashboard.
So I made the XML, but it only drills down on the click value, not the time.
How can I drill down on the time as well?

Here is my XML below.

<form>
  <label>ログ検索</label>
  <description>トラブルシュート用</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="number"/>
    <input type="time" searchWhenChanged="true">
      <default>Today</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>オペレーション</title>
      <searchString>source=operation $number$ | table _time unitid number sequence opid command status</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <drilldown target="_blank">
        <link>
          <![CDATA[/app/search/mdm_log_search1?form.incomingToken=$row.command$&earliest=$earliest$&latest=$latest$]]>
        </link>
      </drilldown>
      <option name="drilldown">cell</option>
      <option name="count">30</option>
    </table>
  </row>
</form>

Thank you.

0 Karma

gauldridge
Path Finder

The drilldown in this XML is sending the earliest and latest times based on the time range chosen by the user through the time picker. If that is the time range you are trying to send to your drilldown, you should first change the default section of the time picker to:

<default>
  <earliest>@d</earliest>
  <latest>now</latest>
</default>

Otherwise it will default to "All Time" because the syntax above is incorrect (for Splunk 6 at least). Also, is this the full XML of the view? You mention a timechart but there isn't one in this XML.

-----UPDATE STARTS HERE-----

Since you are already sending other tokens to a drilldown form search, you can send the _time value as well. Just change your drilldown link to this:

<![CDATA[/app/search/mdm_log_search1?form.incomingToken=$row.command$&form.timestamp=$row._time$&earliest=$earliest$&latest=$latest$]]>

I added the &form.timestamp=$row._time$ section to your link. On the drilldown target, you will have <input type="text" token="timestamp" /> to receive the second incoming token. Here's a quick working example of a Main Form Search and the Drilldown Form Search showing how to send the exact time stamp to a drilldown form search:

<form>
  <label>Main Form Search XML</label>
  <description/>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>@d</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <table>
      <searchString>index=_internal | table _time,clientip</searchString>
      <earliestTime>-4h@m</earliestTime>
      <latestTime>now</latestTime>
      <drilldown target="_blank">
        <link>
          <![CDATA[/app/search/drilldown_landing?form.timestamp=$row._time$]]>
        </link>
      </drilldown>
    </table>
  </row>
</form>



<form>
  <label>Drilldown Form Search Landing</label>
  <description/>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <default/>
    </input>
    <input type="text" token="timestamp"/>
  </fieldset>
  <row>
    <event>
      <searchString>index=_internal _time=[| gentimes start=-1 | eval x=strptime("$timestamp$","%FT%H:%M:%S.%3N%z") | fields x | rename x AS search]</searchString>
      <earliestTime>0</earliestTime>
      <latestTime>now</latestTime>
    </event>
  </row>
</form>

Just make sure you use the proper time format string in strptime() in the drilldown form search. Otherwise, you'll get no results. Also, keep in mind that sending an exact time stamp like this will only get you events with that exact time stamp.
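One way to work around the exact-match caveat above, as an added example that is not part of the original answer: a landing form whose subsearch turns the incoming timestamp into an `earliest`/`latest` pair, so the panel returns events within a window around the clicked row instead of one exact instant. The view label and the 30-second half-width are illustrative choices, and the `|s` token filter (which quotes the token value before it is placed in the search string) is assumed to be available in the Splunk version in use.

```xml
<form>
  <!-- Added example: label and window size are illustrative, not from the original post -->
  <label>Drilldown Landing (time window)</label>
  <description/>
  <fieldset autoRun="true" submitButton="false">
    <!-- Receives form.timestamp=$row._time$ from the drilldown link -->
    <input type="text" token="timestamp"/>
  </fieldset>
  <row>
    <event>
      <!--
        The subsearch produces a single row with fields named earliest and
        latest (epoch seconds). Fields with those names returned from a
        subsearch act as time modifiers on the outer search, which narrows
        it to clicked time +/- 30 seconds.
        $timestamp|s$ wraps the URL-supplied value in quotes and escapes any
        quotes inside it, so the value stays a string literal in eval.
        The strptime format string is the one from the answer above and must
        match the format of the incoming value.
      -->
      <searchString>index=_internal [| gentimes start=-1 | eval t=strptime($timestamp|s$,"%FT%H:%M:%S.%3N%z") | eval earliest=t-30 | eval latest=t+30 | fields earliest latest]</searchString>
      <earliestTime>0</earliestTime>
      <latestTime>now</latestTime>
    </event>
  </row>
</form>
```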

gauldridge
Path Finder

@appleman, please see my updated answer above.

0 Karma

appleman
Contributor

Thank you. And yes, it's my full sample XML and I'm sorry, there was no timechart. I meant _time in the table.

0 Karma