How do you convert _time of a row to epoch in a dashboard token?

eurban
Explorer

I am looking to pass a time range (-5m and +5m) relative to a row's _time value to another dashboard through the use of a drilldown, but am having trouble getting this to work. The idea is that a user clicks on a field in a table row result, and the click opens a new tab to a separate dashboard with the time selector having a range of 5 minutes before through 5 minutes after the row's time that was clicked on.

When I try the following, it results in NaN values being passed to the new dashboard:

<drilldown>
   <condition field="field_to_click">
      <eval token="search_earliest">relative_time($row._time$, "-5m@m")</eval>
      <eval token="search_latest">relative_time($row._time$, "+5m@m")</eval>
      <link target="_blank">
         <![CDATA[other_dashboard?form.time_selector.earliest=$search_earliest$&form.time_selector.latest=$search_latest$]]>
      </link>
   </condition>
</drilldown>

I have also tried using the following to get the epoch time with the purpose of using the new token in my eval expressions with relative_time:

<eval token="row_epoch">$row._time$</eval>

This doesn't convert _time to epoch, though, like I would expect.

I would hate to use strptime, since this is done on the client side and so seems risky, as it requires passing in the _time value's display format (second argument). I am also trying to avoid adding any new columns to the search output.

Wondering if anyone has any suggestions?


UPDATE 2018-MAY-04:

Here is a test dashboard with search that I created so others can test this:

<dashboard>
  <label>Dashboard to test _time</label>
  <row>
    <panel>
      <title>Search for testing _time</title>
      <table>
        <search>
          <query>`my_index` sourcetype=my_source 
| head 10
| eval epoch_time_search_eval=_time
| eval "Field to click" = "Field to click"
| table _time, epoch_time_search_eval, "Field to click"</query>
          <earliest>-4h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="Field to click">
            <eval token="row_time_epoch">$row._time$</eval>
            <link target="_blank">
              <![CDATA[other_dashboard?form.time_selector.earliest=$row_time_epoch$&form.time_selector.latest=$row_time_epoch$]]>
            </link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Note that in this case the results table from the search shows the time in epoch for values of epoch_time_search_eval. However, when I click on the "Field to click", the redirect URL has this in the path:

https://splunk-server.com/en-US/app/my_app/other_dashboard?form.time_selector.earliest=2018-05-04T09%3A06%3A51.929-05%3A00&form.time_selector.latest=2018-05-04T09%3A06%3A51.929-05%3A00

Also, in case it is relevant we are using Splunk Enterprise 7.0.3.

cmerriman
Super Champion

So two options, I think.

You could use $row.epoch_time_search_eval$ in your drilldown, if that is a field in your end result:

<drilldown>
   <condition field="Field to click">
      <eval token="row_time_epoch">$row.epoch_time_search_eval$</eval>
      <link target="_blank">
         <![CDATA[other_dashboard?form.time_selector.earliest=$row_time_epoch$&form.time_selector.latest=$row_time_epoch$]]>
      </link>
   </condition>
</drilldown>

Or you could do an eval in your drilldown to convert _time:

<drilldown>
   <condition field="Field to click">
      <eval token="row_time_epoch">strptime($row._time$,"%F %T.%3N")</eval>
      <link target="_blank">
         <![CDATA[other_dashboard?form.time_selector.earliest=$row_time_epoch$&form.time_selector.latest=$row_time_epoch$]]>
      </link>
   </condition>
</drilldown>

I think the main problem here is that _time is stored in epoch, but the dashboard is displaying it in human-readable form, so while this might not be expected behavior, it's hard to know if it is a bug or not. Testing this out on 6.6.3, both options seem to work and epoch time is passed through in the link.


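The following is an added example that is not part of this thread; it puts both of the options above into one complete test dashboard so the two approaches can be compared side by side. It keeps the thread's placeholder names (`my_index`, `my_source`, `other_dashboard`, `time_selector`) and assumes that the table's `<fields>` element hides helper columns from the display while leaving them available to `$row.*$` drilldown tokens, and that the `|u` token filter URL-encodes a token value before it is placed in the link.

```xml
<dashboard>
  <label>Drilldown with epoch time bounds (added example)</label>
  <row>
    <panel>
      <title>Option 1: compute the bounds in SPL and hide the helper columns</title>
      <table>
        <search>
          <!-- `my_index` / my_source are the thread's placeholders, not real sources -->
          <query>`my_index` sourcetype=my_source
| head 10
| eval drill_earliest=relative_time(_time, "-5m@m")
| eval drill_latest=relative_time(_time, "+5m@m")
| eval "Field to click"="Field to click"
| table _time, "Field to click", drill_earliest, drill_latest</query>
          <earliest>-4h</earliest>
          <latest>now</latest>
        </search>
        <!-- Assumption: only the listed columns are rendered, but drill_earliest and
             drill_latest stay in the row data, so $row.drill_earliest$ still resolves -->
        <fields>["_time", "Field to click"]</fields>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition field="Field to click">
            <!-- The values are already epoch numbers; |u URL-encodes them anyway,
                 because whatever the token holds ends up in a URL -->
            <link target="_blank">
              <![CDATA[other_dashboard?form.time_selector.earliest=$row.drill_earliest|u$&form.time_selector.latest=$row.drill_latest|u$]]>
            </link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 2: parse the rendered _time inside the drilldown eval</title>
      <table>
        <search>
          <query>`my_index` sourcetype=my_source
| head 10
| eval "Field to click"="Field to click"
| table _time, "Field to click"</query>
          <earliest>-4h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition field="Field to click">
            <!-- $row._time$ is the rendered string, so the strptime format must match
                 exactly what the table displays ("%F %T.%3N", as in the answer above).
                 strptime is nested directly so no intermediate token is needed. -->
            <eval token="search_earliest">relative_time(strptime($row._time$, "%F %T.%3N"), "-5m@m")</eval>
            <eval token="search_latest">relative_time(strptime($row._time$, "%F %T.%3N"), "+5m@m")</eval>
            <link target="_blank">
              <![CDATA[other_dashboard?form.time_selector.earliest=$search_earliest|u$&form.time_selector.latest=$search_latest|u$]]>
            </link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Option 1 is the one to prefer when the display format is not under your control: the bounds are computed server-side from the real epoch value of _time, so a user whose time-format preference or timezone renders the column differently still gets correct numbers in the link. Option 2 fails silently in that situation: strptime returns null when the format does not match, the tokens come out empty, and the target dashboard opens with an empty time range rather than an error, so check the generated URL (as the original poster did) before relying on it.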
eurban
Explorer

Thanks, cmerriman. I was trying to do this without adding a new field and without using strptime but I might have to end up using one of those.

Also, for clarification when you wrote that both options work in 6.6.3, did you mean that the two options you laid out work?


cmerriman
Super Champion

Yes, both of the options I wrote above worked in 6.6.3, but your original token with just $row._time$ gave me the same result you saw.


elliotproebstel
Champion

Is there any chance that the search populating that dashboard panel is changing the content/format of the _time field? I'm suspicious about it when you say "This doesn't convert _time to epoch though like I would expect." If you haven't done any calculations or evals on the _time field, it will already be in epoch and won't need converting.


eurban
Explorer

The only statement in my original search related to time was a convert, but it was writing output to a new field, so it didn't look like it should affect _time (| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS timestamp).

I went ahead and simplified the dashboard for testing purposes and am still getting the same behavior. I attached the dashboard source above for reference.


cmerriman
Super Champion

Could you possibly give your entire source code, so we could see what is populating the time from the panel and what format it might be in, as well as possibly recreate a similar dashboard for testing this out?


eurban
Explorer

I added dashboard source code for testing.
