How do you convert _time of a row to epoch in a dashboard token?

Explorer

I am looking to pass a time range (-5m and +5m) relative to a row's _time value to another dashboard through the use of a drilldown but am having trouble getting this to work. The idea is that a user clicks on a field in a table row result, and the click opens a new tab to a separate dashboard with the time selector having a range of 5 minutes before through 5 minutes after the row's time that was clicked on.

When I try the following, it results in NaN values being passed to the new dashboard:

<drilldown>
   <condition field="field_to_click">
      <eval token="search_earliest">relative_time($row._time$, "-5m@m")</eval>
      <eval token="search_latest">relative_time($row._time$, "+5m@m")</eval>
      <link target="_blank">
         <![CDATA[other_dashboard?form.time_selector.earliest=$search_earliest$&form.time_selector.latest=$search_latest$]]>
      </link>
   </condition>
</drilldown>

I have also tried using the following to get the epoch time with the purpose of using the new token in my eval expressions with relative_time:

<eval token="row_epoch">$row._time$</eval>

This doesn't convert _time to epoch though like I would expect.

I would hate to use strptime since this is done on the client side, so it seems risky to pass in the _time value's display format (second argument). I am also trying to avoid adding any new columns to the search output.

Wondering if anyone has any suggestions?


UPDATE 2018-MAY-04:

Here is a test dashboard with search that I created so others can test this:

<dashboard>
  <label>Dashboard to test _time</label>
  <row>
    <panel>
      <title>Search for testing _time</title>
      <table>
        <search>
          <query>`my_index` sourcetype=my_source 
| head 10
| eval epoch_time_search_eval=_time
| eval "Field to click" = "Field to click"
| table _time, epoch_time_search_eval, "Field to click"</query>
          <earliest>-4h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="Field to click">
            <eval token="row_time_epoch">$row._time$</eval>
            <link target="_blank">
              <![CDATA[other_dashboard?form.time_selector.earliest=$row_time_epoch$&form.time_selector.latest=$row_time_epoch$]]>
            </link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Note that in this case the results table from the search shows the time in epoch for values of epoch_time_search_eval. However, when I click on the "Field to click", the redirect URL has this in the path:

https://splunk-server.com/en-US/app/my_app/other_dashboard?form.time_selector.earliest=2018-05-04T09...

Also, in case it is relevant we are using Splunk Enterprise 7.0.3.


Re: How do you convert _time of a row to epoch in a dashboard token?

Is there any chance that the search populating that dashboard panel is changing the content/format of the _time field? I'm suspicious about it when you say "This doesn't convert _time to epoch though like I would expect." If you haven't done any calculations or evals on the _time field, it will already be in epoch and won't need converting.


Re: How do you convert _time of a row to epoch in a dashboard token?

Super Champion

Could you possibly give your entire source code so we could see what is populating the time from the panel and what format it might be in, as well as possibly recreate a similar dashboard for testing this out?


Re: How do you convert _time of a row to epoch in a dashboard token?

Explorer

I added dashboard source code for testing.


Re: How do you convert _time of a row to epoch in a dashboard token?

Explorer

The only statement in my original search related to time was a convert, but it was writing output to a new field, so it didn't look like it should affect _time (| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time) AS timestamp).

I went ahead and simplified the dashboard for testing purposes and am still getting the same behavior. I attached the dashboard source above for reference.


Re: How do you convert _time of a row to epoch in a dashboard token?

Super Champion

So two options, I think.

You could use $row.epoch_time_search_eval$ in your drilldown, if that is a field in your end result:

<drilldown>
   <condition field="Field to click">
      <eval token="row_time_epoch">$row.epoch_time_search_eval$</eval>
      <link target="_blank">
         <![CDATA[other_dashboard?form.time_selector.earliest=$row_time_epoch$&form.time_selector.latest=$row_time_epoch$]]>
      </link>
   </condition>
</drilldown>

Or you could do an eval in your drilldown to convert _time:

<drilldown>
   <condition field="Field to click">
      <eval token="row_time_epoch">strptime($row._time$,"%F %T.%3N")</eval>
      <link target="_blank">
         <![CDATA[other_dashboard?form.time_selector.earliest=$row_time_epoch$&form.time_selector.latest=$row_time_epoch$]]>
      </link>
   </condition>
</drilldown>

I think the main problem here is that _time is stored in epoch, but the dashboard is displaying it in human-readable, so while this might not be expected behavior, it's hard to know if it is a bug or not. Testing this out on 6.6.3, both options seem to work and epoch time is passed through in the link.

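Putting the second option together with the -5m/+5m window asked for in the question, as an added example that is not from the original thread: it assumes drilldown evals can call strptime and relative_time (both already used above) and that the format string matches how this table renders _time (adjust it if your rendering differs, for instance an ISO-8601 value with a "T" separator).

```xml
<drilldown>
   <condition field="Field to click">
      <!-- $row._time$ arrives as the rendered string, not the epoch; passing it straight to
           relative_time is what produced the NaN values in the question. Parse it first.
           The "%F %T.%3N" format is an assumption and must match the table's _time rendering. -->
      <eval token="search_earliest">relative_time(strptime($row._time$, "%F %T.%3N"), "-5m@m")</eval>
      <eval token="search_latest">relative_time(strptime($row._time$, "%F %T.%3N"), "+5m@m")</eval>
      <!-- If a numeric column is acceptable, the same two lines work with
           $row.epoch_time_search_eval$ in place of strptime(...) and need no format string. -->
      <link target="_blank">
         <![CDATA[other_dashboard?form.time_selector.earliest=$search_earliest$&form.time_selector.latest=$search_latest$]]>
      </link>
   </condition>
</drilldown>
```

A quick check is to open the generated link and confirm both query parameters are integer epoch values rather than NaN or a formatted date.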

Re: How do you convert _time of a row to epoch in a dashboard token?

Explorer

Thanks, cmerriman. I was trying to do this without adding a new field and without using strptime but I might have to end up using one of those.

Also, for clarification when you wrote that both options work in 6.6.3, did you mean that the two options you laid out work?


Re: How do you convert _time of a row to epoch in a dashboard token?

Super Champion

Yes, both of the options I wrote above worked in 6.6.3, but your original token with just $row._time$ gave me the same result you saw.
