- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to append H:M:S of '0:0:0' to end of date in d...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a main dashboard which passes the date of the row which is clicked to a drilldown. The drilldown is supposed to display results for the date specified by the main dashboard.
From the main dashboard I am passing the Date in the format "%m/%d/%Y" (Eg. 04/25/2018) to the drilldown as follows,
In the drilldown I am trying to use this date as the earliest time as follows,
.............
<search>
<query>sourcetype=*** index=abc earliest=$row_time$ searchtimespandays=1|
.....
</query>
</search>
But the above drilldown complains that the date specified is invalid for 'earliest'.
When I hardcode the value of earliest to "earliest=04/25/2018:0:0:0", the drilldown works fine.
So I think I need to form a time with the format "%m/%d/%Y:%H:%M:%S" before assigning it to 'earliest'.
So could you please help me out on how to append "0:0:0' to the date that is passed to the drilldown. Expecting the following,
earliest = '$row_time$' + '0:0:0'
Thanks in advance,
Swaroop
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
<query>sourcetype=*** index=abc earliest="$row_time$:00:00:00" searchtimespandays=1|..rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using $row._time$ instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for the quick response.. Appreciate it !!
I forgot to add that I wanted my search to run specifically from 12AM, as I wanted to display the drilldown data for one complete day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For best results, you need to pass that value in epoch time, not in human format.
That can be done fairly simply by returning the epoch value in a hidden column and using that as the drill down value instead.
See the second answer in this post - https://answers.splunk.com/answers/26825/drilldown-from-a-hidden-column.html for the way to do that, with a method available since Splunk 6.0+.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for the pointer. I am quiet not sure on the version of splunk that I am using, as it is a customized enterprise version.
The knowledge would sure help going forward.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
<query>sourcetype=*** index=abc earliest="$row_time$:00:00:00" searchtimespandays=1|..rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much.. This worked for me!!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
