How to modify the timerange token in drilldown?

Hoekb03
Explorer

Hi,

I have this timechart. I want to drill down to another search with a time range starting 10 minutes before the moment in the timechart (which I can pass to the drilldown search as a token using "$click.value$") and ending 5 minutes later.

I tried to calculate the time in the search string of the drilldown as "earliest=timestamp-600", but that does not work.

Here is the table for the timechart. When clicking on the first element I want the drilldown from 14:20 until 14:35.

2016-12-21 14:30:00     493.293571  800     567
2016-12-21 14:45:00     472.051973  800     560
2016-12-21 15:00:00     512.801327  800     552
2016-12-21 15:15:00     430.072523  800     537
2016-12-21 15:30:00     380.293680  800     523
2016-12-21 15:45:00     304.686207  800     510
2016-12-21 16:00:00     260.215492  800     492
2016-12-21 16:15:00     239.603977  800     468

The drilldown in the chart:

<drilldown target="blank">
        <link>workload_drilldown?timestamp=$click.value$</link>
</drilldown>      

Timestamp is passed to the drilldown:

workload_drilldown?timestamp=1482412500.000

In the target I can use the token like this:

latest=$timestamp$

What I would like is something like this:

earliest=$timestamp$-600 latest=$timestamp$+300

Any ideas?

0 Karma
1 Solution

sundareshr
Legend

See if something like this works

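<drilldown target="blank">
  <!-- window start: 10 minutes (600 s) before the clicked timestamp -->
  <eval token="e">$click.value$-600</eval>
  <!-- window end: 5 minutes (300 s) after the clicked timestamp -->
  <eval token="l">$click.value$+300</eval>
  <!-- CDATA keeps the raw & from breaking the XML -->
  <link><![CDATA[workload_drilldown?earliest=$e$&latest=$l$]]></link>
</drilldown>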

niketn
Legend

You would need to use eval tags for your calculations using the relative_time SPL function.

Either on the current dashboard or your link workload_drilldown, you would need to have time tokens earliest and latest (these are default fields if you have not created your own explicit time token). I have created a sample for one of the scenarios so that you can use the eval tokens as per your needs.

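    <drilldown>
      <!-- relative_time() shifts the clicked epoch time by a relative offset -->
      <eval token="EarliestTime">relative_time($click.value$,"-10m")</eval>
      <eval token="LatestTime">relative_time($click.value$,"+5m")</eval>
      <!-- CDATA keeps the raw & from breaking the XML -->
      <link>
        <![CDATA[workload_drilldown?earliest=$EarliestTime$&latest=$LatestTime$]]>
      </link>
    </drilldown>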
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Hoekb03
Explorer

Both answers are basically the same. The good news: it works! Thanks!

0 Karma

Hoekb03
Explorer

Had to use CDATA around the link to get the XML right but it works fine. Thanx!

0 Karma
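
The drilldown from the answers and the CDATA fix from the last reply, put together as an added example that is not from any of the posts: a source chart that passes a window from 10 minutes before to 5 minutes after the clicked point, and a target dashboard that applies the `earliest` and `latest` URL parameters to its own search. The index, sourcetype, field name and labels are assumptions, and the two dashboards are separate files shown in one block.

```xml
<!-- Source dashboard (added example). index, sourcetype and response_time are assumed names. -->
<dashboard>
  <label>Workload overview</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=main sourcetype=workload | timechart span=15m avg(response_time)</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <drilldown>
          <!-- $click.value$ is the clicked bucket's epoch time, e.g. 1482412500.000 -->
          <eval token="e">$click.value$ - 600</eval>
          <eval token="l">$click.value$ + 300</eval>
          <!-- CDATA lets the raw & stay in the URL without breaking the XML -->
          <link target="_blank"><![CDATA[workload_drilldown?earliest=$e$&latest=$l$]]></link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

<!-- Target dashboard, saved as workload_drilldown (added example). -->
<!-- The URL parameters earliest and latest arrive as the tokens $earliest$ and $latest$. -->
<dashboard>
  <label>Workload drilldown</label>
  <row>
    <panel>
      <event>
        <search>
          <query>index=main sourcetype=workload</query>
          <!-- Epoch values are accepted here, so the search covers exactly the passed window -->
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
      </event>
    </panel>
  </row>
</dashboard>
```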