- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to modify the timerange token in drilldown...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have this timechart. I want to drill down to another search with a timerange starting 10 minutes before the moment in the timechart (which I can pass to the drilldown search as token using "$click.value$) and ending 5 minutes later.
I tried to calculate the time in the search string of the drilldown as "earliest=timestamp-600, that does not work.
Here is the table for the timechart. When clicking on the first element I want the drilldown from 14:20 until 14:35
2016-12-21 14:30:00 493.293571 800 567
2016-12-21 14:45:00 472.051973 800 560
2016-12-21 15:00:00 512.801327 800 552
2016-12-21 15:15:00 430.072523 800 537
2016-12-21 15:30:00 380.293680 800 523
2016-12-21 15:45:00 304.686207 800 510
2016-12-21 16:00:00 260.215492 800 492
2016-12-21 16:15:00 239.603977 800 468
The drilldown in the chart:
<drilldown target="blank">
<link>workload_drilldown?timestamp=$click.value$</link>
</drilldown>
Timestamp is passed to the drilldown:
workload_drilldown?timestamp=1482412500.000
In the target I can use the token like this:
latest=$timestamp$
What I would like is something like this
earliest=$timestamp$-600 latest=$timestamp$+300
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if something like this works
<drilldown target="blank">
<eval token="e">$click.value$-600</eval>
<eval token="l">$click.value$-300</eval>
<link>workload_drilldown?earliest=$e$&latest=$l$</link>
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would need to use eval tags for your calculations using relative_time SPL function.
Either on current dashboard or your link workload_drilldown you would need to have time tokens earliest and latest (these are default fields if you have not created your own explicit time token). I have created a sample for for one of the scenarios so that you can use the eval tokens as per your needs.
<drilldown>
<eval token="EarliestTime">relative_time($click.value$,"-10m")</eval>
<eval token="LatestTime">relative_time($click.value$,"+5m")</eval>
<link>
workload_drilldown?earliest=$EarliestTime$&latest=$LatestTime$
</link>
</drilldown>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both answers are basically the same. The good news: it works! Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if something like this works
<drilldown target="blank">
<eval token="e">$click.value$-600</eval>
<eval token="l">$click.value$-300</eval>
<link>workload_drilldown?earliest=$e$&latest=$l$</link>
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Had to use CDATA around the link to get the XML right but it works fine. Thanx!
Get Schooled with Splunk Education: Explore Our Latest Courses
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
Buttercup Games: Further Dashboarding Techniques (Part 5)
