How to pass dates from table drilldown into earliest in new dashboard?

ipicbc
Explorer

In dashboard A, I have a table, and the drilldown passes 2 variables like this:

<drilldown target="blank">
<link>came_log_viewer_drilldown?form.inhost=$row.host$&amp;form.intime=$row._time$</link>
</drilldown>

In the receiving dashboard (came_log_viewer_drilldown) the query for the resulting table looks like this :

<query>index=camlog host=$form.inhost$ log_level=* | table log_timestamp host log_level log_thread log_msg | sort log_timestamp</query>
<earliest>$form.intime$</earliest>

This works fine with both tokens getting passed over correctly. HOWEVER, I need to subtract 60 seconds from the earliest time on the 2nd dashboard table. I think that I want to run an eval which says something like $form.intime$-60s. I don't see a way of running an eval unless I put the earliest inside the body of the query - when I do that it fails, and I cannot find any way to make it work.

Thanks for any advice!

0 Karma

niketn
Legend

@ipicbc please try adding the following in your drilldown to populate adjusted
Option 1 - Use eval option to calculate clicked time -30 seconds.

<drilldown target="blank">
   <eval token="adjustedEarliestTime">relative_time($click.value$,"-30s")</eval>
   <link>came_log_viewer_drilldown?form.inhost=$row.host$&amp;form.intime=$adjustedEarliestTime$</link>
</drilldown>

Refer to Splunk Documentation for tokens available in Dynamic Drilldown, which mentions that _time if present will be $click.value$ : http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_dynamic_drilldow...

Option 2
Calculate AdjustedEarliestTime in your Splunk search

| eval AdjustedEarliestTime=relative_time(_time,"-30s")

Using the fields option for the table, display only the required fields and keep AdjustedEarliestTime hidden.

<fields>_time, YourField1, YourField2</fields>

When you perform drilldown you can search for $row.AdjustedEarliestTime$ to pass on the value to external link.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

lguinn2
Legend

First, have you tried this in your target form?

 <earliest>$form.intime$-60s</earliest>

I believe the above may work and solve the problem. But if it doesn't work, I would try using this in the target form:

<form>
  <label>Example</label>
  <init>
    <eval token="newTime">relative_time($intime$,"-60s")</eval>
  </init>

Then, later in the dashboard, use $newTime$ instead of $form.intime$.

0 Karma