- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to pass dates from table drilldown into ea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to pass dates from table drilldown into earliest in new dashboard?
In dashboard A, I have a table, and the drilldown passes 2 variables like this :`
<drilldown target="blank">
<link>came_log_viewer_drilldown?form.inhost=$row.host$&form.intime=$row._time$</link>
</drilldown>
In the receiving dashboard (came_log_viewer_drilldown) the query for the resulting table looks like this :
<query>index=camlog host=$form.inhost$ log_level=* | table log_timestamp host log_level log_thread log_msg | sort log_timestamp</query>
<earliest>$form.intime$</earliest>
This works fine with both tokens getting passed over correctly. HOWEVER, I need to subtract 60 seconds from the earliest time on the 2nd dashboard table. I think that I want to run an eval which says something like $form.intime$-60s. I don't see a way of running an eval unless I put the earliest inside the body of the query - when I do that it fails, and I cannot find any way to make it work.
Thanks for any advice!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ipicbc please try adding the following in your drilldown to populate adjusted
Option 1 - Use eval option to calculate clicked time -30 seconds.
<drilldown target="blank">
<eval token="adjustedEarliestTime">relative_time($click.value$,"30s")</eval>
<link>came_log_viewer_drilldown?form.inhost=$row.host$&form.intime=$adjustedEarliestTime$</link>
</drilldown>
Refer to Splunk Documentation for tokens available in Dynamic Drilldown, which mentions that _time if present will be $click.value$ : http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefined_tokens_for_dynamic_drilldow...
Option 2
Calculate AdjustedEarliestTime in your Splunk search
| eval AdjustedEarliestTime=relative_time(_time,"-30s")
Using fields option for table display only the required fields and make AdjustedEarliestTime as hidden.
<fields>_time, YourField1, YourField2</fields>
When you perform drilldown you can search for $row.AdjustedEarliestTime$ to pass on the value to external link.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First have you tried this in your target form?
<earliest>$form.intime$-60s</earliest>
I believe the above may work and solve the problem. But if it doesn't work, I would try using this in the target form:
<form>
<label>Example</label>
<init>
<eval token="newTime">relative_time($intime$,-60s)</set>
</init>
Then, in the later in the dashboard, use $newTime$ instead of $form.intime$
Harnessing Splunk’s Federated Search for Amazon S3
Infographic provides the TL;DR for the 2024 Splunk Career Impact Report
Enterprise Security Content Update (ESCU) | New Releases
