How to pass dates from table drilldown into earliest in new dashboard?


In dashboard A, I have a table, and the drilldown passes 2 variables like this :`

<drilldown target="blank">

In the receiving dashboard (camelogviewer_drilldown) the query for the resulting table looks like this :

<query>index=camlog host=$form.inhost$ log_level=* | table log_timestamp host log_level log_thread log_msg | sort log_timestamp</query>

This works fine with both tokens getting passed over correctly. HOWEVER, I need to subtract 60 seconds from the earliest time on the 2nd dashboard table. I think that I want to run an eval which says something like $form.intime$-60s. I don't see a way of running an eval unless I put the earliest inside the body of the query - when I do that it fails, and I cannot find any way to make it work.

Thanks for any advice!

@ipicbc please try adding the following in your drilldown to populate adjusted
Option 1 - Use eval option to calculate clicked time -30 seconds.

<drilldown target="blank">
   <eval token="adjustedEarliestTime">relative_time($click.value$,"30s")</eval>

Refer to Splunk Documentation for tokens available in Dynamic Drilldown, which mentions that time if present will be $click.value$ : http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Predefinedtokensfordynamic_drilldown

Option 2
Calculate AdjustedEarliestTime in your Splunk search

| eval AdjustedEarliestTime=relativetime(time,"-30s")

Using fields option for table display only the required fields and make AdjustedEarliestTime as hidden.

<fields>_time, YourField1, YourField2</fields>

When you perform drilldown you can search for $row.AdjustedEarliestTime$ to pass on the value to external link.

First have you tried this in your target form?


I believe the above may work and solve the problem. But if it doesn't work, I would try using this in the target form:

    <eval token="newTime">relative_time($intime$,-60s)</set>

Then, in the later in the dashboard, use $newTime$ instead of $form.intime$

