Dashboards & Visualizations

Set Time Picker earliest and latest values based on tokens from parent dashboard

shayhibah
Path Finder

(Edited)

I want to send on drilldown 2 tokens (representing time stamps) and use them as earliest and latest of the time picker in the child drilldown.

on my parent side I did the following:

<eval token="timeFrom">case(isnum("$mitre_attack_time_picker.earliest$"), "$mitre_attack_time_picker.earliest$", "$mitre_attack_time_picker.earliest$"="now", now(), 1=1, relative_time(now(), "$mitre_attack_time_picker.earliest$"))</eval>
<eval token="timeTo">case(isnum("$mitre_attack_time_picker.latest$"), "$mitre_attack_time_picker.latest$", "$mitre_attack_time_picker.latest$"="now", now(), 1=1, relative_time(now(), "$mitre_attack_time_picker.latest$"))</eval>

When drilling down I used:

<![CDATA[/app/my_app/my_child_dash&time_from=$timeFrom$&time_to=$timeTo$]]>

On the child URL I see:

time_from=%24timeFrom%24&time_to=%24timeTo%24

and my panels show: Invalid earliest_time.

It seems the eval not working for some reason although when I copy it to search it works - What can be wrong?

Workaound I found is to use job earliest and latest

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@shayhibah

Have you tried CDATA ?
Eg:

<link>
<![CDATA[
[relative path]/[dashboard or form id]?form.[target_token_name]=[$source_value$]&earliest=$earliest$&latest=$latest$ 
]]>
</link>

Refer below link:

https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/DrilldownLinkToDashboard#Specify_a_drilldown_...

0 Karma

shayhibah
Path Finder

hi @kamlesh_vaghela

I think the issue is with epoch time.
earliest and latest sould be epoch so I need to convert it first to epoch and then add it to the URL.
The problem is there are different options to time picker ("now", X@X, 123456132) so I need to support them all.

0 Karma

shayhibah
Path Finder

I used:

case(isnum("$mitre_attack_time_picker.earliest$"), "$mitre_attack_time_picker.earliest$", "$mitre_attack_time_picker.earliest$"="now", now(), 1=1, relative_time(now(), "$mitre_attack_time_picker.earliest$"))

but for some reason, I can see after drilldown in URL: $timeFrom$ instead the results of the eval

0 Karma

shayhibah
Path Finder

I edited the question

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@shayhibah
Can you please try this ?

<eval token="timeFrom">if(isnum('earliest'),'earliest',relative_time(now(),'earliest')</eval>
<eval token="timeTo">if(isnum('latest'),'latest',relative_time(now(),'latest')</eval>

         OR

<eval token="timeFrom">if(isnum('mitre_attack_time_picker.earliest'),'mitre_attack_time_picker.earliest',relative_time(now(),'mitre_attack_time_picker.earliest')</eval>
<eval token="timeTo">if(isnum('mitre_attack_time_picker.latest'),'mitre_attack_time_picker.latest',relative_time(now(),'mitre_attack_time_picker.latest')</eval>
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...