Dashboards & Visualizations

Set Time Picker earliest and latest values based on tokens from parent dashboard

Path Finder

(Edited)

I want to send on drilldown 2 tokens (representing time stamps) and use them as earliest and latest of the time picker in the child drilldown.

on my parent side I did the following:

<eval token="timeFrom">case(isnum("$mitre_attack_time_picker.earliest$"), "$mitre_attack_time_picker.earliest$", "$mitre_attack_time_picker.earliest$"="now", now(), 1=1, relative_time(now(), "$mitre_attack_time_picker.earliest$"))</eval>
<eval token="timeTo">case(isnum("$mitre_attack_time_picker.latest$"), "$mitre_attack_time_picker.latest$", "$mitre_attack_time_picker.latest$"="now", now(), 1=1, relative_time(now(), "$mitre_attack_time_picker.latest$"))</eval>

When drilling down I used:

<![CDATA[/app/my_app/my_child_dash&time_from=$timeFrom$&time_to=$timeTo$]]>

On the child URL I see:

time_from=%24timeFrom%24&time_to=%24timeTo%24

and my panels show: Invalid earliest_time.

It seems the eval not working for some reason although when I copy it to search it works - What can be wrong?

Workaound I found is to use job earliest and latest

0 Karma

SplunkTrust
SplunkTrust

@shayhibah

Have you tried CDATA ?
Eg:

<link>
<![CDATA[
[relative path]/[dashboard or form id]?form.[target_token_name]=[$source_value$]&earliest=$earliest$&latest=$latest$ 
]]>
</link>

Refer below link:

https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/DrilldownLinkToDashboard#Specify_a_drilldown_...

0 Karma

Path Finder

hi @kamlesh_vaghela

I think the issue is with epoch time.
earliest and latest sould be epoch so I need to convert it first to epoch and then add it to the URL.
The problem is there are different options to time picker ("now", X@X, 123456132) so I need to support them all.

0 Karma

Path Finder

I used:

case(isnum("$mitre_attack_time_picker.earliest$"), "$mitre_attack_time_picker.earliest$", "$mitre_attack_time_picker.earliest$"="now", now(), 1=1, relative_time(now(), "$mitre_attack_time_picker.earliest$"))

but for some reason, I can see after drilldown in URL: $timeFrom$ instead the results of the eval

0 Karma

Path Finder

I edited the question

0 Karma

SplunkTrust
SplunkTrust

@shayhibah
Can you please try this ?

<eval token="timeFrom">if(isnum('earliest'),'earliest',relative_time(now(),'earliest')</eval>
<eval token="timeTo">if(isnum('latest'),'latest',relative_time(now(),'latest')</eval>

         OR

<eval token="timeFrom">if(isnum('mitre_attack_time_picker.earliest'),'mitre_attack_time_picker.earliest',relative_time(now(),'mitre_attack_time_picker.earliest')</eval>
<eval token="timeTo">if(isnum('mitre_attack_time_picker.latest'),'mitre_attack_time_picker.latest',relative_time(now(),'mitre_attack_time_picker.latest')</eval>
0 Karma