Dashboards & Visualizations

Set time picker when clicking timechart

Path Finder

Hello - 

I'm working with a dashboard with a time picker with the token value of $time$.  This time is currently set to the value of another field using:

| eval _time = _mytime

I have a timechart in a dashboard with the following values:

Results in :  

| timechart count limit=24 useother=f usenull=f


When I click on a bar in the time chart, for example, the bar for 2021-10-27, I would like my time picker to change to that date, and redraw the dashboard for all the events for that day.

I tried setting

    <set token="time_earliest">$earliest$</set>
    <set token="time_latest">$latest$</set>

I have also tried

<drilldown> <set token="fomr.time_earliest">$earliest$</set> <set token="form.time_latest">$latest$</set> </drilldown>
Any suggestions?

Labels (3)
Tags (1)
0 Karma


Try something like this

    <eval token="form.time.earliest">$click.value$</eval>
    <eval token="form.time.latest">$click.value$+24*60*60</eval>
0 Karma

Path Finder


The snippet you provided does change the time picker to the date notated on the bar.  However, when the dashboard redraws I am returned with no results.  When I expand the time pickers date range it shows the date from the bar I clicked on.

One thing I noticed is that it is now listing epoch time in the address bar:


When the dashboard first loads it lists a ralative time in the address bar:



0 Karma


As to why your search is no longer returning results despite the timepicker being adjusted to the correct value is difficult for me to determine since you haven't provided any details on what you are doing in your dashboard.

As to why epoch values are being used, that's because I don't know how you would convert the epoch date you have in your table to the corresponding string, unless you adopt some arbitrary rules about the conversion e.g. always assume that the value is a date and calculate the number of days between now and the date to create the corresponding  -xd@d  strings.  

0 Karma

Path Finder


Below is my base search for this panel:

index="myindex" sourcetype="mysourcetype" host=myhost1 OR host=myhost2 mytoken1 IN ($mytoken1$) mytoken2 IN ($mytoken2$)
| eval LastScanDateUTC = strptime(LastScanDateUTC, "%Y-%m-%d %H:%M:%S") 
| eval _time = LastScanDateUTC 
| eval LastScanNowUTC=if(isNull(LastScanNowUTC),"-",LastScanNowUTC) 
| eval LastManualScanUTC=if(isNull(LastManualScanUTC),"-",LastManualScanUTC) 
| eval LastScheduleScanUTC=if(isNull(LastScheduleScanUTC),"-",LastScheduleScanUTC) 
| eval LastScanDateUTC=if(isNull(LastScanDateUTC),"-",LastScanDateUTC) 
| eval scans_older_than = round((now()-LastScanDateUTC)/86400)
| eval scan_type = if(LastScheduleScanUTC == "-", "manual_scan", "scheduled_scan")
| search
  scan_type IN ($scan_type$)
  shost IN ($shost$)
| table _time shost scans_older_than scan_age scan_type LastScheduleScanUTC LastScanNowUTC LastManualScanUTC LastScanDateUTC 
|  timechart count limit=24 useother=f usenull=f


I would like to change the results of the dashboard when I click a bar in the timechart without changing the timepicker.  In otherwords, display the results for that specific day within the original time period as specified in the time picker.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!