Dashboards & Visualizations

Set time picker when clicking timechart

jason_hotchkiss
Communicator

Hello - 

I'm working with a dashboard with a time picker with the token value of $time$.  This time is currently set to the value of another field using:

| eval _time = _mytime

I have a timechart in a dashboard with the following values:

Results in :  

| timechart count limit=24 useother=f usenull=f

2021-10-261
2021-10-27417
2021-10-2836
2021-10-2915
2021-10-3021
2021-10-313
2021-11-0110
2021-11-023
2021-11-031


When I click on a bar in the time chart, for example, the bar for 2021-10-27, I would like my time picker to change to that date, and redraw the dashboard for all the events for that day.

I tried setting

  <drilldown>
    <set token="time_earliest">$earliest$</set>
    <set token="time_latest">$latest$</set>
  </drilldown>



I have also tried

<drilldown> <set token="fomr.time_earliest">$earliest$</set> <set token="form.time_latest">$latest$</set> </drilldown>
Any suggestions?

Labels (3)
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

  <drilldown>
    <eval token="form.time.earliest">$click.value$</eval>
    <eval token="form.time.latest">$click.value$+24*60*60</eval>
  </drilldown>
0 Karma

jason_hotchkiss
Communicator


 @ITWhisperer 

The snippet you provided does change the time picker to the date notated on the bar.  However, when the dashboard redraws I am returned with no results.  When I expand the time pickers date range it shows the date from the bar I clicked on.
A.PNG

One thing I noticed is that it is now listing epoch time in the address bar:

form.time.earliest=1635393600.000&form.time.latest=1635480000

When the dashboard first loads it lists a ralative time in the address bar:

form.time.earliest=-7d%40h&form.time.latest=now

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

As to why your search is no longer returning results despite the timepicker being adjusted to the correct value is difficult for me to determine since you haven't provided any details on what you are doing in your dashboard.

As to why epoch values are being used, that's because I don't know how you would convert the epoch date you have in your table to the corresponding string, unless you adopt some arbitrary rules about the conversion e.g. always assume that the value is a date and calculate the number of days between now and the date to create the corresponding  -xd@d  strings.  

0 Karma

jason_hotchkiss
Communicator

@ITWhisperer 

Below is my base search for this panel:

index="myindex" sourcetype="mysourcetype" host=myhost1 OR host=myhost2 mytoken1 IN ($mytoken1$) mytoken2 IN ($mytoken2$)
| eval LastScanDateUTC = strptime(LastScanDateUTC, "%Y-%m-%d %H:%M:%S") 
| eval _time = LastScanDateUTC 
| eval LastScanNowUTC=if(isNull(LastScanNowUTC),"-",LastScanNowUTC) 
| eval LastManualScanUTC=if(isNull(LastManualScanUTC),"-",LastManualScanUTC) 
| eval LastScheduleScanUTC=if(isNull(LastScheduleScanUTC),"-",LastScheduleScanUTC) 
| eval LastScanDateUTC=if(isNull(LastScanDateUTC),"-",LastScanDateUTC) 
| eval scans_older_than = round((now()-LastScanDateUTC)/86400)
| eval scan_type = if(LastScheduleScanUTC == "-", "manual_scan", "scheduled_scan")
| search
  scan_type IN ($scan_type$)
  shost IN ($shost$)
| table _time shost scans_older_than scan_age scan_type LastScheduleScanUTC LastScanNowUTC LastManualScanUTC LastScanDateUTC 
|  timechart count limit=24 useother=f usenull=f

 

I would like to change the results of the dashboard when I click a bar in the timechart without changing the timepicker.  In otherwords, display the results for that specific day within the original time period as specified in the time picker.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...