Hello -
I'm working with a dashboard with a time picker with the token value of $time$. This time is currently set to the value of another field using:
| eval _time = _mytime
I have a timechart in a dashboard with the following values:
| timechart count limit=24 useother=f usenull=f
Results in:
2021-10-26 | 1 |
2021-10-27 | 417 |
2021-10-28 | 36 |
2021-10-29 | 15 |
2021-10-30 | 21 |
2021-10-31 | 3 |
2021-11-01 | 10 |
2021-11-02 | 3 |
2021-11-03 | 1 |
When I click on a bar in the time chart, for example, the bar for 2021-10-27, I would like my time picker to change to that date, and redraw the dashboard for all the events for that day.
I tried setting
<drilldown> <set token="time_earliest">$earliest$</set> <set token="time_latest">$latest$</set> </drilldown>
I have also tried
<drilldown> <set token="fomr.time_earliest">$earliest$</set> <set token="form.time_latest">$latest$</set> </drilldown>
Any suggestions?
Try something like this
<drilldown>
<eval token="form.time.earliest">$click.value$</eval>
<eval token="form.time.latest">$click.value$+24*60*60</eval>
</drilldown>
@ITWhisperer
The snippet you provided does change the time picker to the date notated on the bar. However, when the dashboard redraws I am returned with no results. When I expand the time picker's date range it shows the date from the bar I clicked on.
One thing I noticed is that it is now listing epoch time in the address bar:
form.time.earliest=1635393600.000&form.time.latest=1635480000
When the dashboard first loads it lists a relative time in the address bar:
form.time.earliest=-7d%40h&form.time.latest=now
Why your search is no longer returning results, despite the timepicker being adjusted to the correct value, is difficult for me to determine, since you haven't provided any details on what you are doing in your dashboard.
As to why epoch values are being used, that's because I don't know how you would convert the epoch date you have in your table to the corresponding string, unless you adopt some arbitrary rules about the conversion e.g. always assume that the value is a date and calculate the number of days between now and the date to create the corresponding -xd@d strings.
@ITWhisperer
Below is my base search for this panel:
index="myindex" sourcetype="mysourcetype" host=myhost1 OR host=myhost2 mytoken1 IN ($mytoken1$) mytoken2 IN ($mytoken2$)
| eval LastScanDateUTC = strptime(LastScanDateUTC, "%Y-%m-%d %H:%M:%S")
| eval _time = LastScanDateUTC
| eval LastScanNowUTC=if(isNull(LastScanNowUTC),"-",LastScanNowUTC)
| eval LastManualScanUTC=if(isNull(LastManualScanUTC),"-",LastManualScanUTC)
| eval LastScheduleScanUTC=if(isNull(LastScheduleScanUTC),"-",LastScheduleScanUTC)
| eval LastScanDateUTC=if(isNull(LastScanDateUTC),"-",LastScanDateUTC)
| eval scans_older_than = round((now()-LastScanDateUTC)/86400)
| eval scan_type = if(LastScheduleScanUTC == "-", "manual_scan", "scheduled_scan")
| search
scan_type IN ($scan_type$)
shost IN ($shost$)
| table _time shost scans_older_than scan_age scan_type LastScheduleScanUTC LastScanNowUTC LastManualScanUTC LastScanDateUTC
| timechart count limit=24 useother=f usenull=f
I would like to change the results of the dashboard when I click a bar in the timechart without changing the timepicker. In other words, display the results for that specific day within the original time period as specified in the time picker.