Dashboards & Visualizations

Single Value Drilldown into Table with Timespan

markschoonover
Explorer

I've been able to drilldown into a table from a single value. My final challenge is to include the current time span into the link. I've tried adding earliest/latest xml elements in the single value drilldown link element but that didn't work. I've tried to embed $form1.earliest$ & $form1.latest$ in the link, used cdata instead of URL decoding the search string without success. I've used the dashboards example app too. Any ideas on what I'm missing?

Added the XML for this single value:

    <single>
      <search>
        <query>index=_internal</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="colorBy">value</option>
      <option name="colorMode">block</option>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
      <option name="rangeValues">[5]</option>
      <option name="showSparkline">1</option>
      <option name="showTrendIndicator">1</option>
      <option name="trendColorInterpretation">standard</option>
      <option name="trendDisplayMode">absolute</option>
      <option name="underLabel">Generator Queue</option>
      <option name="unitPosition">after</option>
      <option name="useColors">1</option>
      <option name="useThousandSeparators">1</option>
      <drilldown>
        <link>?q=/app/search/search/index=_internal earliest=?? latest=??</link>
      </drilldown>
      <option name="linkView">search</option>
    </single>

How can I add the time span in ?q=/app/search/search/index=_internal earliest=?? latest=???

Mark

0 Karma

niketn
Legend

Following is the example I described earlier.

    <single>
      <search>
        <query>index=_internal</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="drilldown">all</option>
      <drilldown>
        <set token="myEarliestTime">$earliest$</set>
        <set token="myLatestTime">$latest$</set>
      </drilldown>
    </single>

Since you plan to use the earliest and latest tokens in a link, you will not require the above example.

However, I would suggest using a CDATA section so that you don't have to escape the encoded URL. You can test the same by creating a new dashboard and calling it using the following path for your Splunk app name. Earliest time and latest time can be passed as query strings (see example below). I recommend that you check out the various drilldown examples provided in the Splunk 6.x Dashboard Examples app.

      <drilldown>
          <link>
                  <![CDATA[
                    /app/<YourSplunkApp>/<YourNewDashboardorRedirection>?earliest=$earliest$&latest=$latest$
                  ]]>
          </link>
      </drilldown> 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

You can add a Time control to the form and use its earliest and latest properties across the visualizations in your form.

For example, if the added Time control is globalTime, you will have $globalTime.earliest$ and $globalTime.latest$ available in the form.

Additionally, the earliest and latest timestamps are available as single value tokens, which can be coded under a <drilldown><condition> block.

Please refer to the link for Single value tokens: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#single_.28even...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

markschoonover
Explorer

Thanks niketnilay. I'm trying to pass the time span from a single value visualization to the drilldown link so that when users click on the value, the URL associated with it starts another search.

0 Karma

sundareshr
Legend

Have you tried using search events to capture earliest/latest? From your question, it appears you want to pass earliest/latest for the search used in the single-value panel, right? Try this (can be used for any search block)

    <panel>
        <single>
            <search>
                <query>...</query>
                <done>
                    <!-- job properties are referenced as tokens, wrapped in $...$ -->
                    <set token="e">$job.earliestTime$</set>
                </done>
            </search>
            ...
        </single>
    </panel>

http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/tokens#Search_event_elements_and_job_propertie...

0 Karma

markschoonover
Explorer

Thanks sundareshr! I've updated with the XML - hopefully that'll help. I would like the drilldown URL to execute a separate search displaying a table. How can I get the token into the link element?

0 Karma
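
One way to carry the time range into the drilldown link, as an added example that is not from any poster in this thread: the time input's `$field1.earliest$` and `$field1.latest$` tokens are placed in the URL's query string, each passed through the `|u` token filter so the value is URL-encoded before it lands in the link. The form layout, default time range and the target table search (`stats count by sourcetype`) are assumptions made for illustration.

```xml
<!-- Added example (constructed): a time input named field1 drives the single
     value search, and the same tokens are carried into the drilldown URL. -->
<form>
  <label>Single value drilldown with time range</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_internal | stats count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <!-- "all" makes the value clickable; the panel in the question had "none" -->
        <option name="drilldown">all</option>
        <option name="underLabel">Generator Queue</option>
        <drilldown>
          <!-- q is percent-encoded by hand and decodes to:
               search index=_internal | stats count by sourcetype
               The |u filter URL-encodes each token value at click time. -->
          <link target="_blank">
            <![CDATA[/app/search/search?q=search%20index%3D_internal%20%7C%20stats%20count%20by%20sourcetype&earliest=$field1.earliest|u$&latest=$field1.latest|u$]]>
          </link>
        </drilldown>
      </single>
    </panel>
  </row>
</form>
```

Keeping the search text fixed in the link and passing only the time tokens through `|u` means a token value cannot add or alter query-string parameters in the target URL.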