Time-Extraction from custom formatted time

twistedsixty4
Path Finder

Hey all,
I'm trying to drill down off of a rather complex search where my graphed time values are in the format of wday: hour (or "%A: %H"), but when I click to drill down it isn't passing the time correctly, so I need to call the click.value to search by, but I'm not sure how to get it back into a searchable time string. Any help would be appreciated.

my main search:

(index=cisco* OR index=f5 OR index=app) linecount=1
| search action="blocked"
| eval date_hour = strftime(_time, "%H")
| eval date_wday = strftime(_time, "%A")
| eval 'day:hour' = date_wday + ": " + date_hour
| eval sort_field = case(date_wday=="Monday",1, date_wday=="Tuesday",2, date_wday=="Wednesday",3, date_wday=="Thursday",4, date_wday=="Friday",5, date_wday=="Saturday",6, date_wday=="Sunday",7)
| bucket _time span=1h
| stats count by sort_field, day:hour, _time
| eval last_week = if(_time >= relative_time(now(), "-168h@h"), count, null())
| stats avg(count) as 30d_Average, values(last_week) as 7d_Count by sort_field, day:hour
| fields - sort_field

and my drilldown:

(index=cisco* OR index=f5 OR index=app) linecount=1 $click1.value$ | search action="blocked" | timechart span=1m count

The foo token will come out as "Sunday: 22".

1 Solution

twistedsixty4
Path Finder

This problem was much more complicated than I expected, but I finally figured it out.
The first step I had to take was to break my search down. I removed the avg, so what I ended up with was a table of counts and times. This let me do a post-process drilldown from the graph and get the count values and time at the click.value. But this is where I ran into my next problem.

Since I was not using timechart but just charting values, I couldn't pass a time range, only the click value. The closest I could get was a Unix time string. Well, I ended up nesting functions and assigning the value to earliest and latest. Looks like this:

eval dStart = strftime(relative_time(_time, "-2h@h"), "%m/%d/%Y:%H:%M:%S")
| eval dEnd = strftime(relative_time(_time, "+2h@h"), "%m/%d/%Y:%H:%M:%S")
| table _time, day:hour, count, last_week, dStart, dEnd
| search day:hour="$click1.value$"

Hope this helps the next person.

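An added example, not part of the original thread: a small standard-library Python helper that does outside Splunk what the accepted answer does with relative_time(), turning a "%A: %H" click value such as "Sunday: 22" back into earliest/latest strings in the %m/%d/%Y:%H:%M:%S format the answer uses, with the same +/-2h window. The function names and the fixed "now" are assumptions for the example.

```python
# Added example: map a drilldown click value ("Sunday: 22") to a Splunk
# earliest/latest window around the most recent matching weekday/hour.
from datetime import datetime, timedelta, timezone

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
SPLUNK_FMT = "%m/%d/%Y:%H:%M:%S"  # format the answer feeds to earliest/latest


def parse_click_value(value):
    """Parse '<weekday>: <hour>' (strftime "%A: %H") into (weekday_index, hour).

    Rejects anything that is not a known weekday with an hour in 0..23, so a
    malformed token cannot silently widen or shift the search window.
    """
    day, sep, hour = value.partition(":")
    if not sep:
        raise ValueError(f"expected '<weekday>: <hour>', got {value!r}")
    day, hour = day.strip(), hour.strip()
    if day not in WEEKDAYS or not hour.isdigit() or not 0 <= int(hour) <= 23:
        raise ValueError(f"bad weekday/hour in {value!r}")
    return WEEKDAYS.index(day), int(hour)


def last_occurrence(wday, hour, now):
    """Most recent hour boundary on or before `now` with this weekday and hour."""
    anchor = now.replace(minute=0, second=0, microsecond=0)
    days_back = (anchor.weekday() - wday) % 7  # Python weekday(): Monday == 0
    candidate = (anchor - timedelta(days=days_back)).replace(hour=hour)
    if candidate > now:  # same weekday but a later hour: that slot was last week
        candidate -= timedelta(days=7)
    return candidate


def drilldown_window(value, now, pad_hours=2):
    """Return (earliest, latest) strings bracketing the clicked hour by pad_hours."""
    wday, hour = parse_click_value(value)
    centre = last_occurrence(wday, hour, now)
    earliest = centre - timedelta(hours=pad_hours)
    latest = centre + timedelta(hours=pad_hours)
    return earliest.strftime(SPLUNK_FMT), latest.strftime(SPLUNK_FMT)


def drilldown_search(value, now, pad_hours=2):
    """Build the time-range clause to prepend to the drilldown search."""
    earliest, latest = drilldown_window(value, now, pad_hours)
    return f'earliest="{earliest}" latest="{latest}"'


if __name__ == "__main__":
    # Constructed reference time: Wednesday 2024-08-07 10:30 UTC.
    now = datetime(2024, 8, 7, 10, 30, tzinfo=timezone.utc)
    print(drilldown_search("Sunday: 22", now))
```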
