Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Time-Extraction from custom formatted time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey all,
i'm trying to drilldown off of a rather complex search where my grpahed time values are in the format of wday: hour (or "%A: %H") but when i click to drill down it istnt passing the time correctly so i need to call the click.value to search by, but im not sure how to get it back into a searchable time-string. any help would be appreciated.
my main search:
(index=cisco* OR index=f5 OR index=app) linecount=1 | search action="blocked" | eval date_hour = strftime(_time, "%H") | eval date_wday = strftime(_time, "%A") | eval day:hour = date_wday + ": " + date_hour | eval sort_field=case(date_wday=="Monday",1, date_wday=="Tuesday",2, date_wday=="Wednesday",3, date_wday=="Thursday",4, date_wday=="Friday",5, date_wday=="Saturday",6, date_wday=="Sunday",7) | bucket _time span=1h | stats count by sort_field,day:hour,_time | eval last_week = if(_time>=relative_time(now(), "-168h@h"), count, null()) | stats avg(count) as 30d_Average, values(last_week) as 7d_Count by sort_field,day:hour| fields - sort_field
and my drilldown:
(index=cisco* OR index=f5 OR index=app) linecount=1 $click1.value$ | search action="blocked" | timechart span=1m count
the foo token will come out as "Sunday: 22"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this problem was much more complicated than i expected, but i finally figured it out.
the first step i had to take was to break my search down. i removed the avg so what i ended up with was a table of counts and times. this let me do a post process drilldown from the graph and get the count values and time at the click.value. but this is where i ran into my next problem.
since i was not using timechart but just charting values i couldnt pass a time range, only the click value. the closest i could get was a unix time string. well i ended up nesting functions and assigning the value to earliest and latest. looks like this:
eval dStart= strftime(relative_time(_time, "-2h@h"), "%m/%d/%Y:%H:%M:%S") | eval dEnd= strftime(relative_time(_time, "+2h@h"), "%m/%d/%Y:%H:%M:%S") | table day:hour, count, last_week dStart, dEnd, by _time | search day:hour="$click1.value$"
hope this helps the next person..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this problem was much more complicated than i expected, but i finally figured it out.
the first step i had to take was to break my search down. i removed the avg so what i ended up with was a table of counts and times. this let me do a post process drilldown from the graph and get the count values and time at the click.value. but this is where i ran into my next problem.
since i was not using timechart but just charting values i couldnt pass a time range, only the click value. the closest i could get was a unix time string. well i ended up nesting functions and assigning the value to earliest and latest. looks like this:
eval dStart= strftime(relative_time(_time, "-2h@h"), "%m/%d/%Y:%H:%M:%S") | eval dEnd= strftime(relative_time(_time, "+2h@h"), "%m/%d/%Y:%H:%M:%S") | table day:hour, count, last_week dStart, dEnd, by _time | search day:hour="$click1.value$"
hope this helps the next person..
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
