Dashboards & Visualizations

Trying to pass time range to the splunk search in drilldown table to open in a new window

nithin204
Explorer

Hi All, 

 

I am trying to pass time variables to the search when I click on a value in drilldown dashbaord. Below is the the source of the dashboard 

 

<form version="1.1">
<label>test12</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>test12</title>
<table>
<search>
<query>index=_internal status=* sourcetype=splunkd
|lookup test12 name AS status OUTPUT value | stats count by value</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<set token="drilldown_srch">index=_internal status=* sourcetype=splunkd |lookup test12.csv name as status output value | where value=$row.value$</set>
<link>search?q=$drilldown_srch|u$</link>
</drilldown>
</table>
</panel>
</row>
</form>

I tried adding the time variables in the link as below but no luck

<link>search?q=$drilldown_srch?earliest=$field1.earliest&latest=$field1.latest$|u$</link>

Thanks

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @nithin204,

the way to pass a parameter to a drilldown is the one I described, please try this:

<link>search?q=$drilldown_srch|u$$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

anyway, usually a drilldown search takes the same time variables of the original.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @nithin204,

what's the error you have?

anyway the string you're using is correct (I suppose that the second $ was a mistyping), but in the dashboard editor you have to use a different notation for &, you must use &amp;:

<link>search?q=$drilldown_srch?earliest=$field1.earliest$&amp;latest=$field1.latest$|u$</link>

Ciao.

Giuseppe

0 Karma

nithin204
Explorer

Hi @gcusello , 

I have to use the second $ as well after drilldown_srch as that is token. 

<link>search?q=$drilldown_srch$?earliest=$field1.earliest$&amp;latest=$field1.latest$|u$</link>

If I skip the second "$" after the drillwon_srch, and if I click the value the new search opens as $drilldown_srch in the search bar in new window. 

 

If I use the $drilldown_srch$ , the search is working correct but it is not taking the time variables. It always have a default of 15mins. 

Thanks 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @nithin204,

the way to pass a parameter to a drilldown is the one I described, please try this:

<link>search?q=$drilldown_srch|u$$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

anyway, usually a drilldown search takes the same time variables of the original.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @nithin204 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...