Dashboards & Visualizations

Trying to pass time range to the splunk search in drilldown table to open in a new window

nithin204
Explorer

Hi All, 

 

I am trying to pass time variables to the search when I click on a value in drilldown dashbaord. Below is the the source of the dashboard 

 

<form version="1.1">
<label>test12</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>test12</title>
<table>
<search>
<query>index=_internal status=* sourcetype=splunkd
|lookup test12 name AS status OUTPUT value | stats count by value</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<set token="drilldown_srch">index=_internal status=* sourcetype=splunkd |lookup test12.csv name as status output value | where value=$row.value$</set>
<link>search?q=$drilldown_srch|u$</link>
</drilldown>
</table>
</panel>
</row>
</form>

I tried adding the time variables in the link as below but no luck

<link>search?q=$drilldown_srch?earliest=$field1.earliest&latest=$field1.latest$|u$</link>

Thanks

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @nithin204,

the way to pass a parameter to a drilldown is the one I described, please try this:

<link>search?q=$drilldown_srch|u$$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

anyway, usually a drilldown search takes the same time variables of the original.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @nithin204,

what's the error you have?

anyway the string you're using is correct (I suppose that the second $ was a mistyping), but in the dashboard editor you have to use a different notation for &, you must use &amp;:

<link>search?q=$drilldown_srch?earliest=$field1.earliest$&amp;latest=$field1.latest$|u$</link>

Ciao.

Giuseppe

0 Karma

nithin204
Explorer

Hi @gcusello , 

I have to use the second $ as well after drilldown_srch as that is token. 

<link>search?q=$drilldown_srch$?earliest=$field1.earliest$&amp;latest=$field1.latest$|u$</link>

If I skip the second "$" after the drillwon_srch, and if I click the value the new search opens as $drilldown_srch in the search bar in new window. 

 

If I use the $drilldown_srch$ , the search is working correct but it is not taking the time variables. It always have a default of 15mins. 

Thanks 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @nithin204,

the way to pass a parameter to a drilldown is the one I described, please try this:

<link>search?q=$drilldown_srch|u$$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

anyway, usually a drilldown search takes the same time variables of the original.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @nithin204 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...