Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't I drill down a table with the _time column renamed or converted to a different format?

LuiesCui
Communicator
‎07-29-2015 09:42 PM

Hi guys

I have a problem here and I need ur help!
I have a table in a dashboard with column _time. I would like to rename _time as time so I tried 2 methods to do that.
Method A:

index="from_host_demo" source="Perfmon:Network Interface" | convert timeformat="%Y/%m/%d %T" ctime(_time) as time | table time collection counter Value

and Method B:

index="from_host_demo" source="Perfmon:Network Interface" | rename _time as time | table time collection counter Value| fieldformat time=strftime(time, "%Y/%m/%d %T")

Both methods work well and I got what I wanted, but I soon found I got no event if I drill down from tables and I see the format of _time causes this problem.
For example, if I drill down the second table, the search line would be 

index="from_host_demo" source="Perfmon:Network Interface"  Value="283.51863284535062" | eval time=_time | search time="2015/07/30 11:26:34"

and got no events. But if I change the search line into

index="from_host_demo" source="Perfmon:Network Interface"  Value="283.51863284535062" | eval time=_time | search time="1438226794"

then the event I want comes out.
So I tried to change the drilldown link as below:

<drilldown target="_blank">
            <link>
                <![CDATA[search?q=index="from_host_demo" collection="$row.collection$" counter="$row.counter$" Value="$row.Value$" | convert timeformat="%Y/%m/%d %T" ctime(_time) as time |where time="$row.time$"]]>
            </link>
        </drilldown>

If I drill down the table, it comes out "loading" and will not even show any result! However, when I typed the search line in the search page without tokens, but with data, it worked!

So what I want is to rename the _time column, but still have the drilldown function work. What should I do to solve this problem? And by the way, what is the difference between method A and method B? Thx a lot!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

LuiesCui
Communicator
‎07-30-2015 08:57 PM

Got a solution...it works but is not perfect.

<table>
    <title>rename time</title>
    <search>
      <query>index="perform" source="Perfmon:Network118" 
        | convert timeformat="%Y/%m/%d %T" ctime(_time) as time2 
        | eval collection2 = collection | eval counter2 = counter | eval Value2 = Value
        | rename _time as time 
        | table time time2 collection collection2 counter counter2 Value Value2 
        | rename time2 as 时とき, collection2 as 集まる, counter2 as 分類, Value2 as 数値</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <drilldown target="_blank">
      <link>
        <![CDATA[search?q= search index="perform" 
        collection="$row.collection$" 
        counter="$row.counter$" 
        Value="$row.Value$" 
        _time="$row.time$"]]>
      </link>
    </drilldown>
    <fields>["时とき","集まる","分類","数値"]</fields>
</table>

For example, if you have 4 columns to show and all of them need to be renamed, you should have 8 column in your table - 4 of them to display(be renamed) and 4 for the value for drilldown. Then use row.field to take the values of the columns aren't renamed and use fields to show the columns renamed.

View solution in original post

Reply
Solved! Jump to solution
Solution

LuiesCui
Communicator
‎07-30-2015 08:57 PM

Got a solution...it works but is not perfect.

<table>
    <title>rename time</title>
    <search>
      <query>index="perform" source="Perfmon:Network118" 
        | convert timeformat="%Y/%m/%d %T" ctime(_time) as time2 
        | eval collection2 = collection | eval counter2 = counter | eval Value2 = Value
        | rename _time as time 
        | table time time2 collection collection2 counter counter2 Value Value2 
        | rename time2 as 时とき, collection2 as 集まる, counter2 as 分類, Value2 as 数値</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <drilldown target="_blank">
      <link>
        <![CDATA[search?q= search index="perform" 
        collection="$row.collection$" 
        counter="$row.counter$" 
        Value="$row.Value$" 
        _time="$row.time$"]]>
      </link>
    </drilldown>
    <fields>["时とき","集まる","分類","数値"]</fields>
</table>

For example, if you have 4 columns to show and all of them need to be renamed, you should have 8 column in your table - 4 of them to display(be renamed) and 4 for the value for drilldown. Then use row.field to take the values of the columns aren't renamed and use fields to show the columns renamed.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-30-2015 06:40 PM

IMHO, this is a bug and should be reported as such. Especially because this also doesn't work (and DEFINITELY should):

index="from_host_demo" source="Perfmon:Network Interface" | fieldformat _time = strftime(_time, "%Y/%m/%d %T") | table _time collection counter Value
0 Karma
Reply
Solved! Jump to solution

LuiesCui
Communicator
‎07-30-2015 06:52 PM

yep another error 😞

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎07-30-2015 06:33 PM

Hi LuiesCui,

you're aware that Splunk already has build in japanese locals?
Don't re-invent the wheel, just use this URI and you good:

http[s]://YourSplunkServer:YourSplunkPort/ja-JP/

This cannot be set by default but Splunk should switch to the correct locale if used in a japanese browser - maybe...

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

MuS
Legend
‎07-30-2015 06:39 PM

And here is a nice Chrome plug-in which will take care of switching to the correct locale if Splunk does not https://chrome.google.com/webstore/detail/quick-language-switcher/pmjbhfmaphnpbehdanbjphdcniaelfie

cheers, MuS

Reply
Solved! Jump to solution

LuiesCui
Communicator
‎07-30-2015 06:54 PM

Tried and didn't work. Can I rename those column header outside of the search line? I mean, I want to edit the column name in the xml as a property of the table. Any way to do that?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎07-30-2015 07:50 PM

What did not work, using the ja-JP locale or using the fieldformat ?
Try the ja-JP locale without the fieldformat

I'm not aware of a column header rename function outside the search, but then again I'm no Web developer and I haven't used the Splunk Web Framework a lot.

Reply
Solved! Jump to solution

LuiesCui
Communicator
‎07-30-2015 06:10 PM

Could anyone help?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎07-30-2015 06:17 PM

Why do you need to rename _time ?

0 Karma
Reply
Solved! Jump to solution

LuiesCui
Communicator
‎07-30-2015 06:22 PM

My client wants the panel shows in japanese

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...