Why is chart drilldown earliest and latest time no...

wangkevin1029 · ‎01-19-2023

Hi, Splunkers,

I have the following table drilldown earliest and latest time works properly.

but when I copied it to a chart drilldown, it stopped working.

I noticed table drilldown has the following drilldown option value= row.

and the link for passing earliest and latest time uses row.StartDTM_epoch, and row.EndDTM_epoch

form.field2.earliest=$row.StartDTM_epoch$&form.field2.latest=$row.EndDTM_epoch$

I noticed my chart drilldown has the following drilldown option value= all.

so, I changed it to form.field2.earliest=$all.StartDTM_epoch$&form.field2.latest=$all.EndDTM_epoch$

not sure if the all.StartDTM_epoch and all.EndDTM_epoch casusing the failure.

the following is the related working code for table drilldown to pass earliest and latest time.

| eval StartDTM_epoch = relative_time(_time,"-20m")
| eval EndDTM_epoch = relative_time(_time,"+20m")

| eval TIME = strftime(_time, "%Y-%m-%d %H:%M:%S")

| table _time,sid,Type,AgentName,DN,FAddress,Segment,Function,Client,Product,SubFunction,SubFDetail,MKTGCT,CCType,VQ,TLCnt,AFRoute,StateCD,TargetSelected,AFStatus,,CBOffered,CBRejected,AQT,EWT,EWTmin,PIQ,WT,LSInRange,LSPriority,LSRateS,PB,PCSS,PENT,PF,RONA,LANG,StartDTM_epoch,EndDTM_epoch</query>
<earliest>$field2.earliest$</earliest>
<latest>$field2.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<fields>["_time","sid","Type","AgentName","DN","FAddress","Segment","Function","Client","Product","SubFunction","SubFDetail","MKTGCT","CCType","VQ","TLCnt","AFRoute","StateCD","TargetSelected","AFStatus","CBOffered","CBRejected","AQT","EWT","EWTmin","PIQ","WT","LSInRange","LSPriority","LSRateS","PB","PCSS","PENT","PF","RONA","LANG"]</fields>
<drilldown>
<condition match="$t_DrillDown$ = "*"">
<link target="_blank">
<![CDATA[
/app/optum_gvp/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token_with2handlers=$click.value2$&form.field2.earliest=$row.StartDTM_epoch$&form.field2.latest=$row.EndDTM_epoch$
]]>
</link>

thx in advance.

Kevin

bowesmana · ‎01-19-2023

Table uses drilldown row or cell and chart uses all, but you don't use "all" for referencing row values, it is still $row.xxx$

Look at the chart section here

https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#Predefined_dr...

It depends where you click in a chart as to the tokens/values you get.

What fields do you have in your data and what is the search for the chart?

wangkevin1029 · ‎01-20-2023

bowesmana,

I copied these earliest and latest time code from my table query, which works fine for table.

the only difference is drilldown option, for table, value = row, for chart , value=all.

Kevin

wangkevin1029 · ‎01-20-2023

Hi, bowesmana,

thx for your quick response.

it's the same chart as the last case about chart input. you helped me fix that issue.

still passed $click.name2$ as input.

for earliest, and latest time, I tried all.StartDTM_epoch, row.StartDTM_epoch, and StartDTM_epoch without prefix.

form.field2.earliest=$row.StartDTM_epoch$&form.field2.latest=$row.EndDTM_epoch$

Kevin

bowesmana · ‎01-22-2023

What sort of chart and what is your XML definition for that chart?

Just copying table to chart does not mean it will work, for example <fields> is not a valid entry for chart and pie charts, for example, do not support use of $row.XXX$ for drilldown, so please provide the chart detail.

Why is chart drilldown earliest and latest time not working?

timechart

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms