Why is chart drilldown earliest and latest time no...

wangkevin1029 · ‎01-19-2023

Hi, Splunkers,

I have the following table drilldown earliest and latest time works properly.

but when I copied it to a chart drilldown, it stopped working.

I noticed table drilldown has the following drilldown option value= row.

and the link for passing earliest and latest time uses row.StartDTM_epoch, and row.EndDTM_epoch

form.field2.earliest=$row.StartDTM_epoch$&form.field2.latest=$row.EndDTM_epoch$

I noticed my chart drilldown has the following drilldown option value= all.

so, I changed it to form.field2.earliest=$all.StartDTM_epoch$&form.field2.latest=$all.EndDTM_epoch$

not sure if the all.StartDTM_epoch and all.EndDTM_epoch casusing the failure.

the following is the related working code for table drilldown to pass earliest and latest time.

| eval StartDTM_epoch = relative_time(_time,"-20m")
| eval EndDTM_epoch = relative_time(_time,"+20m")

| eval TIME = strftime(_time, "%Y-%m-%d %H:%M:%S")

| table _time,sid,Type,AgentName,DN,FAddress,Segment,Function,Client,Product,SubFunction,SubFDetail,MKTGCT,CCType,VQ,TLCnt,AFRoute,StateCD,TargetSelected,AFStatus,,CBOffered,CBRejected,AQT,EWT,EWTmin,PIQ,WT,LSInRange,LSPriority,LSRateS,PB,PCSS,PENT,PF,RONA,LANG,StartDTM_epoch,EndDTM_epoch</query>
<earliest>$field2.earliest$</earliest>
<latest>$field2.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<fields>["_time","sid","Type","AgentName","DN","FAddress","Segment","Function","Client","Product","SubFunction","SubFDetail","MKTGCT","CCType","VQ","TLCnt","AFRoute","StateCD","TargetSelected","AFStatus","CBOffered","CBRejected","AQT","EWT","EWTmin","PIQ","WT","LSInRange","LSPriority","LSRateS","PB","PCSS","PENT","PF","RONA","LANG"]</fields>
<drilldown>
<condition match="$t_DrillDown$ = "*"">
<link target="_blank">
<![CDATA[
/app/optum_gvp/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token_with2handlers=$click.value2$&form.field2.earliest=$row.StartDTM_epoch$&form.field2.latest=$row.EndDTM_epoch$
]]>
</link>

thx in advance.

Kevin

bowesmana · ‎01-19-2023

Table uses drilldown row or cell and chart uses all, but you don't use "all" for referencing row values, it is still $row.xxx$

Look at the chart section here

https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#Predefined_dr...

It depends where you click in a chart as to the tokens/values you get.

What fields do you have in your data and what is the search for the chart?

wangkevin1029 · ‎01-20-2023

bowesmana,

I copied these earliest and latest time code from my table query, which works fine for table.

the only difference is drilldown option, for table, value = row, for chart , value=all.

Kevin

wangkevin1029 · ‎01-20-2023

Hi, bowesmana,

thx for your quick response.

it's the same chart as the last case about chart input. you helped me fix that issue.

still passed $click.name2$ as input.

for earliest, and latest time, I tried all.StartDTM_epoch, row.StartDTM_epoch, and StartDTM_epoch without prefix.

form.field2.earliest=$row.StartDTM_epoch$&form.field2.latest=$row.EndDTM_epoch$

Kevin

bowesmana · ‎01-22-2023

What sort of chart and what is your XML definition for that chart?

Just copying table to chart does not mean it will work, for example <fields> is not a valid entry for chart and pie charts, for example, do not support use of $row.XXX$ for drilldown, so please provide the chart detail.

Why is chart drilldown earliest and latest time not working?

timechart

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!