Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the drilldown giving "INVALID EARLIEST_TIME" on the bar graph?

joydeep741
Path Finder
‎06-26-2018 12:39 AM

When ever I click on a BAR of a bar graph , it drills down to search page with an error "invalid earliest_time"
How do i correct this invalid earliest_time error ?

THE TIME PICKER ON MY DASHBOARD

<input type="time" token="field3">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
</input>

THE BAR GRAPH PANEL ON MY DASHBOARD

<chart>
        <search>
          <query>index=abc sourcetype=xyz  |dedup number| bucket _time span=$field2$| stats count by _time|tail 7|eval Target=$IncidentTitle$|fieldformat _time=strftime(_time, "$BarChartFormat$")|reverse</query>

          <earliest>$field3.earliest$</earliest>
          <latest>$field3.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">Target</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">_aggregation</option>
      </chart>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rvany
Communicator
‎06-26-2018 04:29 AM

The problem is you are changing the value of _time using a format of %m%y(right?). That way Splunk is not able to transfer the right value.

If you need this format for visualization, you can create a different field and format that.

index=abc sourcetype=xyz
|dedup number
|bucket _time span=$field2$
|eval my_time=strftime(_time, "$BarChartFormat$")
|stats count by my_time
|tail 7
|eval Target=$IncidentTitle$
|reverse

Maybe you give this a try.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rvany
Communicator
‎06-26-2018 04:29 AM

The problem is you are changing the value of _time using a format of %m%y(right?). That way Splunk is not able to transfer the right value.

If you need this format for visualization, you can create a different field and format that.

index=abc sourcetype=xyz
|dedup number
|bucket _time span=$field2$
|eval my_time=strftime(_time, "$BarChartFormat$")
|stats count by my_time
|tail 7
|eval Target=$IncidentTitle$
|reverse

Maybe you give this a try.

0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎06-26-2018 04:42 AM

Super Thanks ..!!

It worked. 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-26-2018 02:48 AM

@joydeep741, you are missing some really important details that would be required for us to assist you.
Can you give a sample value for
1) span=$field2$
2) fieldformat _time=strftime(_time, "$BarChartFormat$")

And what is your current <drilldown> code for the chart?
Have you printed the tokens using <html><panel> or <panel><title> section to see if they have expected values on drilldown?

There seems to be some issue with $latest$ and $row._span$ tokens (I am unable to find the question which had this answer. @rjthibod @frobinson Can you help?

Meanwhile the workaround will be to use $earilest$ and $earliest$+ $tokSpan$, where $tokSpan$ is in seconds coming from your Span dropdown.

<input type="dropdown" token="tokSpan" searchWhenChanged="true">
  <label>Select Span</label>
  <choice value="3600">Hourly</choice>
  <choice value="86400">Daily</choice>
  <default>3600</default>
</input>

Following is a run anywhere example which sets the earliest and latest token on chart drilldown and uses the same in another search

<form>
  <label>Timechart drilldown with String Time to Epoch</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tokSpan" searchWhenChanged="true">
      <label>Select Span</label>
      <choice value="3600">Hourly</choice>
      <choice value="86400">Daily</choice>
      <default>3600</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$tok_earliest$ - $tok_latest$ - $tok_span$</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd
| bin _time span=$tokSpan$
| stats count by _time
| reverse</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.overlayFields">Target</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">_aggregation</option>
        <drilldown>
          <set token="tok_earliest">$earliest$</set>
          <eval token="tok_latest">$earliest$+$tokSpan$</eval>
          <set token="tok_span">$tokSpan$</set>
        </drilldown>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd
| timechart count</query>
          <earliest>$tok_earliest$</earliest>
          <latest>$tok_latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">Target</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">_aggregation</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎06-26-2018 03:30 AM

Hi niketnilay,

1) span=$field2$

Values are like "1m", "1d", "1w" for month , day , week respectively.
2) fieldformat _time=strftime(_time, "$BarChartFormat$")
_time comes like
06-18
05-18
etc

My URL earliest and lastest values are like

earliest=06-18 latest=1530008118

This 06-18 seems to irritate splunk and thus the invalid earliest time error.
Any idea how can i convert this to the format in which i get the "latest"

0 Karma
Reply
Solved! Jump to solution

rvany
Communicator
‎06-26-2018 02:15 AM

I tried your example. Had to make some assumptions due to different data. So I set span=1h and left out the Target-field (including the overlay).

Problem was then, that I got no data at all due to the _time-fieldformat, which I set to some date/time-string. During drill down I got no data, but - I also got no "invalid earliest_time" error.

You may have a look in the address field of your browser after doing the drilldown. My address contained:

earliest=1529996400.000&
latest=1529996400.001&

which of course are valid times. What's in your address?

0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎06-26-2018 03:27 AM

Hi rvany,

My URL earliest and lastest values are like

earliest=06-18& latest=1530008118

This 06-18 seems to irritate splunk and thus the invalid earliest time error.
Any idea how can i convert this to the format in which i get the "latest"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...