Why is the drilldown giving "INVALID EARLIEST_TIME" on the bar graph?

Path Finder

Whenever I click on a BAR of a bar graph, it drills down to the search page with an error "invalid earliest_time".
How do I correct this invalid earliest_time error?

THE TIME PICKER ON MY DASHBOARD

<input type="time" token="field3">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
</input>

THE BAR GRAPH PANEL ON MY DASHBOARD

<chart>
  <search>
    <query>index=abc sourcetype=xyz  |dedup number| bucket _time span=$field2$| stats count by _time|tail 7|eval Target=$IncidentTitle$|fieldformat _time=strftime(_time, "$BarChartFormat$")|reverse</query>
    <earliest>$field3.earliest$</earliest>
    <latest>$field3.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <option name="charting.axisY2.enabled">0</option>
  <option name="charting.axisY2.scale">linear</option>
  <option name="charting.chart">column</option>
  <option name="charting.chart.overlayFields">Target</option>
  <option name="charting.chart.showDataLabels">none</option>
  <option name="charting.drilldown">all</option>
  <option name="charting.layout.splitSeries">0</option>
  <option name="trellis.enabled">0</option>
  <option name="trellis.size">large</option>
  <option name="trellis.splitBy">_aggregation</option>
</chart>
0 Karma
1 Solution

Communicator

The problem is you are changing the value of _time using a format of %m%y (right?). That way Splunk is not able to transfer the right value.

If you need this format for visualization, you can create a different field and format that.

index=abc sourcetype=xyz
|dedup number
|bucket _time span=$field2$
|eval my_time=strftime(_time, "$BarChartFormat$")
|stats count by my_time
|tail 7
|eval Target=$IncidentTitle$
|reverse

Maybe you give this a try.

0 Karma

Path Finder

Super Thanks ..!!

It worked. 🙂

0 Karma

SplunkTrust

@joydeep741, you are missing some really important details that would be required for us to assist you.
Can you give a sample value for
1) span=$field2$
2) fieldformat _time=strftime(_time, "$BarChartFormat$")

And what is your current <drilldown> code for the chart?
Have you printed the tokens using <html><panel> or <panel><title> section to see if they have expected values on drilldown?

There seems to be some issue with $latest$ and $row._span$ tokens (I am unable to find the question which had this answer. @rjthibod @frobinson, can you help?)

Meanwhile the workaround will be to use $earliest$ and $earliest$+$tokSpan$, where $tokSpan$ is in seconds coming from your Span dropdown.

<input type="dropdown" token="tokSpan" searchWhenChanged="true">
  <label>Select Span</label>
  <choice value="3600">Hourly</choice>
  <choice value="86400">Daily</choice>
  <default>3600</default>
</input>

The following is a run-anywhere example which sets the earliest and latest tokens on chart drilldown and uses the same in another search:

<form>
  <label>Timechart drilldown with String Time to Epoch</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tokSpan" searchWhenChanged="true">
      <label>Select Span</label>
      <choice value="3600">Hourly</choice>
      <choice value="86400">Daily</choice>
      <default>3600</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$tok_earliest$ - $tok_latest$ - $tok_span$</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd
| bin _time span=$tokSpan$
| stats count by _time
| reverse</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.overlayFields">Target</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">_aggregation</option>
        <drilldown>
          <set token="tok_earliest">$earliest$</set>
          <eval token="tok_latest">$earliest$+$tokSpan$</eval>
          <set token="tok_span">$tokSpan$</set>
        </drilldown>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd
| timechart count</query>
          <earliest>$tok_earliest$</earliest>
          <latest>$tok_latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">Target</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">_aggregation</option>
      </chart>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

Hi niketnilay,

1) span=$field2$

Values are like "1m", "1d", "1w" for month, day, week respectively.
2) fieldformat _time=strftime(_time, "$BarChartFormat$")
_time comes like
06-18
05-18
etc

My URL earliest and latest values are like

earliest=06-18 latest=1530008118

This 06-18 seems to irritate Splunk and thus the invalid earliest time error.
Any idea how I can convert this to the format in which I get the "latest"?

0 Karma

Communicator

I tried your example. Had to make some assumptions due to different data. So I set span=1h and left out the Target-field (including the overlay).

Problem was then, that I got no data at all due to the _time-fieldformat, which I set to some date/time-string. During drill down I got no data, but - I also got no "invalid earliest_time" error.

You may have a look in the address field of your browser after doing the drilldown. My address contained:

earliest=1529996400.000&
latest=1529996400.001&

which of course are valid times. What's in your address?

0 Karma

Path Finder

Hi rvany,

My URL earliest and latest values are like

earliest=06-18& latest=1530008118

This 06-18 seems to irritate Splunk and thus the invalid earliest time error.
Any idea how I can convert this to the format in which I get the "latest"?

0 Karma
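
A quick way to check the drilldown URL values discussed in this thread, as an added example that is not part of any post: the Python sketch below classifies the `earliest`/`latest` parameters and shows that two different epochs render to the same `06-18` label, which is why the formatted string cannot stand in for `_time`. The accepted-value patterns are a simplified assumption (epoch seconds, `now`, relative modifiers), not Splunk's own parser, and the `%m-%y` format and UTC rendering are assumed from the `06-18` values quoted above.

```python
import re
import time
from urllib.parse import parse_qs

# Simplified approximation of valid time values (assumption, not Splunk's parser):
# epoch seconds, "now", or chained relative modifiers such as -24h@h or -1d@d+2h.
EPOCH = re.compile(r"\d+(\.\d+)?")
RELATIVE = re.compile(r"([+-]\d+[a-z]+|@[a-z]+\d*)+")


def classify(value):
    """Return 'epoch', 'relative' or 'invalid' for one earliest/latest value."""
    if EPOCH.fullmatch(value):
        return "epoch"
    if value == "now" or RELATIVE.fullmatch(value):
        return "relative"
    return "invalid"


def check_drilldown(query_string):
    """Classify the time parameters found in a drilldown URL query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {k: classify(params[k][0]) for k in ("earliest", "latest") if k in params}


def bucket_label(epoch, fmt):
    """Render an epoch as strftime(_time, fmt) would; UTC is assumed here."""
    return time.strftime(fmt, time.gmtime(epoch))


# Constructed from the URL values quoted in the thread.
BROKEN = "earliest=06-18&latest=1530008118"
WORKING = "earliest=1529996400.000&latest=1529996400.001"

if __name__ == "__main__":
    print(check_drilldown(BROKEN))   # the formatted label is not a time value
    print(check_drilldown(WORKING))  # both values are epoch seconds
    # Two different instants in June 2018 collapse to the same label, so the
    # label cannot be converted back to the epoch the drilldown needs.
    print(bucket_label(1527811200, "%m-%y"), bucket_label(1530008118, "%m-%y"))
```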