Solved: Re: $click.value2$ can't work with fieldformat

to4kawa · ‎08-09-2020

<dashboard>
  <label>drilldown time</label>
  <init>
    <unset token="epoch" />
    <unset token="human" />
  </init>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults |eval time=_time| fieldformat time=strftime(time,"%F %T")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <drilldown>
          <set token="epoch">$click.value2$</set>
          <eval token="human">strftime($epoch$,"%F%T")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <p>
          <h2>$epoch$</h2>
        </p>
        <p>
          <h2>$human$</h2>
        </p>
      </html>
    </panel>
  </row>
</dashboard>

- click _time, fine
- click time, not work

What else can I do besides rename X as _time?

bowesmana · ‎08-09-2020

Given that the fieldformat time is ISO, not epoch as expected, just reverse the strXtime logic

<dashboard>
  <label>drilldown time</label>
  <init>
    <unset token="epoch" />
    <unset token="human" />
  </init>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults |eval time=_time| fieldformat time=strftime(time,"%F %T")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <drilldown>
          <set token="epoch">$click.value2$</set>
          <eval token="human">strftime($epoch$,"%F %T")</eval>
          <set token="human2">$row.time$</set>
          <eval token="epoch2">strptime($human2$,"%F %T")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <p>
          <h2>EPOCH: $epoch$</h2>
        </p>
        <p>
          <h2>HUMAN: $human$</h2>
        </p>
        <p>
          <h2>EPOCH2: $epoch2$</h2>
        </p>
        <p>
          <h2>HUMAN2: $human2$</h2>
        </p>
      </html>
    </panel>
  </row>
</dashboard>

View solution in original post

bowesmana · ‎08-09-2020

Given that the fieldformat time is ISO, not epoch as expected, just reverse the strXtime logic

<dashboard>
  <label>drilldown time</label>
  <init>
    <unset token="epoch" />
    <unset token="human" />
  </init>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults |eval time=_time| fieldformat time=strftime(time,"%F %T")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <drilldown>
          <set token="epoch">$click.value2$</set>
          <eval token="human">strftime($epoch$,"%F %T")</eval>
          <set token="human2">$row.time$</set>
          <eval token="epoch2">strptime($human2$,"%F %T")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <p>
          <h2>EPOCH: $epoch$</h2>
        </p>
        <p>
          <h2>HUMAN: $human$</h2>
        </p>
        <p>
          <h2>EPOCH2: $epoch2$</h2>
        </p>
        <p>
          <h2>HUMAN2: $human2$</h2>
        </p>
      </html>
    </panel>
  </row>
</dashboard>

to4kawa · ‎08-10-2020

thanks @bowesmana
I want epoch time value and it displays human readable , and to get the original epoch value by drilldown.

I'm trying to figure out how to do this when there are multiple time fields.

It's easy to get it with human readable and convert it to epoch with strptime.

$click.value2$ can't work with fieldformat

drilldown

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

$click.value2$ can't work with fieldformat

drilldown

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!