Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to pass timechart _time to the another panel using drill downs

james_n
Path Finder
‎02-11-2019 09:23 PM

Hi,

i have a bar chart, Query is index=xxx sourcetype=xxx |timechart count. I am running this query today span. once i click on the bar, based on that particular time and count should be displayed in the another chart i.e, table

Query 1:iIndex=xxx sourcetype=xxx |timechart count 

 <drilldown>
      <set token="timetk">$click.name2$</set>
      <eval token="date1">strftime($click.value$,"%Y-%m-%d %H:%M")</eval>
    </drilldown>

Query 2: index=xxx sourcetype=xxx $date1$ | table _time some-field

when i run this, if it is last 24 hours or Today span , its not working properly,if bar showing 10AM count 10, once you click on it its taking 22:30 and if it is 10:30 AM, once you click on it, its taking 23:00, after 12PM count's, once you click on it, its considering next day like once you click on today i.e, Feb 11th 2PM, its taking tomorrow i.e, FEB 12th 2:30AM.

my time stamp is Could you plz help on this.

Tags (1)
0 Karma
Reply

whrg
Motivator
‎02-11-2019 11:42 PM

Hello @james_n,

Use the following drilldown in your first chart:

<option name="charting.drilldown">all</option>
<drilldown>
  <set token="earliest_tok">$earliest$</set>
  <set token="latest_tok">$latest$</set>
</drilldown>

Now your second query can access the time token as follows:

index=xxx sourcetype=xxx earliest=$earliest_tok$ latest=$latest_tok$ | ...

This would also work:

<table>
  <search>
    <query>index=_* sourcetype=* | ...</query>
    <earliest>$earliest_tok$</earliest>
    <latest>$latest_tok$</latest>
  </search>
  ...
0 Karma
Reply

james_n
Path Finder
‎02-12-2019 09:42 PM

Hi @whrg , thanks for replying, If i select last 7 days for first query, once i click on one bar, its taking earliest as day starting and latest as day starting to 1ms. like earliest as 02/12/2019 00:00:00.000 and latest as 02/12/2019 00:00:00.001. Can you plz help on this,thanks in advance.

0 Karma
Reply

whrg
Motivator
‎02-13-2019 12:34 AM

Hello @james_n, I just created this dashboard which is working fine for me. If I click on one of the bars then the second table shows events for this particular bar/day. Check it out:

<form>
  <label>Test</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd | timechart count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="earliest_tok">$earliest$</set>
          <set token="latest_tok">$latest$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd earliest=$earliest_tok$ latest=$latest_tok$ | bin _time span=10m | dedup _time | table _time,host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

james_n
Path Finder
‎02-13-2019 01:34 AM

Hi @whrg , once i clicked on bar earliest and latest is passing like this earliest=1549954800 latest=1549954800.001.

0 Karma
Reply

cblanton
Communicator
‎09-25-2019 09:53 PM

hi @james_n, did you ever figure this out? i'm having the same issue. i'm not using the time field directly in the timechart, but am passing it to a where statement in the query. i'm thinking that is why, because the method described above works whenever I use a timechart with a standard time implementation.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...