Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to pass timechart _time to the another panel using drill downs

james_n
Path Finder
‎02-11-2019 09:23 PM

Hi,

i have a bar chart, Query is index=xxx sourcetype=xxx |timechart count. I am running this query today span. once i click on the bar, based on that particular time and count should be displayed in the another chart i.e, table

Query 1:iIndex=xxx sourcetype=xxx |timechart count 

 <drilldown>
      <set token="timetk">$click.name2$</set>
      <eval token="date1">strftime($click.value$,"%Y-%m-%d %H:%M")</eval>
    </drilldown>

Query 2: index=xxx sourcetype=xxx $date1$ | table _time some-field

when i run this, if it is last 24 hours or Today span , its not working properly,if bar showing 10AM count 10, once you click on it its taking 22:30 and if it is 10:30 AM, once you click on it, its taking 23:00, after 12PM count's, once you click on it, its considering next day like once you click on today i.e, Feb 11th 2PM, its taking tomorrow i.e, FEB 12th 2:30AM.

my time stamp is Could you plz help on this.

Tags (1)
0 Karma
Reply

whrg
Motivator
‎02-11-2019 11:42 PM

Hello @james_n,

Use the following drilldown in your first chart:

<option name="charting.drilldown">all</option>
<drilldown>
  <set token="earliest_tok">$earliest$</set>
  <set token="latest_tok">$latest$</set>
</drilldown>

Now your second query can access the time token as follows:

index=xxx sourcetype=xxx earliest=$earliest_tok$ latest=$latest_tok$ | ...

This would also work:

<table>
  <search>
    <query>index=_* sourcetype=* | ...</query>
    <earliest>$earliest_tok$</earliest>
    <latest>$latest_tok$</latest>
  </search>
  ...
0 Karma
Reply

james_n
Path Finder
‎02-12-2019 09:42 PM

Hi @whrg , thanks for replying, If i select last 7 days for first query, once i click on one bar, its taking earliest as day starting and latest as day starting to 1ms. like earliest as 02/12/2019 00:00:00.000 and latest as 02/12/2019 00:00:00.001. Can you plz help on this,thanks in advance.

0 Karma
Reply

whrg
Motivator
‎02-13-2019 12:34 AM

Hello @james_n, I just created this dashboard which is working fine for me. If I click on one of the bars then the second table shows events for this particular bar/day. Check it out:

<form>
  <label>Test</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd | timechart count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="earliest_tok">$earliest$</set>
          <set token="latest_tok">$latest$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd earliest=$earliest_tok$ latest=$latest_tok$ | bin _time span=10m | dedup _time | table _time,host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

james_n
Path Finder
‎02-13-2019 01:34 AM

Hi @whrg , once i clicked on bar earliest and latest is passing like this earliest=1549954800 latest=1549954800.001.

0 Karma
Reply

cblanton
Communicator
‎09-25-2019 09:53 PM

hi @james_n, did you ever figure this out? i'm having the same issue. i'm not using the time field directly in the timechart, but am passing it to a where statement in the query. i'm thinking that is why, because the method described above works whenever I use a timechart with a standard time implementation.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...