How to build a form that does a drilldown to events around the selected event timestamp
1 - show a list of results
2 - click on one of them to select the timestamp
3 - populate a panel that will show the events from another search, but look at all events around the time of the selected one.
Example: show me events 10 minutes before and after the selected one.
See this dashboard.
We use the field "epochtime" (in seconds) from the first table as the drilldown condition.
The second panel is populated by a search that uses a subsearch to craft a condition with earliest and latest set 10 minutes before and 10 minutes after the epochtime.
<dashboard>
  <label>time-drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal source=*splunkd.log ERROR | head 10
| eval epochtime=_time | table source _time epochtime _raw</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">false</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="wrap">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- clicking a row copies that row's epochtime (seconds) into the token -->
          <set token="epochtime">$row.epochtime$</set>
        </drilldown>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <!-- a table must sit inside a panel; the panel is hidden until the token is set -->
    <panel depends="$epochtime$">
      <table>
        <title>$epochtime$</title>
        <search>
          <query>index=_internal [
search index=_internal
| head 1 | eval earliest=$epochtime$ - 600 | eval latest= $epochtime$ + 600
| table earliest latest | format "(" "(" "" ")" "OR" ")" ]
| table _time source</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
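The same drilldown can be done without a subsearch by computing the window bounds in the drilldown itself with Simple XML's `<eval token>` element and feeding them straight into the second search's `<earliest>`/`<latest>`. The example below is added here as an illustration and is not the original poster's or answerer's dashboard; the token names (`tr`, `sel_epochtime`, `win_earliest`, `win_latest`) and the panel titles are my own choices, and the 600-second window is the 10 minutes from the question.

```xml
<form>
  <label>time-drilldown (eval-token variant)</label>
  <fieldset submitButton="false">
    <!-- time picker for the first panel only; the second panel is bounded by the clicked row -->
    <input type="time" token="tr">
      <label>Error list time range</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Recent splunkd errors (click a row)</title>
      <table>
        <search>
          <query>index=_internal source=*splunkd.log ERROR | head 10
| eval epochtime=_time | table source _time epochtime _raw</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <drilldown>
          <!-- epochtime is epoch seconds, so +/- 600 is a 10-minute window either side -->
          <set token="sel_epochtime">$row.epochtime$</set>
          <eval token="win_earliest">$row.epochtime$ - 600</eval>
          <eval token="win_latest">$row.epochtime$ + 600</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- the whole row stays hidden until a row has been clicked -->
  <row depends="$sel_epochtime$">
    <panel>
      <title>Events from $win_earliest$ to $win_latest$ (selected: $sel_epochtime$)</title>
      <table>
        <search>
          <!-- no subsearch: the window is applied as the search time range itself -->
          <query>index=_internal | table _time source</query>
          <earliest>$win_earliest$</earliest>
          <latest>$win_latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
```

Two things this variant buys you. The second search is time-bounded at the index level rather than running over all time (`<earliest>0</earliest>`) and filtering inside a subsearch, so it is cheaper on a busy `_internal` index. And the value taken from the clicked row is only ever used as a numeric time bound, never spliced into the query string, which keeps the drilldown token out of the SPL text where a non-numeric value could change the meaning of the search.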