Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to build a form that does a drilldown to events around the selected event timestamp

yannK
Splunk Employee
Splunk Employee
‎09-27-2016 01:02 PM

How to build a form that does a drilldown to events around the selected event timestamp

1 - show a list of results
2 - click on one of them to select the timestamp
3 - populate a panel that will show the events from another search, but look at all events around the time of the selected one.

example : show me events 10 minutes before and after the selected one

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎09-27-2016 01:05 PM

see this dashboard.
We use the field "epochtime" (in seconds) from the first table to use as a drilldown condition.
the second panel is populated by a search that uses a subsearch to craft a condition looking 10 minutes earliest and 10 minutes latest around the epochtime

link text

<dashboard>
  <label>time-drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal source=*splunkd.log ERROR | head 10 
            | eval epochtime=_time | table source _time epochtime _raw</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">false</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="wrap">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="epochtime">$row.epochtime$</set>
        </drilldown>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <table depends="$epochtime$">
      <title>$epochtime$</title>
      <search>
        <query>index=_internal    [  
  search                              index=_internal 
| head 1  | eval earliest=$epochtime$ - 600 | eval latest= $epochtime$ + 600 
          | table earliest latest           | format "(" "(" "" ")" "OR" ")"              ]

| table _time source</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</dashboard>

View solution in original post

timedrilldownxml.zip
0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎09-27-2016 01:05 PM

see this dashboard.
We use the field "epochtime" (in seconds) from the first table to use as a drilldown condition.
the second panel is populated by a search that uses a subsearch to craft a condition looking 10 minutes earliest and 10 minutes latest around the epochtime

link text

<dashboard>
  <label>time-drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal source=*splunkd.log ERROR | head 10 
            | eval epochtime=_time | table source _time epochtime _raw</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">false</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="wrap">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <drilldown>
          <set token="epochtime">$row.epochtime$</set>
        </drilldown>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <table depends="$epochtime$">
      <title>$epochtime$</title>
      <search>
        <query>index=_internal    [  
  search                              index=_internal 
| head 1  | eval earliest=$epochtime$ - 600 | eval latest= $epochtime$ + 600 
          | table earliest latest           | format "(" "(" "" ")" "OR" ")"              ]

| table _time source</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</dashboard>
timedrilldownxml.zip
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...