I want to show event in drilldown for specific timestamp I click on in source dashboard table.
Please help me with this.
Hi @sachinbansal,
If you are having timechart and you want to see events related to point you click on it, follow below steps:
One thing you require to understand is that the point you see on timechart is not necessarily related to only one event. As timechart groups the event to limit the data points. For example if you choose Last 24 hours it groups the data in 1 hour of span and on drilldown you will see related events.
But if you want to use some other dashboard to panel to show you can use $earliest$
and $latest$
to get earliest value and latest value use it like below to drilldown.
<drilldown>
<link target="_blank">/app/my_app/new_dashboard?earliest=$earliest$&latest=$latest$</link>
</drilldown>
Hope this helps!!!
Hi @sachinbansal,
If you are having timechart and you want to see events related to point you click on it, follow below steps:
One thing you require to understand is that the point you see on timechart is not necessarily related to only one event. As timechart groups the event to limit the data points. For example if you choose Last 24 hours it groups the data in 1 hour of span and on drilldown you will see related events.
But if you want to use some other dashboard to panel to show you can use $earliest$
and $latest$
to get earliest value and latest value use it like below to drilldown.
<drilldown>
<link target="_blank">/app/my_app/new_dashboard?earliest=$earliest$&latest=$latest$</link>
</drilldown>
Hope this helps!!!
Hi,
I completely understand your point but my objective is different.
I have a table in source dashboard and when i click anywhere in any row it should shows the complete event of that selected row ( or you can say from which particular event those row values are extracted) in drilldown search. As in table i have statistical data but in drill down search i want that full event.
i have _time column in my table so i try to use '|where _time=$click.value$' but it is not working.
Thanks a lot!!
If you want to use click.value then _time field should be the first column of your table if it is not then use $row._time$ instead. And _time should not be in epoch format only not in string. If it is converted then you can try converting back to epoch format as suggested by @niketn in the comment with eval as <eval token="earliest_time">strptime($click.value$, <format of the string>)</eval>
.
<drilldown>
<eval token="latest_time">$click.value$+$row._span$</eval>
<link target="_blank">/app/my_app/search?q=index=_internal&earliest=$click.value$&latest=$latest_time$</link>
</drilldown>
@VatsalJagani - It worked. Thanks a lot 🙂
@sachinbansal - Nice to here that. Please approve and up-vote if you like it. So future user get benefit. Thanks!!!
Accepted your answer. Anything else i need to do?
No. Thanks a lot!!, If you like it up-vote the answer. I hope you are getting proper guidance from Splunk-Answers community.
yes. thanks
@sachinbansal if your ask is to get the earliest and latest from timechart table you can refer to the following workaround based answer https://answers.splunk.com/answers/587132/drilldown-pass-the-earliest-and-latest-from-a-time.html
<drilldown>
<eval token="drilldown.earliest">strptime($row._time$,"%Y-%m-%d %H:%M:%S")</eval>
<eval token="drilldown.latest">strptime($row._time$,"%Y-%m-%d %H:%M:%S") + $row._span$</eval>
</drilldown>
Hi Niketn,
I do not want to pass earliest and latest from timechart table. I want that when i click on any row in table it should drill down to that particular full event.
Regards,
Sachin
Hi sachinbansal,
I suggest to see the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) where you can find very useful examples of hot to drilldown from a table.
Anyway, let me understand:
Correct?
If this is your request, you have to insert in the main dashboard, in your panel's source this section:
<drilldown>
<link target="_blank">/app/my_app/new_dashboard?_time=$click.value2$</link>
</drilldown>
Then in the secondary dashboard, you have to insert the token.
Bye.
Giuseppe
Hi Giuseppe,
When i click on table row it then in drilldown it should show me that event in full.
Regards,
Sachin
More information would be helpful, but it could be as simple as passing $row._time$
to your drilldown search.
i tried "where _time=$clicked.value$(where i click on timestamp)" in drilldwon search but it is not working.
@richgalloway - how do i pass that ?
The correct term is $click.value$
, but that assumes the user clicked on a cell with a time in it. That's why is suggested `$row._time$. See https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/DrilldownIntro for more.