Getting Data In

Simple XML: How to pass timestamps to a drilldown?

cmbusse
Explorer

Running Splunk 6.3.10

I'm running into an issue trying pass a custom time to a drilldown for a table. The search runs over the Last 24 Hours, and has events with a _time field. I want the tracker_drilldown form to run all of its searches based on the 30 minutes leading up to the _time field for the row I'm clicking on.

I've attempted that with the following, $click.value$ is the _time value of the row I'm clicking on:

<drilldown target="blank">
  <eval token="e">tonumber($click.value$-1800)</eval>
  <link>
    <![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
  </link>
</drilldown>

I'm trying to build a timestamp 1800 seconds before the end of the time range, but when tracker_drilldown gets pulled up, the Earliest time in the time picker is simply $e$.

Any ideas what is wrong with the eval expression that it isn't properly creating the token to use in the form?


Additional Info:

Here is a simplified representation of what the table I'm driving off of contains:
_time..............................Account_Domain....................TIME
2017-06-30 22:22:00......CORPTST.................................1498875720

Excuse my poor formatting, couldn't get the HTML I was trying to show up

0 Karma
1 Solution

rjthibod
Champion

There are a couple of things slightly off and another matter you have to prevent.

Reference docs: https://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/EventHandlerReference#Drilldown_event_tokens

First, everyone should note that $click.value$ only applies if a person clicks on the chart (not the legend) and it represents the value of _time at the beginning of the time bucket segment. If you look at the reference doc above, you will note that the table also says you can use $earliest$ and $latest$ to get the beginning and end times for the chart time segment you click on.

So, you can use either $click.value$ or $earliest$ to get the proper start time before doing the offset, but you have to also prevent the user from clicking on the legend. To do that, see the second half of my post here: https://answers.splunk.com/answers/33543/disable-chart-legend-drilldown-keep-chart-cell-drilldown.ht...

Basically, you ignore the user's drilldown if the field $row._span$ does not exist when dealing with proper timecharts.

So, putting this altogether, a working solution should hopefully look like the following. I always use the $earliest$ token in this kind of use case because I know what the output format is. I don't think you get that guarantee with $click.value$ but I could b be wrong.

<drilldown target="_blank">
  <condition match="isnotnull('row._span')">
    <eval token="e">$earliest$ - 1800</eval>
   <link>
     <![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
   </link>
  </condition>
  <condition></condition>
</drilldown>

View solution in original post

0 Karma

rjthibod
Champion

There are a couple of things slightly off and another matter you have to prevent.

Reference docs: https://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/EventHandlerReference#Drilldown_event_tokens

First, everyone should note that $click.value$ only applies if a person clicks on the chart (not the legend) and it represents the value of _time at the beginning of the time bucket segment. If you look at the reference doc above, you will note that the table also says you can use $earliest$ and $latest$ to get the beginning and end times for the chart time segment you click on.

So, you can use either $click.value$ or $earliest$ to get the proper start time before doing the offset, but you have to also prevent the user from clicking on the legend. To do that, see the second half of my post here: https://answers.splunk.com/answers/33543/disable-chart-legend-drilldown-keep-chart-cell-drilldown.ht...

Basically, you ignore the user's drilldown if the field $row._span$ does not exist when dealing with proper timecharts.

So, putting this altogether, a working solution should hopefully look like the following. I always use the $earliest$ token in this kind of use case because I know what the output format is. I don't think you get that guarantee with $click.value$ but I could b be wrong.

<drilldown target="_blank">
  <condition match="isnotnull('row._span')">
    <eval token="e">$earliest$ - 1800</eval>
   <link>
     <![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
   </link>
  </condition>
  <condition></condition>
</drilldown>
0 Karma

cmbusse
Explorer

Hey rjthibod, unfortunately the panel I'm working off of is a table, and using earliest will default to the beginning of the search window as it is not a chart. I appreciate the other info though!

0 Karma

rjthibod
Champion

Can you share then what your data actually looks like? Especially how the time field is represented in the table.

0 Karma

cmbusse
Explorer

Sure thing, additional info added in the main question. The closest I have been able to get to is:

        <drilldown target="blank">
          <eval token="e">relative_time($row.TIME$,"-30m")</eval>
          <link>
            <![CDATA[tenable_tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
          </link>
        </drilldown>

Which is now properly passing the token of $e$ into the drilldown's time picker earliest field, however the value that is getting passed is simply -1800, it doesn't look like it is properly reading $row.TIME$ (or $click.value$ or $row._time$ when I tried with those) as an epochtime and applying the subtraction to it before passing it over.

0 Karma

rjthibod
Champion

what happens if you use <eval token="e">$row._time$ - 1800</eval>?

0 Karma

cmbusse
Explorer

$row._time$ $row.TIME$ and $click.value$ with -1800 all get me back to the token of $e$ not being properly formed, and passing over to the time picker simply as "$e$" which is an invalid input. This one has really got me stumped...

0 Karma

rjthibod
Champion

Two questions, how do you calculate TIME and what is the drilldown option setting on your table?

0 Karma

niketn
Legend

@rjthibod.. I think this is good point. If TIME in table is string time created from strftime then it will be in string format.

@cmbusse, if you have used something like following to come up with the Time field,

  | eval Time=strftime(_time,"%Y/%m/%d %H:%M:%S")

Then use fieldformat instead, this will Display _time as String time however its underlying value will be epochtime:

 | fieldformat _time=strftime(_time,"%Y/%m/%d %H:%M:%S")

PS, string date format may change as per your use case.
Once you ensure _time field is present in your table and it is the first column then $click.value$ should work event if it is not the first column then you can use $row._time$ instead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

cmbusse
Explorer

TIME is calculated as so:

| eval TIME=_time

Right now the Drilldown option for the panel is set to Row, but I've tried it with Cell as well to the same result.

0 Karma

rjthibod
Champion

I think I got it. Stupid issue in 6.3.

<eval token="e">'row.TIME' - 1800</eval>

You use the single ticks instead of the dollar sign.

cmbusse
Explorer

@rtjhibod holy moly it worked, that is incredibly frustrating that it comes down to something this small. Really appreciate the help from both you and @niketnilay !!!

0 Karma

rjthibod
Champion

Yea, crazy frustrating. If you are coming to Splunk .conf 2017, you can see my talk on the ins-and-outs of tokens. This akin to some of the things I will talk about.

0 Karma

niketn
Legend

@cmbusse, if your latest time is getting picked up correctly using $click.value$, you should try to use relative_time() function within eval tag to set earliest time token to 30 minutes prior)

  <eval token="e">relative_time($click.value$,"-30min")</eval>

Please try out an confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cmbusse
Explorer

I think you're on to something, but it still isn't 100% of the way there. Using your recommendation, $e$ is properly passing to the time picker in the drilldown, however it is passing as the following:

Advanced
Earliest: Latest:
-1800 1498875720.000 (This is the proper value still)

So it looks like $e$ is actually passing now, but that it isn't interpreting $click.value$ properly as an epochtime. I've tried adding in an additional column to the table that is just the flat epochtime and passing that to the relative_time, but still having the same issue. Any ideas why the relative_time might not be picking up that first variable as an epochtime field?

0 Karma

niketn
Legend

Do you have _time field in the table? Is it the first column of the table? If not have what is the time field name in your table?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cmbusse
Explorer

Indeed _time is the first column of the table, there's an example of the table the drilldown is on in the main question above.

0 Karma

cmerriman
Super Champion

can you try $click.value2$ instead? have you put <form script="showtokens.js"> to see if the tokens are created properly?

0 Karma

cmbusse
Explorer

$click.value$ will include "Value of the left-most column in the clicked row." which in this case is my _time field, where as $click.value2$ will include "Value of the clicked column." which could be anything the user clicks on.

Unfortunately I can't include that script as I work in a large enterprise and getting that enabled would take a good bit of time.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...