Running Splunk 6.3.10
I'm running into an issue trying to pass a custom time to a drilldown for a table. The search runs over the Last 24 Hours, and has events with a _time field. I want the tracker_drilldown form to run all of its searches based on the 30 minutes leading up to the _time field for the row I'm clicking on.
I've attempted that with the following, where $click.value$ is the _time value of the row I'm clicking on:
<drilldown target="_blank">
<eval token="e">tonumber($click.value$-1800)</eval>
<link>
<![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
</link>
</drilldown>
I'm trying to build a timestamp 1800 seconds before the end of the time range, but when tracker_drilldown gets pulled up, the Earliest time in the time picker is simply $e$.
Any ideas what is wrong with the eval expression that it isn't properly creating the token to use in the form?
Additional Info:
Here is a simplified representation of what the table I'm driving off of contains:
_time                  Account_Domain    TIME
2017-06-30 22:22:00    CORPTST           1498875720
Excuse my poor formatting, couldn't get the HTML I was trying to show up
There are a couple of things slightly off and another matter you have to prevent.
Reference docs: https://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/EventHandlerReference#Drilldown_event_tokens
First, everyone should note that $click.value$ only applies if a person clicks on the chart (not the legend), and it represents the value of _time at the beginning of the time bucket segment. If you look at the reference doc above, you will note that the table also says you can use $earliest$ and $latest$ to get the beginning and end times for the chart time segment you click on.
So, you can use either $click.value$ or $earliest$ to get the proper start time before doing the offset, but you have to also prevent the user from clicking on the legend. To do that, see the second half of my post here: https://answers.splunk.com/answers/33543/disable-chart-legend-drilldown-keep-chart-cell-drilldown.ht...
Basically, you ignore the user's drilldown if the field $row._span$ does not exist when dealing with proper timecharts.
So, putting this all together, a working solution should hopefully look like the following. I always use the $earliest$ token in this kind of use case because I know what the output format is. I don't think you get that guarantee with $click.value$, but I could be wrong.
<drilldown target="_blank">
<condition match="isnotnull('row._span')">
<eval token="e">$earliest$ - 1800</eval>
<link>
<![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
</link>
</condition>
<condition></condition>
</drilldown>
Hey rjthibod, unfortunately the panel I'm working off of is a table, and using earliest will default to the beginning of the search window as it is not a chart. I appreciate the other info though!
Can you share then what your data actually looks like? Especially how the time field is represented in the table.
Sure thing, additional info added in the main question. The closest I have been able to get to is:
<drilldown target="_blank">
<eval token="e">relative_time($row.TIME$,"-30m")</eval>
<link>
<![CDATA[tenable_tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
</link>
</drilldown>
This is now properly passing the token $e$ into the drilldown's time picker earliest field; however, the value that is getting passed is simply -1800. It doesn't look like it is properly reading $row.TIME$ (or $click.value$ or $row._time$ when I tried with those) as an epoch time and applying the subtraction to it before passing it over.
What happens if you use <eval token="e">$row._time$ - 1800</eval> ?
$row._time$, $row.TIME$ and $click.value$ with -1800 all get me back to the token $e$ not being properly formed, and passing over to the time picker simply as "$e$", which is an invalid input. This one has really got me stumped...
Two questions: how do you calculate TIME, and what is the drilldown option setting on your table?
@rjthibod, I think this is a good point. If TIME in the table is a string time created from strftime, then it will be in string format.
@cmbusse, if you have used something like following to come up with the Time field,
| eval Time=strftime(_time,"%Y/%m/%d %H:%M:%S")
Then use fieldformat instead. This will display _time as a string time; however, its underlying value will be epoch time:
| fieldformat _time=strftime(_time,"%Y/%m/%d %H:%M:%S")
PS: the string date format may change as per your use case.
Once you ensure the _time field is present in your table and it is the first column, then $click.value$ should work. Even if it is not the first column, you can use $row._time$ instead.
TIME is calculated as so:
| eval TIME=_time
Right now the Drilldown option for the panel is set to Row, but I've tried it with Cell as well to the same result.
I think I got it. Stupid issue in 6.3.
<eval token="e">'row.TIME' - 1800</eval>
You use the single ticks instead of the dollar sign.
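For reference, here is how the working pieces from this thread fit into one complete Simple XML panel: the table keeps _time as epoch in a TIME column (as the asker did), the drilldown uses the single-quoted token reference that worked on 6.3, and the link passes the 30-minute window to the tracker_drilldown form. This is an added example, not code posted in the thread; the index, sourcetype and time input token are placeholders.

```xml
<form>
  <label>Account activity (added example, not from the thread)</label>
  <fieldset submitButton="false">
    <input type="time" token="range">
      <label>Search window</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Placeholder index/sourcetype; TIME keeps the raw epoch value so the eval below can subtract from it -->
          <query>index=PLACEHOLDER_INDEX sourcetype=PLACEHOLDER_SOURCETYPE
| eval TIME=_time
| table _time user Account_Domain TIME</query>
          <earliest>$range.earliest$</earliest>
          <latest>$range.latest$</latest>
        </search>
        <!-- Row drilldown so a click anywhere on the row carries the row's _time as $click.value$ -->
        <option name="drilldown">row</option>
        <drilldown target="_blank">
          <!-- On 6.3 the token must be referenced with single quotes here; $row.TIME$ produced an unformed token -->
          <eval token="e">'row.TIME' - 1800</eval>
          <link>
            <![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

The target form must have a time input whose token is named time and a text input whose token is named user for the form.* parameters in the link to populate them.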
@rjthibod holy moly it worked, that is incredibly frustrating that it comes down to something this small. Really appreciate the help from both you and @niketnilay !!!
Yea, crazy frustrating. If you are coming to Splunk .conf 2017, you can see my talk on the ins-and-outs of tokens. This is akin to some of the things I will talk about.
@cmbusse, if your latest time is getting picked up correctly using $click.value$, you should try to use the relative_time() function within the eval tag to set the earliest time token to 30 minutes prior:
<eval token="e">relative_time($click.value$,"-30min")</eval>
Please try it out and confirm.
I think you're on to something, but it still isn't 100% of the way there. Using your recommendation, $e$ is properly passing to the time picker in the drilldown, however it is passing as the following:
Advanced
Earliest: -1800
Latest: 1498875720.000 (This is the proper value still)
So it looks like $e$ is actually passing now, but that it isn't interpreting $click.value$ properly as an epoch time. I've tried adding an additional column to the table that is just the flat epoch time and passing that to relative_time, but I'm still having the same issue. Any ideas why relative_time might not be picking up that first variable as an epoch time field?
Do you have the _time field in the table? Is it the first column of the table? If not, what is the time field name in your table?
Indeed _time is the first column of the table, there's an example of the table the drilldown is on in the main question above.
Can you try $click.value2$ instead? Have you put <form script="showtokens.js"> in to see if the tokens are created properly?
$click.value$ will include the "Value of the left-most column in the clicked row", which in this case is my _time field, whereas $click.value2$ will include the "Value of the clicked column", which could be anything the user clicks on.
Unfortunately I can't include that script as I work in a large enterprise and getting that enabled would take a good bit of time.