
Simple XML: How to pass timestamps to a drilldown?

Explorer

Running Splunk 6.3.10

I'm running into an issue trying to pass a custom time to a drilldown for a table. The search runs over the Last 24 Hours, and has events with a time field. I want the tracker_drilldown form to run all of its searches based on the 30 minutes leading up to the _time field for the row I'm clicking on.

I've attempted that with the following; $click.value$ is the _time value of the row I'm clicking on:

<drilldown target="blank">
  <eval token="e">tonumber($click.value$-1800)</eval>
  <link>
    <![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
  </link>
</drilldown>

I'm trying to build a timestamp 1800 seconds before the end of the time range, but when tracker_drilldown gets pulled up, the Earliest time in the time picker is simply $e$.

Any ideas what is wrong with the eval expression that it isn't properly creating the token to use in the form?


Additional Info:

Here is a simplified representation of what the table I'm driving off of contains:
time..............................AccountDomain....................TIME
2017-06-30 22:22:00......CORPTST.................................1498875720

Excuse my poor formatting, couldn't get the HTML I was trying to show up


Re: Simple XML: How to pass timestamps to a drilldown?

Super Champion

Can you try $click.value2$ instead? Have you put <form script="showtokens.js"> to see if the tokens are created properly?


Re: Simple XML: How to pass timestamps to a drilldown?

Explorer

$click.value$ will include "Value of the left-most column in the clicked row." which in this case is my _time field, whereas $click.value2$ will include "Value of the clicked column." which could be anything the user clicks on.

Unfortunately I can't include that script as I work in a large enterprise and getting that enabled would take a good bit of time.


Re: Simple XML: How to pass timestamps to a drilldown?

Legend

@cmbusse, if your latest time is getting picked up correctly using $click.value$, you should try to use the relative_time() function within the eval tag to set the earliest time token to 30 minutes prior.

  <eval token="e">relative_time($click.value$,"-30min")</eval>

Please try it out and confirm.


Re: Simple XML: How to pass timestamps to a drilldown?

Explorer

I think you're on to something, but it still isn't 100% of the way there. Using your recommendation, $e$ is properly passing to the time picker in the drilldown, however it is passing as the following:

Advanced
Earliest: Latest:
-1800 1498875720.000 (This is the proper value still)

So it looks like $e$ is actually passing now, but that it isn't interpreting $click.value$ properly as an epochtime. I've tried adding in an additional column to the table that is just the flat epochtime and passing that to relative_time, but I'm still having the same issue. Any ideas why relative_time might not be picking up that first variable as an epochtime field?


Re: Simple XML: How to pass timestamps to a drilldown?

Legend

Do you have a _time field in the table? Is it the first column of the table? If not, what is the time field name in your table?


Re: Simple XML: How to pass timestamps to a drilldown?

Explorer

Indeed _time is the first column of the table, there's an example of the table the drilldown is on in the main question above.


Re: Simple XML: How to pass timestamps to a drilldown?

Champion

There are a couple of things slightly off and another matter you have to prevent.

Reference docs: https://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/EventHandlerReference#Drilldown_event_tokens

First, everyone should note that $click.value$ only applies if a person clicks on the chart (not the legend) and it represents the value of _time at the beginning of the time bucket segment. If you look at the reference doc above, you will note that the table also says you can use $earliest$ and $latest$ to get the beginning and end times for the chart time segment you click on.

So, you can use either $click.value$ or $earliest$ to get the proper start time before doing the offset, but you have to also prevent the user from clicking on the legend. To do that, see the second half of my post here: https://answers.splunk.com/answers/33543/disable-chart-legend-drilldown-keep-chart-cell-drilldown.ht...

Basically, you ignore the user's drilldown if the field $row._span$ does not exist when dealing with proper timecharts.

So, putting this all together, a working solution should hopefully look like the following. I always use the $earliest$ token in this kind of use case because I know what the output format is. I don't think you get that guarantee with $click.value$ but I could be wrong.

<drilldown target="_blank">
  <condition match="isnotnull('row._span')">
    <eval token="e">$earliest$ - 1800</eval>
    <link>
      <![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
    </link>
  </condition>
  <condition></condition>
</drilldown>


Re: Simple XML: How to pass timestamps to a drilldown?

Explorer

Hey rjthibod, unfortunately the panel I'm working off of is a table, and using earliest will default to the beginning of the search window as it is not a chart. I appreciate the other info though!


Re: Simple XML: How to pass timestamps to a drilldown?

Champion

Can you share then what your data actually looks like? Especially how the time field is represented in the table.
