Running Splunk 6.3.10
I'm running into an issue trying to pass a custom time to a drilldown for a table. The search runs over the Last 24 Hours, and has events with a time field. I want the tracker_drilldown form to run all of its searches based on the 30 minutes leading up to the _time field for the row I'm clicking on.
I've attempted that with the following, $click.value$ is the _time value of the row I'm clicking on:
<drilldown target="blank">
  <eval token="e">tonumber($click.value$-1800)</eval>
  <link>
    <![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
  </link>
</drilldown>
I'm trying to build a timestamp 1800 seconds before the end of the time range, but when tracker_drilldown gets pulled up, the Earliest time in the time picker is simply $e$.
Any ideas what is wrong with the eval expression that it isn't properly creating the token to use in the form?
Here is a simplified representation of what the table I'm driving off of contains:
Excuse my poor formatting, couldn't get the HTML I was trying to show up
Can you try $click.value2$ instead? Have you put <form script="showtokens.js"> to see if the tokens are created properly?
$click.value$ will include "Value of the left-most column in the clicked row." which in this case is my _time field, whereas $click.value2$ will include "Value of the clicked column." which could be anything the user clicks on.
Unfortunately I can't include that script as I work in a large enterprise and getting that enabled would take a good bit of time.
@cmbusse, if your latest time is getting picked up correctly using $click.value$, you should try to use the relative_time() function within the eval tag to set the earliest time token to 30 minutes prior.
Please try it out and confirm.
I think you're on to something, but it still isn't 100% of the way there. Using your recommendation, $e$ is properly passing to the time picker in the drilldown, however it is passing as the following:
-1800 1498875720.000 (This is the proper value still)
So it looks like $e$ is actually passing now, but that it isn't interpreting $click.value$ properly as an epochtime. I've tried adding in an additional column to the table that is just the flat epochtime and passing that to relative_time, but I'm still having the same issue. Any ideas why relative_time might not be picking up that first variable as an epochtime field?
Do you have a _time field in the table? Is it the first column of the table? If not, what is the time field name in your table?
Indeed _time is the first column of the table, there's an example of the table the drilldown is on in the main question above.
There are a couple of things slightly off and another matter you have to prevent.
First, everyone should note that $click.value$ only applies if a person clicks on the chart (not the legend) and it represents the value of _time at the beginning of the time bucket segment. If you look at the reference doc above, you will note that the table also says you can use $latest$ to get the beginning and end times for the chart time segment you click on.
So, you can use either $earliest$ to get the proper start time before doing the offset, but you have to also prevent the user from clicking on the legend. To do that, see the second half of my post here: https://answers.splunk.com/answers/33543/disable-chart-legend-drilldown-keep-chart-cell-drilldown.ht...
Basically, you ignore the user's drilldown if the field $row._span$ does not exist when dealing with proper timecharts.
So, putting this all together, a working solution should hopefully look like the following. I always use the $earliest$ token in this kind of use case because I know what the output format is. I don't think you get that guarantee with $click.value$ but I could be wrong.
<drilldown target="_blank">
  <condition match="isnotnull('row._span')">
    <eval token="e">$earliest$ - 1800</eval>
    <link>
      <![CDATA[tracker_drilldown?form.user=$row.user$&form.time.latest=$click.value$&form.time.earliest=$e$]]>
    </link>
  </condition>
  <condition></condition>
</drilldown>
Hey rjthibod, unfortunately the panel I'm working off of is a table, and using earliest will default to the beginning of the search window as it is not a chart. I appreciate the other info though!
Can you share then what your data actually looks like? Especially how the time field is represented in the table.