While using the drill-down from dashboard panel1 to panel2, I want to pass the Time from panel1 to panel1 when a user clicked on the selected row in panel.
I am displaying time in String format in panel1 and I want to pass time in the number format to panel2. For that I am using eval function in tokens.
eval time_number=strptime(time_number,"%Y%m%d %H:%M:%S").
But I am not getting the same time value to panel2 from panel while using the above eval. If I am passing the time in number directly from panel1 to panel2, I am able to see the same value to reflecting in the panel2. I don't want to show the time in number format in panel1.
Please let me know how it can be handled.
@potnuru
You can use different columns for both purposes.
Please check below XML for same. Here, _time_number
is used for time in number and time_number
is for time in readable format.
<dashboard>
<label>Panel to Panel</label>
<row>
<panel>
<table>
<title>Panel 1</title>
<search>
<query>| makeresults count=3 | eval Data=1 | accum Data | eval time_number=strftime(_time+Data,"%Y%m%d %H:%M:%S")
| rename comment as "Upto this is for data generation only"
| eval _time_number=strptime(time_number,"%Y%m%d %H:%M:%S") </query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="clicked_value">$row._time_number$</set>
</drilldown>
<fields>Data</fields>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Panel 2</title>
<search>
<query>| makeresults | eval clicked_value="$clicked_value$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</dashboard>
@potnuru if your intent is to display human readable string time in the table however, drilldown using the epoch time, then there are four options you can use including the one suggested by @kamlesh_vaghela which is available as an example in the Splunk Dashboard Examples app on Splunkbase.
If you would notice all four tables in the screenshot below show time as string time in the table however, the drilldown token in the table title is epoch.
Option 1: if _time
is the first
field in table then use $click.value$
table drilldown token to access epoch time.
Option 2: the table <drilldown>
event handler can have <eval>
section to convert string time in the table and set token as epoch time.
Option 3: Create a separate field for epoch timestamp apart from string time stamp field for displaying in the table. Make the epoch timestamp field hidden by prefixing the field name with underscore character. In the example it is _hiddenTimeEpochForDrilldown
.
Option 4: hidden field through <fields>
<table>
Simple XML
configuration option. If out of 3 fields in the table only 2 are listed in the fields section then, third field is still available for drilldown but not displayed in the table. In the following example it is <fields>["time_number","data"]</fields>
. (Kamlesh also has posted same example.)
Following is a run anywhere dashboard with examples of all four approaches:
<dashboard>
<label>Table with Time Drilldown</label>
<row>
<panel>
<title>Option 1 - if _time is the first field in table then use click.value table drilldown token to access epoch time</title>
<table>
<title>Clicked row Time Epoch: $tokTimeNumberOption1$</title>
<search>
<query>| makeresults count=5
| eval data=random(), data=substr(data,0,3), delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| table _time data</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="tokTimeNumberOption1">$click.value$</set>
</drilldown>
</table>
</panel>
<panel>
<title>Option 2 - drilldown eval to set token as epoch</title>
<table>
<title>Clicked row Time Epoch: $tokTimeNumberOption2$</title>
<search>
<query>| makeresults count=5
| eval data=random(), data=substr(data,0,3), delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| rename _time as time_number
| table time_number data
| eval time_number=strftime(time_number,"%Y/%m/%d %H:%M:%S")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<eval token="tokTimeNumberOption2">strptime($row.time_number$,"%Y/%m/%d %H:%M:%S")</eval>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Option 3 - keep epoch time field hidden by prefixing fieldname with underscore and use for drilldown</title>
<table>
<title>Clicked row Time Epoch: $tokTimeNumberOption3$</title>
<search>
<query>| makeresults count=5
| eval data=random(), data=substr(data,0,3), delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| rename _time as time_number
| table time_number data
| eval _hiddenTimeEpochForDrilldown=time_number
| eval time_number=strftime(time_number,"%Y/%m/%d %H:%M:%S")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="tokTimeNumberOption3">$row._hiddenTimeEpochForDrilldown$</set>
</drilldown>
</table>
</panel>
<panel>
<title>Option 4 - hidden field through <fields> table SimpleXML configuration option</title>
<table>
<title>Clicked row Time Epoch: $tokTimeNumberOption4$</title>
<search>
<query>| makeresults count=5
| eval data=random(), data=substr(data,0,3), delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| rename _time as time_number
| table time_number data
| eval hiddenTimeEpochForDrilldown=time_number
| eval time_number=strftime(time_number,"%Y/%m/%d %H:%M:%S")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<fields>["time_number","data"]</fields>
<drilldown>
<set token="tokTimeNumberOption4">$row.hiddenTimeEpochForDrilldown$</set>
</drilldown>
</table>
</panel>
</row>
</dashboard>
Please try out and confirm. Hope at least one option works out for you! 🙂
Hi @niketnilay
Thank you so much for your explanation. It not only helped me in fulfilling my requirement but also It gave me the idea on how to deal with time tokens in different ways.
I liked the Option 2 in all the options, but there is one problem with the Option 2, it is changing the actual Time(Even though the _time is same in all the Panels 1,2,3,4 the Epoch time of Panel 2 is different). Could you please check and let me know how to deal with it.
@potnuru
You can use different columns for both purposes.
Please check below XML for same. Here, _time_number
is used for time in number and time_number
is for time in readable format.
<dashboard>
<label>Panel to Panel</label>
<row>
<panel>
<table>
<title>Panel 1</title>
<search>
<query>| makeresults count=3 | eval Data=1 | accum Data | eval time_number=strftime(_time+Data,"%Y%m%d %H:%M:%S")
| rename comment as "Upto this is for data generation only"
| eval _time_number=strptime(time_number,"%Y%m%d %H:%M:%S") </query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="clicked_value">$row._time_number$</set>
</drilldown>
<fields>Data</fields>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Panel 2</title>
<search>
<query>| makeresults | eval clicked_value="$clicked_value$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</dashboard>
Thank you Kamlesh for your answer, but here my requirement is not to show the time_number in the panel1.
@potnuru
You can use <fields>
tag to restrict fields to be displayed in Panel 1. Please check below code in my updated answer and try.
<fields>Data</fields>
Please let me know It helps you or not
Yes we can restrict the fields to be displayed in the Panel1 but if we are not displaying the time_number in the Panel1 how can we pass that parameter to Panel2.
@potnuru
regardless displaying time_number
in table as a column, we can use $row.time_number$
to access time_number
field value. You have to just make sure you search should have time_number
field.
It's not working, if I am removing the field time_number from panel1 by using | fields - time_number command. Then I am not able to access $row.time_number$ token.
Yes @potnuru, Here you can see in my example _time_number
field. Create that field in your search and use in drilldown.
<drilldown>
<set token="clicked_value">$row._time_number$</set>
</drilldown>
It's working now Kamlesh. Thank you for the help.
All the time I'm thinking about the fields command in Search Query but not the tag as I'm completely unaware of it 🙂
Is it ? I will check and let you know whether it worked. Thank You.