Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use Time format picker

sahana
Engager
‎02-20-2022 10:24 PM

Hi,

i have an requirement as like below.

TimeStamp LoginUsers Avg SLA Min SLA  Max SLA
20-02-2022 11:30 35 1 1 3.4
20-02-2022 11:45 40 1.3 1 5.3
20-02-2022 12:00 32 2.4 1 7.6
20-02-2022 12:15 53 1.2 1 4.2
20-02-2022 12:30 44 2.3 1 3.5

 

I have an above dashboard panel which was showing up on 15minutes span. Onclick of max SLA we are suppose to get the particular splunk log event in new tab. may  i know how we can work on this.

Labels (1)
Labels
0 Karma
Reply

tshah-splunk
Splunk Employee
Splunk Employee
‎02-22-2022 05:01 AM

Additionally, if you want to have the event opened up in a new tab upon clicking on the SLA value in the table, you will need to define drilldown and link it to a search. You can find the related information here - https://docs.splunk.com/Documentation/Splunk/8.2.4/Viz/DrilldownLinkToSearch 

Be sure of using variables like $click.value$ and $click.value2$ while using drilldown to achieve proper use case

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-20-2022 10:39 PM

Hi @sahana,

I don't know how you want to calculate avg, max and min, if you could share some additional info (e.g. examples of your logs and the aggregation logic) I could help you better in this,.

Anyway, the approach is to bin your events using the bin command and then use the stats command.

So, if you have a duration value in your events, you could run a stats command like this:

index=your_index
| bin span=15m _time
| stats count AS LoginUsers avg(duration) AS "Avg SLA" min(duration) AS "Min SLA" max(duration) AS "Max SLA" BY _time
| TimeStamp=strftime(_time,"%d-%m-%Y %H:%M")
| table TimeStamp LoginUsers "Avg SLA" "Min SLA" "Max SLA"

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...