Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- help on timechart click value
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
01-17-2022
07:16 AM
hello
I use a click value token on my timechart in order to display details
it works but now what I need is when I click on a specific bar of my timechart (it means a bar for a specific day) I need to display only the data for this date
how to do this please
<search>
<query>index=tutu sourcetype=toto ezconf=$ezconf$
| timechart span=1d count(hang)as hang</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<drilldown>
<set token="hang">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel depends="$hang$">
<title></title>
<table>
<title></title>
<search>
<query>index=toto sourcetype=tutu ezconf=$ezconf$
| eval time = strftime(_time, "%d-%m-%y %H:%M")
| sort - time
| table time hang</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tscroggins
Influencer
01-17-2022
08:34 AM
The earliest and latest values are available as tokens:
<drilldown>
<set token="earliest_tok">$earliest$</set>
<set token="latest_tok">$latest$</set>
</drilldown>You can use these tokens in your other visualization searches:
<search>
<query>index=toto sourcetype=tutu ezconf=$ezconf$
| eval time = strftime(_time, "%d-%m-%y %H:%M")
| sort - time
| table time hang</query>
<earliest>$earliest_tok$</earliest>
<latest>$latest_tok$</latest>
</search>You can initialize earliest_tok and latest_tok to default values using a time input or a combination of <init> and <set> tags.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tscroggins
Influencer
01-17-2022
08:34 AM
The earliest and latest values are available as tokens:
<drilldown>
<set token="earliest_tok">$earliest$</set>
<set token="latest_tok">$latest$</set>
</drilldown>You can use these tokens in your other visualization searches:
<search>
<query>index=toto sourcetype=tutu ezconf=$ezconf$
| eval time = strftime(_time, "%d-%m-%y %H:%M")
| sort - time
| table time hang</query>
<earliest>$earliest_tok$</earliest>
<latest>$latest_tok$</latest>
</search>You can initialize earliest_tok and latest_tok to default values using a time input or a combination of <init> and <set> tags.
Get Updates on the Splunk Community!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
4 Ways the Splunk Community Helps You Prepare for .conf25
.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
