Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Chart Drill Down changes Date time range

shayhibah
Path Finder
‎10-02-2018 02:05 AM

I have a dashboard with a chart inside it.

The query of the chart is:

base_search | eval _time = time| bucket _time span=24h | chart count over _time by app_risk| fields _time,Critical,High,Medium,Low

The drill down settings are: On Click=Link to Search & Auto.

When clicking on "High" category on specific date, I would like to see the events related to this combination of risk and date.

For some reason, I have no results after drilling down.

For example: I click on events from Sep 15 - I expect the rime range to be Sep 15 00:00:00,000 to Sep 15 23:59:59,999 but (!) the time range is Sep 15 00:00:00,000 to Sep 15 00:00:00,001

Can someone tell me why the results are not related to the specific column date?

0 Karma
Reply

HiroshiSatoh
Champion
‎10-02-2018 02:57 AM

The time range is set from _time of the result by default.
ex.
_time="9/16/18 3:00:00.000"

It is necessary to set the start and end time of each line in the search sentence and give it to the search sentence of the drill down etc.

ex.

  <link>
    <![CDATA[search?q=search index=XXX earliest="$row.earlest_time$" latest="$row.latest_time$" ]]>
  </link>
0 Karma
Reply

shayhibah
Path Finder
‎10-02-2018 03:46 AM

@HiroshiSatoh

Thanks for your response.
Unfortunately, it still gives me the same results - 9/16/18 3:00:00.000 AM to 9/16/18 3:00:00.001 AM.

Maybe the bucket in the query affect the results?

0 Karma
Reply

HiroshiSatoh
Champion
‎10-02-2018 04:16 AM

Did you make the following edits to the main search?

base_search | eval _time = time| bucket _time span=24h | chart count over _time by app_risk| fields _time,Critical,High,Medium,Low
| eval earlest_time=_time,latest_time=relative_time(_time,"+24h@h")
| fieldformat earlest_time=strftime(earlest_time,"%m/%d/%Y:%H:%M:%S") 
| fieldformat latest_time=strftime(latest_time,"%m/%d/%Y:%H:%M:%S")
0 Karma
Reply

shayhibah
Path Finder
‎10-02-2018 04:42 AM

Yes I did but it still gives me wrong date time range

0 Karma
Reply

HiroshiSatoh
Champion
‎10-02-2018 05:29 AM

Please check the search sentence generated from "Search job inspector". If start and end are correctly embedded, you should be able to search.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...