Splunk Search

Chart Drill Down changes Date time range

Path Finder

I have a dashboard with a chart inside it.

The query of the chart is:

base_search | eval _time = time| bucket _time span=24h | chart count over _time by app_risk| fields _time,Critical,High,Medium,Low

The drill down settings are: On Click=Link to Search & Auto.

When clicking on "High" category on specific date, I would like to see the events related to this combination of risk and date.

For some reason, I have no results after drilling down.

For example: I click on events from Sep 15 - I expect the time range to be Sep 15 00:00:00,000 to Sep 15 23:59:59,999 but (!) the time range is Sep 15 00:00:00,000 to Sep 15 00:00:00,001

Can someone tell me why the results are not related to the specific column date?

0 Karma

Champion

The time range is set from _time of the result by default.
ex.
_time="9/16/18 3:00:00.000"

It is necessary to set the start and end time for each row in the search and pass them to the drilldown search, etc.

ex.

  <link>
    <![CDATA[search?q=search index=XXX earliest="$row.earlest_time$" latest="$row.latest_time$" ]]>
  </link>
0 Karma

Path Finder

@HiroshiSatoh

Thanks for your response.
Unfortunately, it still gives me the same results - 9/16/18 3:00:00.000 AM to 9/16/18 3:00:00.001 AM.

Maybe the bucket in the query affects the results?

0 Karma

Champion

Did you make the following edits to the main search?

base_search | eval _time = time| bucket _time span=24h | chart count over _time by app_risk| fields _time,Critical,High,Medium,Low
| eval earlest_time=_time,latest_time=relative_time(_time,"+24h@h")
| fieldformat earlest_time=strftime(earlest_time,"%m/%d/%Y:%H:%M:%S") 
| fieldformat latest_time=strftime(latest_time,"%m/%d/%Y:%H:%M:%S")
0 Karma
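
The pattern described in the two answers above, put together as one complete Simple XML dashboard. This is an added illustration, not code from either poster: it uses a placeholder `index=YOUR_INDEX` in place of `base_search`, keeps the question's `time` and `app_risk` field names, computes the per-row bounds with `strftime` (so `$row.earliest_time$` / `$row.latest_time$` carry a `%m/%d/%Y:%H:%M:%S` string that `earliest=`/`latest=` accept), and uses `$click.name2$` for the clicked series (the `app_risk` value). The `charting.fieldHideList` option is assumed to be the option that keeps the two helper fields out of the plotted series; if it is not honoured on your version, the helper fields simply show up as extra series and can be dropped from the chart another way.

```xml
<dashboard>
  <label>Risk by day (drilldown example)</label>
  <row>
    <panel>
      <chart>
        <search>
          <!-- YOUR_INDEX is a placeholder for the real base search -->
          <query>index=YOUR_INDEX
| eval _time = time
| bucket _time span=24h
| chart count over _time by app_risk
| eval earliest_time=strftime(_time, "%m/%d/%Y:%H:%M:%S"),
       latest_time=strftime(relative_time(_time, "+24h@h"), "%m/%d/%Y:%H:%M:%S")
| fields _time, Critical, High, Medium, Low, earliest_time, latest_time</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <!-- Assumed option name: keeps the two helper fields out of the plotted series -->
        <option name="charting.fieldHideList">["earliest_time","latest_time"]</option>
        <drilldown>
          <!-- $click.name2$ is the clicked series (e.g. High);
               $row.earliest_time$ / $row.latest_time$ come from the clicked row itself,
               so the drilldown window is the whole 24h bucket, not _time to _time+1ms -->
          <link target="_blank">
            <![CDATA[search?q=search index=YOUR_INDEX app_risk="$click.name2$" earliest="$row.earliest_time$" latest="$row.latest_time$"]]>
          </link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
```

One check worth making before blaming the drilldown: `earliest=` and `latest=` restrict on the indexed `_time`, while the chart query reassigns `_time` from the `time` field. If `time` differs from the indexed timestamp for some events, those events fall outside the drilldown window even though they were counted in the bucket; in that case filter the drilldown search on `time` as well (for example `| eval _time=time | where _time>=strptime("$row.earliest_time$","%m/%d/%Y:%H:%M:%S") AND _time<strptime("$row.latest_time$","%m/%d/%Y:%H:%M:%S")`) and widen `earliest`/`latest` accordingly.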

Path Finder

Yes, I did, but it still gives me the wrong date/time range.

0 Karma

Champion

Please check the search string generated in the "Search Job Inspector". If the start and end times are correctly embedded, you should be able to search.

0 Karma