Splunk Search

Clicking on stats count chart does not show results due to formatting

rijk
Explorer

When I create a graph plotting the delay in a message using count by delay:
eval Delay = strptime(Time, "%H:%M:%S") - strptime(substr(MessageTime, -4), "%H%M") | fieldformat Delay=substr(tostring(Delay,"duration"),1,8) | stats count by Delay

The graph looks ok, but when I click on a value, no events are shown. Splunk adds e.g. Delay="00:02:17" to the search, but the original Delay was in seconds and it should add Delay="137.000000" to the search. Is there a way to click on the graph but keep the ability to format the representation?

Tags (3)
0 Karma
1 Solution

lguinn2
Legend

If you put the chart in a dashboard, you can set "dynamic drilldown" - this allows you to control what happens when you click. You can control exactly what is displayed when the user clicks, opening another search, another chart, etc.

Here is a link to the documentation: Dynamic Drilldown in dashboards and forms

There are also a lot of questions about "drilldown" in this forum, just watch the date and distinguish between versions of Splunk!

View solution in original post

0 Karma

lguinn2
Legend

If you put the chart in a dashboard, you can set "dynamic drilldown" - this allows you to control what happens when you click. You can control exactly what is displayed when the user clicks, opening another search, another chart, etc.

Here is a link to the documentation: Dynamic Drilldown in dashboards and forms

There are also a lot of questions about "drilldown" in this forum, just watch the date and distinguish between versions of Splunk!

0 Karma
Get Updates on the Splunk Community!

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...