Splunk Search

Dashboard Studio earliest/latest tokens

Gregs1125
Loves-to-Learn

I'm trying to pass 3 tokens from panel 1 into panel 2, earliest time, latest time, and a basic field value.  I can get the earliest time and field value to work, but latest time always defaults to "now" no matter what I try.

Panel 1 is a stacked timechart over a three week period, each stack is one week.  The values in the stack are different closure statuses from my SIEM.  I want to be able to click on a closure status in a single week and see the details of just the statuses from that week in panel 2. (ex. Mon Jun 17-Sun Jun 23)   

Panel 1 looks like:

index=siem sourcetype=triage | eval _time=relative_time(_time,"@w1") ```so my stacks start on monday```
| timechart span=1w@w1 count by status WHERE max in top10 useother=false
| eval last=_time+604800  ```manually creating a latest time to use as token```


note: panel 1 is using a time input shared across most panels in the dashboard. (defaulting to 3 Mondays ago)

In Configuration > Interaction, I'm setting 3 tokens, status=name, earliest=row._time.value, and latest=row.last.value  

 

Panel 2 looks like:

index=siem sourcetype=triage earliest=$earliest$ latest=$latest$ | rest of search

 

When I click a status in week 1 (2 weeks ago) I get statuses for weeks 1, 2, and 3. (earliest and status tokens are working)

When I click a status in week 2 (1 week ago) I get statuses for weeks 2 and 3. (earliest and status tokens are working)

When I click a status in week 3 (current week) I get the current week. (earliest and status tokens are working)

Latest always defaults to now.

 

I've done something similar in the old dashboard: I eval'd the time modifiers while setting the token, but I am much less familiar with JSON and not sure if this is a possibility.

What I had previously done: <eval token="earliest">$click.value$-3600</eval>

 


yuanliu
SplunkTrust

Your requirement isn't really clear.  Not to point to the obvious difference between last (set in first panel) and $latest$ (used in second panel), but are you sure you can even add an additional field in the first panel and still maintain your original timechart? (Hint: It will ruin it all; at least it will distort the chart.)

Another important question is: What is that $latest$ supposed to be?  It seems that you want it to be the interactive token because you set it according to _time, which varies by row.  I already mentioned that setting a new field after timechart will ruin your chart.  But in addition, Dashboard Studio has its own regimen to manage tokens.  You cannot set a variable in one search, call that variable with $$, and expect it to be a passable token.  This is the document about setting interactive tokens from search results: Setting tokens from search results or search job metadata.

Then, to add 1 week to the click value, run that result in another search. (Just like you would do in Simple XML.)  Lastly, use result from that search to drive the second panel.  Here is an example:

{
    "visualizations": {
        "viz_7yE1ZwsT": {
            "type": "splunk.line",
            "dataSources": {
                "primary": "ds_DmIKSSCN"
            },
            "title": "First panel",
            "eventHandlers": [
                {
                    "type": "drilldown.setToken",
                    "options": {
                        "tokens": [
                            {
                                "token": "latest_tok",
                                "key": "row._time.value"
                            }
                        ]
                    }
                }
            ],
            "options": {
                "legendDisplay": "top"
            }
        },
        "viz_OIqDnl0b": {
            "type": "splunk.line",
            "options": {
                "legendDisplay": "bottom"
            },
            "dataSources": {
                "primary": "ds_79fdaiuf"
            },
            "showProgressBar": false,
            "showLastUpdated": false
        }
    },
    "dataSources": {
        "ds_DmIKSSCN": {
            "type": "ds.search",
            "options": {
                "query": "| tstats count where index=_internal by _time span=1d sourcetype\n| timechart span=1d sum(count) by sourcetype\n| eval _last = relative_time(_time, \"+1w\")"
            },
            "name": "first panel"
        },
        "ds_79fdaiuf": {
            "type": "ds.search",
            "options": {
                "query": "index=_introspection latest=$make token:result.week_after$\n| timechart span=1d count by sourcetype"
            },
            "name": "dependent panel"
        },
        "ds_EHm1QhZI": {
            "type": "ds.search",
            "options": {
                "query": "| makeresults\n| eval week_after = relative_time($latest_tok$, \"+1w\")",
                "enableSmartSources": true
            },
            "name": "make token"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "latest": "$global_time.latest$",
                        "earliest": "$global_time.earliest$"
                    }
                }
            }
        }
    },
    "inputs": {
        "input_global_trp": {
            "type": "input.timerange",
            "options": {
                "token": "global_time",
                "defaultValue": "-3w@w,now"
            },
            "title": "Global Time Range"
        }
    },
    "layout": {
        "type": "grid",
        "options": {
            "width": 1440,
            "height": 960
        },
        "structure": [
            {
                "item": "viz_7yE1ZwsT",
                "type": "block",
                "position": {
                    "x": 0,
                    "y": 0,
                    "w": 1440,
                    "h": 400
                }
            },
            {
                "item": "viz_OIqDnl0b",
                "type": "block",
                "position": {
                    "x": 0,
                    "y": 400,
                    "w": 1440,
                    "h": 400
                }
            }
        ],
        "globalInputs": [
            "input_global_trp"
        ]
    },
    "description": "https://community.splunk.com/t5/Splunk-Search/Dashboard-Studio-earliest-latest-tokens/m-p/691740",
    "title": "Pass time token"
}

In this dashboard, when you click a point on July 13 in the first panel, the second panel will end on July 20.  Is this something you are looking at?

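One way to catch the wiring problem this thread is about (a dependent search that references a $token$ nothing sets, which Dashboard Studio reports as "Set token value to render visualization") is to lint the dashboard definition before loading it. The script below is an added example, not code from the thread or from Splunk. The dashboard dictionary is a constructed, trimmed version of the pattern in the answer above; the rule that a reference of the form $<data source name>:result.<field>$ is satisfied by a data source with that "name" mirrors how the answer uses it and is an assumption of the linter, not a documented API.

```python
import copy
import re

# Constructed dashboard (not the page's own JSON): a first panel that sets
# $latest_tok$ on click, a "make token" search that derives a value one week
# later from it, and a dependent panel that reads that search's result.
DASHBOARD = {
    "visualizations": {
        "viz_first": {
            "type": "splunk.line",
            "dataSources": {"primary": "ds_first"},
            "eventHandlers": [{
                "type": "drilldown.setToken",
                "options": {"tokens": [{"token": "latest_tok", "key": "row._time.value"}]},
            }],
        },
        "viz_dependent": {"type": "splunk.line", "dataSources": {"primary": "ds_dependent"}},
    },
    "dataSources": {
        "ds_first": {"type": "ds.search", "name": "first panel", "options": {
            "query": "| tstats count where index=_internal by _time span=1d sourcetype"}},
        "ds_make": {"type": "ds.search", "name": "make token", "options": {
            "query": "| makeresults | eval week_after = relative_time($latest_tok$, \"+1w\")"}},
        "ds_dependent": {"type": "ds.search", "name": "dependent panel", "options": {
            "query": "index=_introspection latest=$make token:result.week_after$ "
                     "| timechart span=1d count by sourcetype"}},
    },
    "defaults": {"dataSources": {"ds.search": {"options": {"queryParameters": {
        "earliest": "$global_time.earliest$", "latest": "$global_time.latest$"}}}}},
    "inputs": {"input_global_trp": {"type": "input.timerange", "options": {
        "token": "global_time", "defaultValue": "-3w@w,now"}}},
}

TOKEN_RE = re.compile(r"\$([^$]+)\$")


def providers(dash):
    """Map token name -> what sets it (inputs, drilldown setToken, chain-search results)."""
    out = {}
    for inp_id, inp in dash.get("inputs", {}).items():
        tok = inp.get("options", {}).get("token")
        if tok:
            out[tok] = f"input {inp_id}"
            if inp.get("type") == "input.timerange":  # time inputs expose .earliest/.latest
                out[f"{tok}.earliest"] = out[f"{tok}.latest"] = f"input {inp_id}"
    for viz_id, viz in dash.get("visualizations", {}).items():
        for handler in viz.get("eventHandlers", []):
            if handler.get("type") == "drilldown.setToken":
                for t in handler.get("options", {}).get("tokens", []):
                    out[t["token"]] = f"{viz_id} drilldown ({t.get('key')})"
    # Assumption: "$<name>:result.<field>$" is satisfied by a data source with that name.
    for ds_id, ds in dash.get("dataSources", {}).items():
        if "name" in ds:
            out[f"{ds['name']}:result"] = f"search {ds_id}"
    return out


def references(dash):
    """List (where, token) for every $token$ used in a query or query parameter."""
    refs = []
    for ds_id, ds in dash.get("dataSources", {}).items():
        opts = ds.get("options", {})
        texts = [opts.get("query", "")] + list(opts.get("queryParameters", {}).values())
        refs += [(ds_id, tok) for text in texts for tok in TOKEN_RE.findall(text)]
    defaults = dash.get("defaults", {}).get("dataSources", {}).get("ds.search", {})
    for text in defaults.get("options", {}).get("queryParameters", {}).values():
        refs += [("defaults", tok) for tok in TOKEN_RE.findall(text)]
    return refs


def unresolved_tokens(dash):
    """Tokens referenced somewhere but set nowhere: these render as the red '!' panel."""
    prov = providers(dash)
    missing = []
    for where, tok in references(dash):
        name = tok.split(":result.")[0] + ":result" if ":result." in tok else tok
        if name not in prov:
            missing.append((where, tok))
    return missing


def rename_drilldown_token(dash, old, new):
    """Copy the dashboard and rename only the setter, leaving the searches that
    reference the old name untouched (the mistake that renaming a token invites)."""
    out = copy.deepcopy(dash)
    for viz in out.get("visualizations", {}).values():
        for handler in viz.get("eventHandlers", []):
            for t in handler.get("options", {}).get("tokens", []):
                if t.get("token") == old:
                    t["token"] = new
    return out


if __name__ == "__main__":
    print("unresolved in original:", unresolved_tokens(DASHBOARD))
    print("unresolved after renaming setter:",
          unresolved_tokens(rename_drilldown_token(DASHBOARD, "latest_tok", "latest_time")))
```

Run it against the JSON you exported from the dashboard editor (load it with json.load instead of the constructed dictionary) and any token it reports is one the page will refuse to render; a token set only by an eval inside a search, as in the original post, shows up here because no input, drilldown or named chain search provides it.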

ITWhisperer
SplunkTrust

Try using different token names e.g. earliest_time and latest_time


Gregs1125
Loves-to-Learn

Thanks for replying, and sorry for the lengthy delay.  Metrics dashboards never seem to be the priority!

Changing the token names did not work, panel 2 doesn't load.  I continue to get the red ! in the top right, asking for "Set token value to render visualization" specifically for $latest_time$ (or whatever name variation I try).  
