Splunk Search

Drill down time from drill down editor to another applet

clintla
Contributor

What I want to do is pass a start/end time to a table from my linechart.

On my line chart, if I click a time in the chart, it passes the clicked time perfectly.

I'd like to pass that end time & then create a start time that is 5 days earlier as tokens to drill down to a time frame.

If I use the drill down editor & use the EVAL to set time-432000 (5DAYBEFORE), then the eval doesn't work

(get "No results found")

If I convert my 5DAYBEFORE to a human readable & table it, it shows exactly the date I want to see, but if I use the token in the time picker, something goes wrong.

I can't really see anything in the documentation to help w/ this example. I was hoping I could click twice & get earliest & latest & pass those 2 to my table.

Is there an easy way to drill down time tokens (current time) WITH an eval'ed time to another applet for start/end time?

My way seems to create those times perfectly; it's just that the target table won't accept EVAL to set time-432000 (5DAYBEFORE).

0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Here's an example dashboard that allows you to set the number of days before the click date and then show the table for that window.

<form>
  <label>testtc</label>
  <search id="base">
    <query>| makeresults
| eval x=mvrange(1,100)
| mvexpand x
| eval val=random() % 100
| eval _time=_time-(x*86400)
| timechart span=1d values(val)</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="text" token="days" searchWhenChanged="true">
      <label>Show days before click</label>
      <default>5</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search base="base">
          <query/>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <set token="latest">$click.value$</set>
          <eval token="relative_days">"-".$days$."d"</eval>
          <eval token="earliest">relative_time($click.value$,$relative_days$)</eval>
          <eval token="from">strftime($earliest$,"%F")</eval>
          <eval token="to">strftime($latest$,"%F")</eval>
        </drilldown>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Showing results from $from$ to $to$</title>
        <search base="base">
          <query>
            | where _time&gt;=$earliest$ AND _time&lt;=$latest$
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>

It's run-anywhere, so you can see how the eval token statements in the drilldown use relative_time to calculate the date the given number of days prior to the clicked date and set the from token.

You can see I have used the where clause to do the date filtering in the second search, as I have used a base search, but in your case you could just do this in your original search

your_search earliest=$earliest$ latest=$latest$

for the same effect.

Hope this helps.

 


0 Karma
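To carry the computed window to a second dashboard, as the question asks, the same two tokens can be handed to the target's time input through a `<link>` drilldown. This is an added example, not the answer's own dashboard; `target_dashboard`, its time input token `tr`, and the `index=_internal` search are assumptions, and the `form.tr.earliest`/`form.tr.latest` URL parameters assume the target has `<input type="time" token="tr">`.

```xml
<form>
  <label>Drilldown window to another dashboard (added example)</label>
  <fieldset submitButton="false">
    <input type="text" token="days" searchWhenChanged="true">
      <label>Days before click</label>
      <default>5</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <!-- assumed sample data: daily splunkd event counts from the internal index -->
        <search>
          <query>index=_internal sourcetype=splunkd | timechart span=1d count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- same computation as the accepted answer: the clicked epoch is the end
               of the window, relative_time() steps back $days$ days for the start -->
          <set token="latest">$click.value$</set>
          <eval token="relative_days">"-".$days$."d"</eval>
          <eval token="earliest">relative_time($click.value$,$relative_days$)</eval>
          <!-- assumption: target_dashboard has <input type="time" token="tr">;
               form.tr.earliest/latest prefill that picker with the epoch values,
               and the |u filter URL-encodes the token values in the link -->
          <link target="_blank">/app/search/target_dashboard?form.tr.earliest=$earliest|u$&amp;form.tr.latest=$latest|u$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>
```

In the target dashboard the panel search then reads the picker as `earliest=$tr.earliest$ latest=$tr.latest$`, which accepts the epoch values directly instead of a human-readable date.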


clintla
Contributor

Wow.. nailed it. A little bit more involved than I thought it was but not too bad.

Thanks for the help! This works exactly as I was wanting it to!

0 Karma