Splunk Search

Drilldown: Use starttime of bar in timechart as `earliest` field in subsequent search

viggor
Path Finder

After spending hours unsuccessfully searching Splunk Answers for a solution, I would like to phrase my question:

I have a timechart which I display in a dashboard.
When I click on a bar, I would like a new search to be triggered with the time interval matching that of the clicked bin in the timechart.

Unfortunately, using

<drilldown>
     <set token="tok_ear">$earliest$</set>
     <set token="tok_lat">$latest$</set>
</drilldown>

does not give me the time interval of the clicked bin, but that of the whole timechart query.

On the other hand

$click.value$

does give me the right start time, but in the following format

2017-09-29T01:00:00.000-04:00

which I then can't use to set my field

      <earliest></earliest>
      <latest></latest>

in the query.

I could reformat the $click.value$ string to the expected epoch format, using

strftime("2017-09-27T22:04:00.000-04:00", "%Y-%m-%dT%H:%M:%S.%3N-%:z")

but I don't know if I can run this command as a script in the dashboard xml.

Does anybody have a solution for this? I am a bit amazed that this is such a struggle; it seems like a common use case.

0 Karma

niketn
Legend

@viggor, if the default drilldown tokens for charts, i.e. $earliest$ and $latest$, are defaulting to the search time range instead of the clicked row value, it implies that you do not have the _time field available. Please make sure your final search command is timechart or chart with the _time field. Please refer to the Splunk documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#chart_2

Following is a run-anywhere search based on the Splunk _internal index.


<form>
  <label>Chart Drilldown default tokens earliest and latest</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| timechart span=1h count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <set token="earliestTime">$earliest$</set>
          <set token="latestTime">$latest$</set>
          <set token="eventCount">$click.value2$</set>
          <eval token="duration">$latest$-$earliest$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          Earliest: $earliestTime$<br/>
          Latest: $latestTime$<br/>
          Duration: $duration$<br/>
          Events: $eventCount$
        </div>
      </html>
    </panel>
  </row>
</form>

PS: Please change accordingly for your use case. If this is not working, please provide your existing Splunk search query.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rjthibod
Champion

First, $earliest$ should work if you are clicking on the segments (not the legend) and you are properly generating the time values for the search. You would need to share more information about the top-level search in order to troubleshoot that a little more.

Using your current drilldown approach with $click.value$, you can wrap the strptime step in an <eval> block if you are on Splunk 6.3 or newer. You need to know the charting time span in order to get the value for latest, so that gets back to the original issue of how you are generating the data using timechart or chart. Lastly, you want strptime, not strftime.

<drilldown>
  <eval token="tok_ear">strptime("'click.value'", "%Y-%m-%dT%H:%M:%S.%3N-%:z")</eval>
  <eval token="tok_lat">'tok_ear' + 'row._span'</eval>
</drilldown>

viggor
Path Finder

Hi rjthibod, thanks a lot for your comment.
I tried to use

<drilldown>
  <eval token="tok_ear">strptime("'click.value'", "%Y-%m-%dT%H:%M:%S.%3N-%:z")</eval>
</drilldown>

but the tok_ear variable does not seem to be defined.

0 Karma
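The complete chain the thread is after, as an added example rather than code from any of the posters: a timechart panel whose drilldown turns the clicked bar into epoch tokens (the strptime and 'row._span' approach from rjthibod's answer, with tokens referenced the way that answer does), and a second panel that only appears once a bar has been clicked and runs its search bounded by those tokens. The offset sign is consumed by %:z itself, so the format here carries no literal hyphen in front of it; the _internal search, the token names and the table columns are assumptions for illustration.

```xml
<form>
  <label>Timechart drilldown to clicked bin (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <!-- timechart is the final command, so every bar carries _time and _span -->
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| timechart span=1h count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- bin start as epoch seconds, parsed from the ISO-8601 click value -->
          <eval token="tok_ear">strptime('click.value', "%Y-%m-%dT%H:%M:%S.%3N%:z")</eval>
          <!-- bin end = start + the bin width that timechart emitted in _span -->
          <eval token="tok_lat">'tok_ear' + 'row._span'</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <!-- hidden until the drilldown has set tok_ear, so an undefined token never reaches the search -->
    <panel depends="$tok_ear$">
      <title>Events in clicked bin ($tok_ear$ to $tok_lat$)</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| table _time log_level component message</query>
          <!-- epoch values are accepted directly as earliest/latest -->
          <earliest>$tok_ear$</earliest>
          <latest>$tok_lat$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If the default $earliest$ and $latest$ drilldown tokens already resolve to the clicked bin (niketn's point about _time being present), the two <eval> lines can be replaced by plain <set> elements for those tokens and the rest stays the same.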