After spending hours unsuccessfully searching Splunk Answers for a solution, I would like to phrase my question:
I have a timechart which I display in a dashboard.
When I click on a bar, I would like that a new search is triggered with the time interval matching that of the clicked bin in the timechart.
Unfortunately, using
<drilldown>
  <set token="tok_ear">$earliest$</set>
  <set token="tok_lat">$latest$</set>
</drilldown>
does not give me the time interval of the clicked bin, but that of the whole timechart query.
On the other hand
$click.value$
does give me the right start time, but in the following format
2017-09-29T01:00:00.000-04:00
which I then can't use to set my field
<earliest></earliest>
<latest></latest>
in the query.
I could reformat the $click.value$ string to the expected epoch format, using
strftime("2017-09-27T22:04:00.000-04:00", "%Y-%m-%dT%H:%M:%S.%3N-%:z")
but I don't know if I can run this command as a script in the dashboard xml.
Does anybody have a solution for this? I am a bit amazed that this is such a struggle; it seems like a common use case.
@viggor, if the default drilldown tokens for charts, i.e. $earliest$ and $latest$, default to the search time range instead of the clicked row's value, it implies that you do not have the _time field available. Please make sure your final search command is timechart, or chart with the _time field. Please refer to the Splunk documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#chart_2
Following is a run-anywhere example based on the Splunk _internal index.
<form>
  <label>Chart Drilldown default tokens earliest and latest</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
            | timechart span=1h count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <set token="earliestTime">$earliest$</set>
          <set token="latestTime">$latest$</set>
          <set token="eventCount">$click.value2$</set>
          <eval token="duration">$latest$-$earliest$</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          Earliest: $earliestTime$<br/>
          Latest: $latestTime$<br/>
          Duration: $duration$<br/>
          Events: $eventCount$
        </div>
      </html>
    </panel>
  </row>
</form>
PS: Please change accordingly for your use case. If this is not working, please provide your existing Splunk search query.
First, $earliest$ should work if you are clicking on the segments (not the legend) and you are properly generating the time values for the search. You would need to share more information about the top-level search in order to troubleshoot that a little more.
Using your current drilldown approach with $click.value$, you can wrap the strptime step in an <eval> block if you are on Splunk 6.3 or newer. You need to know the charting time span in order to get the value for latest, so that gets back to the original issue of how you are generating the data using timechart or chart. Lastly, you want strptime, not strftime.
<drilldown>
  <eval token="tok_ear">strptime("'click.value'", "%Y-%m-%dT%H:%M:%S.%3N-%:z")</eval>
  <eval token="tok_lat">'tok_ear' + 'row._span'</eval>
</drilldown>
Hi rjthibod, thanks a lot for your comment.
I tried to use
<drilldown>
  <eval token="tok_ear">strptime("'click.value'", "%Y-%m-%dT%H:%M:%S.%3N-%:z")</eval>
</drilldown>
but the tok_ear variable does not seem to be defined.
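Added example, not part of the thread and not Splunk's own code: the conversion rjthibod's answer describes, carried out in Python so the epoch arithmetic can be checked outside a dashboard. It takes the $click.value$ string quoted in the question, parses it with the -04:00 offset honored, and derives latest as earliest plus the bin width. Assumptions: the bin width is timechart's _span field, which is in seconds (3600 for span=1h); the token names tok_ear and tok_lat, the sample value and the span are taken from the thread. Python's %f and %z directives stand in for Splunk's %3N and %:z; in both, the offset directive consumes the sign of the offset itself, so the format string carries no literal '-' ahead of it. The second function shows how far off the result is if the offset is thrown away and the wall-clock time is read as UTC.

```python
"""Turn a Splunk chart click value into the epoch earliest/latest pair of the
clicked timechart bin. Added example; not code from the thread or from Splunk."""
from datetime import datetime, timezone
from typing import Dict, Tuple

# Constructed sample input: the $click.value$ string quoted in the question and a
# one-hour bin. Assumption: the bin width comes from timechart's _span field,
# which is in seconds (3600 for span=1h).
SAMPLE_CLICK_VALUE = "2017-09-29T01:00:00.000-04:00"
SAMPLE_SPAN_SECONDS = 3600

# Python counterpart of the Splunk strptime format used in the thread. %f reads the
# milliseconds (Splunk: %3N) and %z reads the signed "-04:00" offset (Splunk: %:z;
# Python 3.7+ accepts the colon form). The offset directive consumes the sign, so
# there is no literal '-' in front of it.
CLICK_VALUE_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def click_value_to_epoch(click_value: str) -> int:
    """Epoch seconds for the click value, honoring the UTC offset it carries."""
    parsed = datetime.strptime(click_value, CLICK_VALUE_FORMAT)
    if parsed.tzinfo is None:  # %z matched, so this only guards a format change
        raise ValueError("click value carries no UTC offset: " + click_value)
    return int(parsed.timestamp())


def epoch_ignoring_offset(click_value: str) -> int:
    """The wrong answer: drop the trailing "-04:00" and read the wall-clock time
    as UTC. Kept only to make the size of the error visible (four hours here)."""
    wall_clock = click_value[:-6]
    naive = datetime.strptime(wall_clock, "%Y-%m-%dT%H:%M:%S.%f")
    return int(naive.replace(tzinfo=timezone.utc).timestamp())


def bin_range(click_value: str, span_seconds: int) -> Tuple[int, int]:
    """(earliest, latest) for the clicked bin: it starts at the click value and
    ends one span later, the 'tok_ear' + 'row._span' idea from the thread."""
    if span_seconds <= 0:
        raise ValueError("span must be a positive number of seconds")
    earliest = click_value_to_epoch(click_value)
    return earliest, earliest + span_seconds


def drilldown_time_tokens(click_value: str, span_seconds: int) -> Dict[str, str]:
    """String values for the drilldown search's <earliest>/<latest> elements."""
    earliest, latest = bin_range(click_value, span_seconds)
    return {"tok_ear": str(earliest), "tok_lat": str(latest)}


if __name__ == "__main__":
    print(drilldown_time_tokens(SAMPLE_CLICK_VALUE, SAMPLE_SPAN_SECONDS))
    skew = click_value_to_epoch(SAMPLE_CLICK_VALUE) - epoch_ignoring_offset(SAMPLE_CLICK_VALUE)
    print("dropping the offset shifts the bin by", skew, "seconds")
```

The two values drilldown_time_tokens returns are what the dashboard's <earliest> and <latest> elements expect, so a drilldown search built from them covers exactly the clicked bin rather than the whole chart range.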