Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Drilldown - pass the earliest and latest from a timechart

netanelm7
Path Finder
‎10-30-2017 01:53 AM

Hi everyone,

Im having a problem passing the earliest and latest from a timechart.
On the main graph, im showing a table with hourly interval which shows some counter for each column.
I wanted to pass the selected column and to show it on a different timechart with minutely interval.

the tokens I configured on the main graph are:
jnl_mb_counter = $click.name2$
jnl_mb_earliest = $earliest$
jnl_mb_latest = $latest$

The column is passing perfectly, but the time is always the entire time (if i have 3 hours - which are 3 rows in the main graph's table, no matter which hour i choose, i get the drilldown timechart with the entiretime)

The drilldown query is:
index=storage_18037 sourcetype=csvRotemA_JNL_SUMMARY NOT DATETIME host=RotemA earliest=$jnl_mb_earliest$ latest=$jnl_mb_latest$ | eval transfer_in_MB=M_JNL_ASYNC_XFER_RATE/1024,IDs="JNL".JOURNAL_ID | search IDs=$jnl_mb_counter$ | timechart span=1m avg(transfer_in_MB) as "$jnl_mb_counter$ Transfer"

Thank you very much!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

emeelan_splunk
Splunk Employee
Splunk Employee
‎10-30-2017 02:33 PM

Hi All,
Here's another workaround given to me by one of our intrepid engineers that might work better than the one already posted:

<drilldown>
          <eval token="drilldown.earliest">strptime($row._time$,"%Y-%m-%d %H:%M:%S")</eval>
          <eval token="drilldown.latest">strptime($row._time$,"%Y-%m-%d %H:%M:%S") + $row._span$</eval>
        </drilldown>

View solution in original post

Reply
Solved! Jump to solution

rjthibod
Champion
‎10-30-2017 04:51 AM

The _span field indicates the bin or bucket size from your timechart command, in your case 1h or 3600 seconds. Anytime you use a SPL function that performs bin'ing, the hidden _span field is present. That field tells Splunk how to space out data on the x-axis when you chart timecharts.

Please "like" or "upvote" my comment or you can turn it into an answer and accept it. Either way.

Reply
Solved! Jump to solution

netanelm7
Path Finder
‎10-30-2017 04:58 AM

thank you!, i upvoted it, when can i click "accept" on it?

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-30-2017 05:04 AM

Click on Accept link of Answer.
Scroll up to the first comment.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...