Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you pass a field to another chart using drilldowns?

james_n
Path Finder
‎02-04-2019 01:03 AM

i have query like:

 | timechart count by status.  
output: _time status

1/1/2018 20:10:12.214 2
10/1/2018 12:32:45.153 4

when i click on the bar chart legend, _time should pass to another chart date, hour and minutes only like 1/1/2018 20:10 as a token.

another chart query is 

index=something $token_name$ | stats count

@martin_mueller , could you help on this.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-04-2019 06:58 AM

It should already be available as $click._time$. The problem is that you think that it is in a format that it isn't so it isn't working for you. The field _time is very special in that it always has an implied | fieldformat _time=strftime(_time, %m/%d/%Y %H:%M:%S:%3n") attached to it that follows it along everywhere. You can see this if you add | eval time=_time to any search. When you do, you will see that time takes on the actual value of _time which is an integer. So what you need to do is create a new token, $time$ that is formatted the way that you need, like this:

<eval token="time">strftime($click._time$, %m/%d/%Y %H:%M:%S:%3n")</eval>
0 Karma
Reply

mayurr98
Super Champion
‎02-04-2019 03:18 AM

hi I do not know what you are trying to achieve but this will solve your problem. 

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |timechart count | sort - count | rename _time as time | eval time=strftime(time,"%m/%d/%Y %H:%M")</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="time">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_internal "$time$" |stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>

let me know if this helps!

0 Karma
Reply

james_n
Path Finder
‎02-04-2019 10:34 PM

@mayurr98 thanks for your answer, its working almost fine, but hours and minutes showing 00:00 only if i select last 7days. my log file timestamp is 2/1/19 17:20:06:076 MST. could you help me on this same.
Iam expecting if i select time period in the span of days, it should be 2/2/19 or hours 2/2/19 17:20 like that,

what you have written query working fine , but if i select time in the form of hours its not working.

0 Karma
Reply

vnravikumar
Champion
‎02-04-2019 03:18 AM

Hi @james_n

Please try

 <chart>
        <search>
          <query>index="_internal" 
 | timechart count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="date1">strftime($click.value$,"%d/%m/%Y %H:%M")</eval>
        </drilldown>
      </chart>
0 Karma
Reply

vnravikumar
Champion
‎02-04-2019 05:57 AM

Please let me know

0 Karma
Reply

james_n
Path Finder
‎02-05-2019 11:14 PM

@vnravikumar , thanks for your answer, this is working fine but i want to month in a single digit like 2/4/19, currently i am using like this

strftime($click.value$,"%m/%e/%y"),

I tried "%1m", "%-m" or "%#m" to convert two digit month into a single digit month. but not working, could you please help on this.

0 Karma
Reply

vnravikumar
Champion
‎02-05-2019 11:26 PM

What format do you want?

0 Karma
Reply

james_n
Path Finder
‎02-06-2019 12:02 AM

month,day,year like this 2/4/19

0 Karma
Reply

vnravikumar
Champion
‎02-06-2019 12:09 AM

Try with

%m/%d/%y

0 Karma
Reply

james_n
Path Finder
‎02-06-2019 12:22 AM

tried with that but it displaying 02/04/19 in the span of last 7 days.

and also one more problem is if select one specific day i.e, feb 4th 2019, and clicked on, its taking feb 5th 2019 instead of 4th. could you please check once.

what i my observation is, its taking next day time if the time after 12pm in same day in the span of hours

0 Karma
Reply

vnravikumar
Champion
‎02-06-2019 12:48 AM

use "%1m", "%-m" or "%#m" to convert two digit month into a single digit month

0 Karma
Reply

james_n
Path Finder
‎02-06-2019 12:54 AM

already i tried but not working, you can find my last comment, the major problem is

f select one specific day i.e, feb 4th 2019, and clicked on, its taking feb 5th 2019 instead of 4th. could you please check once.

what i my observation is, its taking next day time if we select anything after 12pm in same day

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...