Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a drilldown from timechart to get all the events based datapoint clicked?

satishp00
Engager
‎03-08-2023 10:27 AM

Hi ,

I m new to splunk and still exploring. I have created a timechart with a span on 10 mins . The timechart has a sharedtime picker which gets updated on based on time selected on timepicker. I have added a drilldown option on timechart when on click link to search and the results should display in new tab. I m passing TimeRange as Tokens. What I m trying to achieve is when a user clicks on the timechart at any datapoint,it should display the results with all events that happened the  in past 5 min of clicked timestamp. Some how I m not sure how to set the earliest and latest time dynamically in the search link. 

satishp00_1-1678299672515.png

 

satishp00_0-1678299564951.png

satishp00_2-1678300058301.png

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Tom_Lundie
Contributor
‎03-08-2023 02:05 PM

You can't dynamically change the token value like you're trying to do in the drilldown config.

The simplest way to solve this is to update a different token and use that to pass to your dashboard:

Example:

 

        <drilldown>
          <eval token="dd_earliest">$click.value$-300</eval>
          <eval token="dd_latest">$click.value$</eval>
          <link target="_blank">search?q=index%3D%22xxxx%22%20sourcetype%3D%22xxxx%22%20%7C%20table%20ProcessTime%2C%20FileName%2C%20StartDtTime%2C%20EndDtTime&amp;earliest=$dd_earliest$&amp;latest=$dd_latest$</link>
        </drilldown>

If it's a deal-breaker to have to manually URL-encode your drilldown search, you could also get the drilldown search to generate it's earliest and latest times dynamically with a subsearch. Set the drilldown time config to global use the folllowing drilldown search:

index="xxxx" sourcetype="xxxx" 
    [| makeresults 
    | eval earliest=$click.value$ - 300, latest=$click.value$
    | fields - _time
    | format] 
| table ProcessTime, FileName, StartDtTime, EndDtTime

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Tom_Lundie
Contributor
‎03-08-2023 02:05 PM

You can't dynamically change the token value like you're trying to do in the drilldown config.

The simplest way to solve this is to update a different token and use that to pass to your dashboard:

Example:

 

        <drilldown>
          <eval token="dd_earliest">$click.value$-300</eval>
          <eval token="dd_latest">$click.value$</eval>
          <link target="_blank">search?q=index%3D%22xxxx%22%20sourcetype%3D%22xxxx%22%20%7C%20table%20ProcessTime%2C%20FileName%2C%20StartDtTime%2C%20EndDtTime&amp;earliest=$dd_earliest$&amp;latest=$dd_latest$</link>
        </drilldown>

If it's a deal-breaker to have to manually URL-encode your drilldown search, you could also get the drilldown search to generate it's earliest and latest times dynamically with a subsearch. Set the drilldown time config to global use the folllowing drilldown search:

index="xxxx" sourcetype="xxxx" 
    [| makeresults 
    | eval earliest=$click.value$ - 300, latest=$click.value$
    | fields - _time
    | format] 
| table ProcessTime, FileName, StartDtTime, EndDtTime

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...