Splunk Search

How to create a drilldown that passes a time to timerange.latest in a new search and adds a millisecond?

avilandau
Path Finder

I'm not sure this is the only way to do what I need, but it is the only thing I could think of. I have a table with multiple entries displayed and, on a click, I want to drill down to display the clicked record in more detail. The problem is that, other than the time, there is nothing that uniquely identifies the event, so I pass $row._time$ to the next form for both timerange earliest and latest. However, this gives an error that latest must be greater than earliest. If I then manually change the time by adding 1 millisecond, the search works okay. So, 2 questions:

1 - Is there an internal key from Splunk I can use to uniquely identify the row, so I don't need to use a time range?

2 - How can I pass the value of the row time + 1 millisecond (or any math, for that matter)? What is the format for this?

ramdaspr
Contributor

You can use the $earliest$ and $latest$ values, which are provided by the drilldown tokens.

So that would be

    <drilldown>
        <set token="tok_ear">$earliest$</set>
        <set token="tok_lat">$latest$</set>
    </drilldown>

Regarding adding a millisecond, you can use eval vari=$latest$+0.001 to add time, since the latest time would be sent in epoch-style timing.

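As an added example (not code posted by anyone in this thread), here is a complete Simple XML dashboard that implements the approach the question describes: the source table carries the clicked row's epoch time and that time plus one millisecond as hidden fields, the drilldown copies them into tokens, and a second panel searches exactly that one-millisecond window and renders the result in event format so every line of the multi-line field is visible. The index, sourcetype and field names (index=main, sourcetype=app_log, host, message) are constructed for the example and are not from the original post.

```xml
<form>
  <label>Drill down from a table row to the single event (added example)</label>
  <row>
    <panel>
      <title>Source table (click a row)</title>
      <table>
        <search>
          <!-- tok_ear/tok_lat are computed in SPL rather than in the drilldown so
               that both are plain epoch numbers; round() keeps the +1 ms value at
               millisecond precision instead of a long floating-point tail. -->
          <query>index=main sourcetype=app_log
| eval tok_ear = _time
| eval tok_lat = round(_time + 0.001, 3)
| table _time host message tok_ear tok_lat</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Only these columns are displayed; tok_ear and tok_lat stay in the
             result row and remain available as $row.tok_ear$ / $row.tok_lat$. -->
        <fields>_time host message</fields>
        <drilldown>
          <set token="tok_ear">$row.tok_ear$</set>
          <set token="tok_lat">$row.tok_lat$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- The detail panel only appears once a row has been clicked. -->
    <panel depends="$tok_ear$">
      <title>Clicked event in full</title>
      <event>
        <search>
          <!-- Repeat the source search's filters: the one-millisecond window
               narrows by time, but any other event logged in the same millisecond
               would still match, because time alone is not a unique key. -->
          <query>index=main sourcetype=app_log</query>
          <earliest>$tok_ear$</earliest>
          <latest>$tok_lat$</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
```

The second panel's time range is earliest = the event's own _time and latest = _time + 0.001, which is the minimal window the question asks for while still satisfying the rule that latest must be greater than earliest. If the source data can contain several events in the same millisecond, add a further filter (for example host=$row.host$ passed as another token) rather than relying on the time range alone.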

sideview
SplunkTrust

Real quick, and I'll update later if necessary: $row._time$ is a sort of sneaky, low-level way to do this. Kudos for thinking of it.

Short Version:
But in Sideview XML you'll want to use $search.timeRange.earliest$ and $search.timeRange.latest$ instead.

Long Version:
In Sideview XML, $row.foo$ will get the raw value of the "foo" field for that row. $row._time$ will get the epoch-time value, i.e. the number of seconds since 1970, which is weird because most people think of _time as a string-valued, locale-aware time. All that locale stuff happens in the table code when it's rendered, believe it or not.

Anyway, you want to use $search.timeRange.earliest$ and $search.timeRange.latest$. Underneath a table drilldown where the rendered results come from a timechart command, there will be both a _time field and, although you might never have been aware of it, a "_span" field. Between the two and the row clicked, the Sideview code will figure out and populate those keys ($search.timeRange.earliest$ and $search.timeRange.latest$) with the correct values for the drilldown.


avilandau
Path Finder

Thanks. Let me explain exactly what I need. There is no timechart involved, but rather a drilldown from one table to another. The source table displays multiple lines, where one of the fields is a free-text field consisting of a single line for some records and multiple lines for others (i.e. there could be several "new lines" embedded in this field). The source table displays only the first line of this field, so I see a group of records on one page. When I click on a specific row, I want to show just that record in a second table, displayed in "event" format so I see all the lines of that event. The problem I have is generating the right search for the second table to produce only that row, and I can do it by including the right time range. I want to take the time of the clicked record and add as little as possible to the "latest" so I will catch only that record. I'm using "set token" and right now I pass two tokens. I can manually change one of them and then the search is right, but I really want to set them right in the first place.

I will try to check what _span gives me (I'll set a token with this name and look at the form.token input field to see what it is).


sideview
SplunkTrust

If you already have a _time value, just add | eval _span=1 into your search, or add it via a PostProcess. Because the field name begins with an underscore, by Splunk convention it will not actually be rendered in the visible table (_time is the one exception to this rule).

As soon as you have both _time and _span present in the raw data, the Table will automatically create and set $search.timeRange.earliest$ and $search.timeRange.latest$ to the exact values you need, namely a time range that starts at the time of the given event and ends 1 second later.
