- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a timechart that drills down to a ta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a timechart that drills down to a table with relevant data when I click a data point or select a time range in the chart?
How to add a click and selection event to a timechart like using Javascript in Web Development?
Is there anyone who knows which demo I can follow or docs easy to understand? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just before the timechart command have a table command to print the required values like
<your base search> | table _time, id, status | timechart span=1h count(id) as Count by status
This way when you click on timechart the drilldown will search for the required details in table. If you click on any event detail in the table it will drill down to the raw event.
Edited to add tokens available on Zooming in a timechart
Since you want to Drill Down the details of Selection made in chart when it is zoomed in you would need to code the selection event in the Simple XML. Following code from the timechart will extract the epoch start time and end time from the selection. Refer to Pan and Zoom chart Controls example in the Splunk 6.x Dashboard Examples App for details
<selection>
<set token="selection.earliest">$start$</set>
<set token="selection.latest">$end$</set>
<set token="start.count">$start.count$</set>
<set token="end.count">$end.count$</set>
</selection>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay Thanks. I've tried your suggestion in my query. And it work that when i click the point it will redirect me to another page with a new search. But when i drag and select multi points in chart, it only zoom the chart. So, my real need is that the table show events queried according to the time of the point clicked or the time range of the points selected by drag.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you want tokens to be available after zooming in a chart, I have edited my answer for the same. Please refer to Splunk 6.x Dashboard Examples App if you need more details or complete example.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this online doc gets you started
http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/tokens
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sundareshr Thank you for answer my question and give me support again. I've glance over the token. And it was like programming language variables. My difficulty is that i don't know how to response to a "click" or "select" in timechart? It means when i click in the chart, a table should display under the chart. The table show the information of the point clicked by me in chart .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this helps, if not, share your queries for both the timechart as well as the resulting table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sundareshr Thank you very much.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
