I have a search
index=abc sourcetype=xyz | bucket created_time span=1w | stats count by date_epoch | eval date_readable = strptime(date_epoch, "%m-%d-%Y %H:%M:%S")
This results in a BAR GRAPH
Y-AXIS -> Count
X-AXIS -> date_readable
BUT, when the user clicks on any BAR, the drill down takes him to the search page with ALL THE EVENTS and not just the clicked events.
That is happening because of the last condition in the search query, where I am converting the EPOCH to READABLE.
I need to show the READABLE format of the date on the graph and at the same time want my drill down to work.
Drill down seems to work only on EPOCHS.
How can I achieve this?
@joydeep741, your current query seems incorrect, as created_time seems to be used to bucket time with a 1w span. However, date_epoch has been used in the stats command afterwards.
We are not sure whether either of these two is actually converted from string time to epoch time or not. strptime() converts string time to epoch and strftime() converts epoch time to string. Also, between the eval and fieldformat commands, the latter converts the value for display while retaining the original data type, i.e. if you use strftime() with fieldformat, the underlying value will be epoch time but the display value will be string time.
Given these behaviors, and assuming created_time is the string time based on which you want to create this chart and chart drilldown, and that it has the format MM-DD-YYYY HH:MM:SS, you can try the following
index=abc sourcetype=xyz
| eval _time=strptime(created_time,"%m-%d-%Y %H:%M:%S")
| timechart span=1w count
PS: You would need a further base search based on the overall time selected in the Time Picker, as you need to work with created_time as earliest and latest and not _time as earliest and latest time. However, it becomes a bit complicated because your string date format does not sort like YYYY-mm-dd HH:MM:SS; instead it is mm-dd-YYYY HH:MM:SS. So you would need to ensure that the time selected is a wide enough range to cover all the events with the required created time, and also an additional filter within the query to check that the epoch created time falls within the range of the required earliest and latest time.
You can re-evaluate whether you always need to use created time as _time for your searches. Only if so should you define props.conf in a way that created_time is selected as the event timestamp. However, this might not be true, so verify the requirement first.
Try this:
index=abc sourcetype=xyz
| eval _time = date_epoch
| timechart span=1w count
Hi @woodcock
This gives me right chart.
I am able to drill down.
BUT, say I selected events for the month of MAY in the bar graph.
On the drill down page it will show me all events of MAY.
AND NOT all events where date_epoch was in MAY.
So I am getting slightly deviated results on drill down.
Do not rely on automatic drilldown; manually set it and carry over the | eval _time = date_epoch part. See the Dashboards Examples app or wait for @niketnilay to show up and save the dashboard day.
created_time is a typo. It is actually date_epoch.
But I have understood the logic here.
Thanks man. This resolves the issue.
@joydeep741, glad this worked for you. Do consider adding the right filters in your base search in case created_time is not _time! Let us know if you need further help!
Drill down works fine. But as you said, since the events displayed will consider the earliest and latest of _time and not created_time, the results on the search page are slightly deviated.
I am not sure how I can tweak the logic to cater for this part as well.
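As an added example (not code posted by anyone in this thread), here is what "manually set the drilldown and carry over the eval" looks like in a Simple XML dashboard, and how it addresses the earliest/latest deviation raised above: the chart click only sets tokens, and a second panel selects events on date_epoch rather than on indexed _time. The index, sourcetype and the date_epoch field come from the thread; the time-picker default, the token names bar_earliest/bar_latest, and the assumption that the chart's $earliest$/$latest$ drilldown tokens arrive as epoch seconds (the x-axis is _time) are mine.

```xml
<form>
  <!-- Added example, not from the thread. Assumes index=abc sourcetype=xyz and that
       date_epoch holds epoch seconds. The time picker still bounds indexed _time, so it
       must be wide enough to contain every event whose date_epoch you care about. -->
  <label>Events by created time (date_epoch)</label>
  <fieldset submitButton="false">
    <input type="time" token="tp">
      <label>Indexed time range (choose wider than the created times of interest)</label>
      <default>
        <earliest>-180d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Count per week of date_epoch</title>
      <chart>
        <search>
          <query>index=abc sourcetype=xyz | eval _time=date_epoch | timechart span=1w count</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <!-- Manual drilldown: store the clicked bar's bucket boundaries (assumed to be epoch
             seconds) in tokens instead of letting Splunk open a search bounded by _time. -->
        <drilldown>
          <set token="bar_earliest">$earliest$</set>
          <set token="bar_latest">$latest$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <!-- The detail row is hidden until a bar has been clicked. -->
  <row depends="$bar_earliest$">
    <panel>
      <title>Events whose date_epoch falls in the clicked week</title>
      <event>
        <search>
          <!-- A literal '<' must be written as &lt; inside Simple XML. The picker bounds
               _time; the where clause does the real selection on date_epoch. -->
          <query>index=abc sourcetype=xyz
| where date_epoch>=$bar_earliest$ AND date_epoch&lt;$bar_latest$
| eval _time=date_epoch
| sort - _time</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="count">20</option>
      </event>
    </panel>
  </row>
</form>
```

The detail search is still bounded by the time picker on indexed _time, which is exactly the caveat given earlier in the thread: an event created in the clicked week but indexed outside the picker range will not appear, so keep the picker range generous rather than tight. If your Splunk version hands the chart's $earliest$/$latest$ tokens over as formatted strings instead of epoch seconds, convert them with strptime() in the where clause before comparing against date_epoch.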
This may be an instance where renaming created_time to _time and using a timechart might be best.
try:
index=abc sourcetype=xyz | rename created_time as _time | timechart span=1w count