Splunk Search

How to pass a hardcode time range through drilldown link to override default shared time picker of the dashboard?

wangkevin1029
Communicator

Hi, Splunkers, 

I have a dashboard with multiple panels, which all use shared time picker from token field2.

when I used the following drilldown link to send token Gucid_token,  time range is used dashboard's default time range. 

<drilldown>

          <link target="_blank">/app/appname/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token=$click.value2</link>

        </drilldown>

but when I click drilldown link, I prefer to use a different hardcode time range, like  "Last 7 days", instead of original default time range of my dashboard.

so, I added form.field2=Last 7 days in my drilldown link following  the 1st token form.Gucid_token=$click.value2  as below.

 

but unfortunately, it doesn't work. 

<drilldown>

          <link target="_blank">/app/appname/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token=$click.value2$&amp;form.field2=Last%207%20days</link>

        </drilldown>

 

anyone knows how to pass the hardcode time range through this drilldown link? 

 

thanks in advance.

 

Kevin

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It depends on what the drilldown search is expecting to receive in field2.  Perhaps this will work.

<drilldown>
  <link target="_blank">/app/appname/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token=$click.value2$&amp;form.field2=-7d</link>
</drilldown>
---
If this reply helps you, Karma would be appreciated.
0 Karma

wangkevin1029
Communicator

I tried  -7d@h, it doesn't work.

I noticed in input type=time.... 

<earliest>-7d@h</earliest>

<latest>now</latest>

 

not sure if it means for any last  24 hrs, 7 days, 30days,latest  field also need to be specified?

 

Kevin

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think we need to see the definition of the drilldown search to know what parameters to pass to it.

<earliest>-7d@h</earliest>
<latest>now</latest>

means the last 7 days until now.

---
If this reply helps you, Karma would be appreciated.
0 Karma

wangkevin1029
Communicator
<drilldown>
  <link target="_blank">/app/appname/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token=$click.value2$&amp;form.field2=-7d</link>
</drilldown>

 

the key/value patter following the dashboard link is 
?form.Gucid_token=$click.value2$&amp;form.field2=-7d

not sure how to add the following   two <a>xxx</a>  to  token fields...

<earliest>-7d@h</earliest>
<latest>now</latest>

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, we've seen how the drilldown is invoked, but not how the target is defined.  The KO at guciduuidsid_search_applied_rules_with_ors_log_kvp must be expecting certain fields to be provided.  The values of those fields likely are expected to be in a certain format.  Once we know that information then we can figure out how to get data from one place to the other.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...