Splunk Search

How to pass a hardcode time range through drilldown link to override default shared time picker of the dashboard?

wangkevin1029
Path Finder

Hi, Splunkers, 

I have a dashboard with multiple panels, which all use shared time picker from token field2.

when I used the following drilldown link to send token Gucid_token,  time range is used dashboard's default time range. 

<drilldown>

          <link target="_blank">/app/appname/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token=$click.value2</link>

        </drilldown>

but when I click drilldown link, I prefer to use a different hardcode time range, like  "Last 7 days", instead of original default time range of my dashboard.

so, I added form.field2=Last 7 days in my drilldown link following  the 1st token form.Gucid_token=$click.value2  as below.

 

but unfortunately, it doesn't work. 

<drilldown>

          <link target="_blank">/app/appname/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token=$click.value2$&amp;form.field2=Last%207%20days</link>

        </drilldown>

 

anyone knows how to pass the hardcode time range through this drilldown link? 

 

thanks in advance.

 

Kevin

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

It depends on what the drilldown search is expecting to receive in field2.  Perhaps this will work.

<drilldown>
  <link target="_blank">/app/appname/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token=$click.value2$&amp;form.field2=-7d</link>
</drilldown>
---
If this reply helps you, Karma would be appreciated.
0 Karma

wangkevin1029
Path Finder

I tried  -7d@h, it doesn't work.

I noticed in input type=time.... 

<earliest>-7d@h</earliest>

<latest>now</latest>

 

not sure if it means for any last  24 hrs, 7 days, 30days,latest  field also need to be specified?

 

Kevin

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think we need to see the definition of the drilldown search to know what parameters to pass to it.

<earliest>-7d@h</earliest>
<latest>now</latest>

means the last 7 days until now.

---
If this reply helps you, Karma would be appreciated.
0 Karma

wangkevin1029
Path Finder
<drilldown>
  <link target="_blank">/app/appname/guciduuidsid_search_applied_rules_with_ors_log_kvp?form.Gucid_token=$click.value2$&amp;form.field2=-7d</link>
</drilldown>

 

the key/value patter following the dashboard link is 
?form.Gucid_token=$click.value2$&amp;form.field2=-7d

not sure how to add the following   two <a>xxx</a>  to  token fields...

<earliest>-7d@h</earliest>
<latest>now</latest>

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, we've seen how the drilldown is invoked, but not how the target is defined.  The KO at guciduuidsid_search_applied_rules_with_ors_log_kvp must be expecting certain fields to be provided.  The values of those fields likely are expected to be in a certain format.  Once we know that information then we can figure out how to get data from one place to the other.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...