How to pass the time of an event to drill down

Kozanic
Path Finder

I'm trying to set up a drill down report that will list the events of a transaction, but I'm having an issue getting the date to pass through correctly.

This is the code of the original report (edited to reflect assistance provided so far):

  <row>
    <panel>
      <title>Last 7 Days Activities</title>
      <table>
        <title>Earliest: $e$ - Latest: $l$</title>
        <search ref="BluePrint Publish History - last 7 days">
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <eval token = "e">strptime($row.Startdate$,"%Y-%m-%d %H:%M:%S.%3N")</eval>
          <eval token = "l">$e$+1200</eval>
          <link target="My New Window">
              <![CDATA[/app/cherwell_ops/blueprint_drilldown?form.blueprint=$row.BlueprintName$&form.earliest=$e$&form.latest=$l$]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>

After adding in the tokens to the report, I can see that I'm still having issues with the latest time not generating (the panel title shows the Earliest value but the Latest value stays empty).

Not sure why this second token is not populating. Have already tried using

<eval token = "l">strptime($row.Startdate$,"%Y-%m-%d %H:%M:%S.%3N")+1200</eval>

but this gives the same result.

Any assistance is greatly appreciated.

EDIT:
I have managed to get this working, but needed to modify my original report to include _time (formatted as epoch time) as a column - I'm then able to pass that time through to the drill down.

Not sure why I have needed to go to this extreme; every other attempt failed in that it would either not pass through, or even when I could get it to pass through, it was not providing the correct date / time details.

0 Karma

DalJeanis
Legend

You probably want "latest" rather than "lastest".

0 Karma

Kozanic
Path Finder

Thanks for that. While a valid pickup in terms of pass-through, which I think has resolved part of my issues with the pass-through URL, it's not helping my tokens generate correctly.

0 Karma

niketn
Legend

@Kozanic, before coding the drilldown, you should always print the tokens to evaluate whether the tokens being passed to the drilldown are being set properly or not. For table drilldown the predefined token $row.<fieldname>$ should be used. However, if _time is the first column of the table, a better way to access it is via $click.value$

    <drilldown>
      <eval token="l">$click.value$+1200</eval>
      <link target="My New Window">
        <![CDATA[/app/cherwell_ops/blueprint_drilldown?form.blueprint=$row.BlueprintName$&form.earliest=$click.value$&form.latest=$l$]]>
      </link>
    </drilldown>

If the _time field is not the first column in the table, you should use the following eval

<eval token="e">strptime($row._time$,"%Y-%m-%d %H:%M:%S.%3N")</eval>
<eval token="l">strptime($row._time$,"%Y-%m-%d %H:%M:%S.%3N")+1200</eval>

Also print the tokens $e$ and $l$ in your dashboard to ensure they are picking up values as expected.

<table>
    <title>Earliest: $e$ - Latest: $l$</title>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
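The two dashboards below wire the thread's working approach end to end: the source table carries an epoch copy of _time (the column Kozanic ended up adding) and the drilldown passes it with the $row.<fieldname>$ tokens niketn describes, while the target form reads the form.* URL parameters straight into its search time bounds. This is an added example, not either poster's actual dashboard; everything except the BlueprintName field, the cherwell_ops app path and the 1200-second window is an assumption (the index, sourcetype, the Startepoch and PublishedBy field names, and the text inputs on the target form). The block shows two files in one fence, separated by a comment.

```xml
<!-- File 1, source dashboard. The search adds an epoch copy of _time so the
     drilldown passes a plain number; the index, sourcetype and the Startepoch
     and PublishedBy field names are assumed. -->
<dashboard>
  <label>BluePrint Publish History</label>
  <row>
    <panel>
      <title>Last 7 Days Activities</title>
      <table>
        <!-- keep this title while testing: it prints the tokens before you click -->
        <title>Earliest: $e$ - Latest: $l$</title>
        <search>
          <query>index=cherwell sourcetype=blueprint_publish
            | eval Startepoch=_time
            | table Startepoch BlueprintName PublishedBy</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- Startepoch is already numeric, so no strptime is needed -->
          <set token="e">$row.Startepoch$</set>
          <eval token="l">$row.Startepoch$ + 1200</eval>
          <link target="_blank">
            <![CDATA[/app/cherwell_ops/blueprint_drilldown?form.blueprint=$row.BlueprintName$&form.earliest=$e$&form.latest=$l$]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

<!-- File 2, target dashboard (blueprint_drilldown.xml in the cherwell_ops app).
     form.blueprint, form.earliest and form.latest in the URL populate the
     inputs with the matching token names; the search then uses the epoch
     values directly as its time bounds. -->
<form>
  <label>BluePrint drilldown</label>
  <fieldset submitButton="false">
    <input type="text" token="blueprint">
      <label>Blueprint</label>
    </input>
    <input type="text" token="earliest">
      <label>Earliest (epoch)</label>
    </input>
    <input type="text" token="latest">
      <label>Latest (epoch)</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events for $blueprint$ between $earliest$ and $latest$</title>
      <table>
        <search>
          <query>index=cherwell sourcetype=blueprint_publish BlueprintName="$blueprint$"
            | table _time BlueprintName PublishedBy</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

When testing, click a row and check that the source panel title shows two numbers (for example an epoch such as 1715000000 and that value plus 1200) rather than a formatted date string or an empty Latest; an empty value means the eval failed to parse, which is the symptom Kozanic hit when feeding a formatted Startdate into strptime.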

martin_mueller
SplunkTrust

There's a closing parenthesis missing in your eval element for e, and I'd use an eval element for the addition operation for l as well.

0 Karma

Kozanic
Path Finder

Thanks for that pick-up.

0 Karma