How to pass the time of an event to drill down

Kozanic · ‎07-23-2017

I'm trying to set up a drill down report that will list the events of a transaction, but having issue getting the date to pass through correctly.

This is the code of the original report (edited to reflect assistance provided so far):

  <row>
    <panel>
      <title>Last 7 Days Activities</title>
      <table>
        <title>Earliest: $e$ - Latest: $l$</title>
        <search ref="BluePrint Publish History - last 7 days">
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <eval token = "e">strptime($row.Startdate$,"%Y-%m-%d %H:%M:%S.%3N")</eval>
          <eval token = "l">$e$+1200)</eval>          
          <link target="My New Window">
              <![CDATA[/app/cherwell_ops/blueprint_drilldown?form.blueprint=$row.BlueprintName$&form.earliest=$e$&form.latest=$l$]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>

After adding in the tokens to the report, I can see that I'm still having issues with latest time not generating:

Not sure why this second token is not populating. Have already tried using

<eval token = "l">strptime($row.Startdate$,"%Y-%m-%d %H:%M:%S.%3N")+1200</eval>

but this gives the same result.

Any assistance is greatly appreciated.

EDIT:
I have managed to get this working, but needed to modify my original report to include _time (formatted as epoch time) as a column - I'm then able to pass that time through to the drill down.

Not sure why I have needed to go to this extreme, every other attempt failed in that it would either not pass through - or even when I could get it to pass though - was not providing the correct date / time details.

DalJeanis · ‎07-24-2017

You probably want "latest" rather than "lastest".

Kozanic · ‎07-24-2017

Thanks for that - while a valid pickup in terms of pass through, which I think has resolved part of my issues with the pass-through URL, it's not helping my tokens generating correctly.

niketn · ‎07-24-2017

@Kozanic, before coding the drilldown, you should always print to evaluate whether the tokens being passed to drilldown are being set properly or not. For table drilldown the predefined token $row.<fieldname>$ should be used. However, if _time is the first column of the table, better way to access it is via $click.value$

     <drilldown>
      <eval token = "l"> $click.value$+1200</eval>
       <link target="My New Window">
           <![CDATA[/app/cherwell_ops/blueprint_drilldown?form.blueprint=$row.BlueprintName$&form.earliest=$click.value$&form.lastest=$l$]]>
       </link>
     </drilldown>

If _time field is not the first column in the table, you should use the following eval

<eval token="e">strptime($row._time$,"%Y-%m-%d %H:%M:%S.%3N")</eval>
<eval toke="l">strptime($row._time$,"%Y-%m-%d %H:%M:%S.%3N")+1200</eval>

Also print the tokens $e$ and $l$ in your dashboard to ensure they are picking up values as expected

<table>
    <title>Earliest: $e$ - Latest: $l$</title>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

martin_mueller · ‎07-24-2017

There's a closing parenthesis missing in your eval element for e, and I'd use an eval element for the addition operation for l as well.

Kozanic · ‎07-24-2017

Thanks for that pick up

How to pass the time of an event to drill down

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!