Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Invalid value Drilldown error
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Invalid value Drilldown error
ssingh313
Path Finder
08-03-2016
08:25 AM
I have a table on my dashboard which contains values that link to the actual data log on splunk. I am trying to open the data logs within the dashboard and I am using the drilldown code below but I keep on getting an "Invalid value "1468323531.846-1" for time term 'earliest' " error. Below is the code I'm using. Anyone know how I can fix this?
<drilldown>
<set token="tok_ShowEvents">true</set>
<set token="e">$click.value$-1</set>
<set token="l">$click.value$+1</set>
<set token="AttributeConnID">$row.AttributeConnID$</set>
<set token="AttributeANI">$row.AttributeANI$</set>
<set token="AttributeCallType">$row.AttributeCallType$</set>
<set token="AttributeDNIS">$row.AttributeDNIS$</set>
<set token="AttributeCallUUID">$row.AttributeCallUUID$</set>
</drilldown>
<option name="wrap">undefined</option>
<option name="rowNumbers">undefined</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bubble</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel depends="$tok_ShowEvents$">
<event>
<search>
<query> index=windoesapps sourcetype=Genesys_AvayaTserver earliest=$e$ latest=$l$ | eval x="$tok_ShowEvents$" | rex "(Trc|Adjusted|distribute_event|distribute_user_event|send_to_client|distribute_response):?\s\w+\s(?<EventName>\w+)"| rex "AttributeConnID'?\s'?(?<AttributeConnID>[^\t\n\r]+)"| rex "AttributeANI'?\s'?(?<AttributeANI>[^\t\n\r]+)"| rex "AttributeDNIS'?\s'?(?<AttributeDNIS>[^\t\n]+)"| rex "AttributeCallType'?\s'?(?<AttributeCallType>[^\t\n]+)"| rex "AttributeCallUUID'?\s'?(?<AttributeCallUUID>[^\t\n]+)"| rex "AttributeUserData'?\s'?(?<AttributeUserData>[^\t\n]+)" </query>
<earliest></earliest>
<latest></latest>
</search>
</event>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssingh313
Path Finder
08-03-2016
04:58 PM
This is what my entire code looks like right now. I tried removing the eval elements and it gives me a search is waiting for input error.
<form>
<label>Genesys Search Test</label>
<fieldset submitButton="false" autoRun="true">
<input type="text" token="tok_ID" searchWhenChanged="true">
<label>ConnID/CallUUID</label>
<default></default>
</input>
</fieldset>
<row>
<panel>
<title>Genesys Server</title>
<table>
<title>Avaya Tserver</title>
<search>
<query>index=windowsapps sourcetype=Genesys_AvayaTserver "$tok_ID$" | rex"(Trc|Adjusted|distribute_event|distribute_user_event|send_to_client|distribute_response):?\s\w+\s(?<EventName>\w+)"| rex"AttributeConnID'?\s'?(?<AttributeConnID>[^\t\n\r]+)"| rex"AttributeANI'?\s'?(?<AttributeANI>[^\t\n\r]+)"| rex"AttributeDNIS'?\s'?(?<AttributeDNIS>[^\t\n]+)"| rex"AttributeCallType'?\s'?(?<AttributeCallType>[^\t\n]+)"|rex"AttributeCallUUID'?\s'?(?<AttributeCallUUID>[^\t\n]+)"|rex"AttributeUserData'?\s'?(?<AttributeUserData>[^\t\n]+)"|table_time EventName AttributeConnID AttributeANI AttributeDNIS AttributeCallType AttributeCallUUID AttributeUserData| where isnotnull(AttributeANI)</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<drilldown>
<set token="tok_ShowEvents">true</set>
<set token="AttributeConnID">$row.AttributeConnID$</set>
<set token="AttributeANI">$row.AttributeANI$</set>
<set token="AttributeCallType">$row.AttributeCallType$</set>
<set token="AttributeDNIS">$row.AttributeDNIS$</set>
<set token="AttributeCallUUID">$row.AttributeCallUUID$</set>
</drilldown>
<option name="wrap">undefined</option>
<option name="rowNumbers">undefined</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bubble</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel depends="$tok_ShowEvents$">
<event>
<search>
<query>index=windowsapps sourcetype=Genesys_AvayaTserver earliest=$e$ latest=$l$ | rex "(Trc|Adjusted|distribute_event|distribute_user_event|send_to_client|distribute_response):?\s\w+\s(?<EventName>\w+)"| rex "AttributeConnID'?\s'?(?<AttributeConnID>[^\t\n\r]+)"| rex "AttributeANI'?\s'?(?<AttributeANI>[^\t\n\r]+)"| rex "AttributeDNIS'?\s'?(?<AttributeDNIS>[^\t\n]+)"| rex "AttributeCallType'?\s'?(?<AttributeCallType>[^\t\n]+)"| rex "AttributeCallUUID'?\s'?(?<AttributeCallUUID>[^\t\n]+)"| rex "AttributeUserData'?\s'?(?<AttributeUserData>[^\t\n]+)"</query>
<earliest></earliest>
<latest></latest>
</search>
</event>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssingh313
Path Finder
08-04-2016
11:18 AM
so I try this query and get a Error in 'eval' command: The expression is malformed. Expected ).
<query>index=windowsapps sourcetype=Genesys_AvayaTserver "$tok_ID$" | eval filter=if(_time<relative_time($e$, "-1s") OR _time>relative_time($e$,relative_time($e$, "+1s"), "No", "Yes") | where filter="Yes"</query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssingh313
Path Finder
08-05-2016
10:27 AM
Let me know if there are any other possible ideas
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
