I am trying to build a decent drilldown option and my current state is the following.
The search:
index="myIndex" AND MVSMSG=ICH70001I earliest=$earliest$ latest=$latest$ | timechart COUNT span=1h | sort -COUNT | head 3
But what I'd like to do is, that the events of the three timespans are displayed, when I click on one of the bars.
Is that possible and how? I played around a lot with the map-command and some other things, but it seems I'm not able to do this on my own.
Thanks in advance.
Hi @MBehm,
if I correctly understood your request, you should pass in drilldown the value on click and the extremes of time period.
In my dashboard the Time Picher's Token is named "Time", so in drilldown put:
<drilldown>
<link>your_drilldown_dashboard?token=$click.value2$&TimeDa=$Time.earliest$&TimeA=$Time.latest$</link>
</drilldown>
Then in the drilldown dashboard you have to call the three tokens.
Remember that if you manually modify code in Splunk editor, when you have &
you have to insert &
Ciao.
Giuseppe
You are overcomplicating things. You already know what your base search is that is in front of your timechart
command and you already have your timepicker
fields as tokens, so just hardcode your drilldown as
<drilldown>
<link target="_blank">search?q=index="myIndex" AND MVSMSG=ICH70001I earliest=$earliest$ latest=$latest$</link>
</drilldown>
Hi @MBehm,
if I correctly understood your request, you should pass in drilldown the value on click and the extremes of time period.
In my dashboard the Time Picher's Token is named "Time", so in drilldown put:
<drilldown>
<link>your_drilldown_dashboard?token=$click.value2$&TimeDa=$Time.earliest$&TimeA=$Time.latest$</link>
</drilldown>
Then in the drilldown dashboard you have to call the three tokens.
Remember that if you manually modify code in Splunk editor, when you have &
you have to insert &
Ciao.
Giuseppe
Thank you very much !
I was just not thinking about another Dashboard.
Works fine, the way you mentioned it. 🙂
Maybe you can give an example of your desired resultant search? If I understand it correctly, you want some sort of search according to the messageID you click. If so, you can set up a custom search/panel using the token $click.value2$ as value of messageID.
I'm already using the token. The part "MVSMSG=ICH70001I" of my given search is the "click.value2$" value. So I got this part.
My idea was to somehow get these messages (the ones with MVSMSG=$click.value2$), which were issued in the three time spans I selected.
But I wasn't able to find out if it is even possible to display events of time spans that are not contiguous.