
Is it possible to display events of multiple _time-values at once?

New Member

I am trying to build a decent drilldown option and my current state is the following.

  • I have a timechart with the number of occurrences of multiple messageIDs.
  • If I click on one of my bars, I am able to find the three "one-hour timespans" with the highest count of events. (This way I am trying to get the timespans with the highest probability of containing the reason for an anomaly.)

The search:

index="myIndex" AND MVSMSG=ICH70001I earliest=$earliest$ latest=$latest$ | timechart COUNT span=1h | sort -COUNT | head 3

But what I'd like is for the events of the three timespans to be displayed when I click on one of the bars.

Is that possible, and how? I played around a lot with the map command and some other things, but it seems I'm not able to do this on my own.

Thanks in advance.


Re: Is it possible to display events of multiple _time-values at once?

Builder

Maybe you can give an example of your desired resulting search? If I understand correctly, you want some sort of search according to the messageID you click. If so, you can set up a custom search/panel using the token $click.value2$ as the value of messageID.


Re: Is it possible to display events of multiple _time-values at once?

New Member

I'm already using the token. The "MVSMSG=ICH70001I" part of my given search is the $click.value2$ value, so I've got this part.

My idea was to somehow get those messages (the ones with MVSMSG=$click.value2$) which were issued in the three time spans I selected.

But I wasn't able to find out whether it is even possible to display events of time spans that are not contiguous.


Re: Is it possible to display events of multiple _time-values at once?

Legend

Hi @MBehm,
if I understood your request correctly, you should pass the clicked value and the extremes of the time period in the drilldown.
In my dashboard the Time Picker's token is named "Time", so in the drilldown put:

<drilldown>
     <link>your_drilldown_dashboard?token=$click.value2$&amp;TimeDa=$Time.earliest$&amp;TimeA=$Time.latest$</link>
</drilldown>

Then in the drilldown dashboard you have to call the three tokens.

Remember that if you manually modify the code in the Splunk editor, when you have & you have to insert &amp; instead.

Ciao.
Giuseppe


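As an added, worked example (not code posted by anyone in this thread), here is a target dashboard that consumes the three tokens from the drilldown link in the answer above and also does what the original question asked for: it lists the events of the three busiest hours even though those hours are not contiguous. It assumes the token names "token", "TimeDa" and "TimeA" from the answer, the index and field names from the question, and that Splunk sets bare URL query parameters as dashboard tokens of the same name (which is what the link in the answer relies on). The non-contiguous ranges are handled with a subsearch that returns one earliest/latest pair per hour; Splunk combines those pairs with OR into the outer search, so a single search covers all three windows.

```xml
<dashboard>
  <label>Events of the three busiest hours</label>
  <!-- Assumed token names, taken from the drilldown link in the answer above:
       $token$  = the clicked MVSMSG value
       $TimeDa$ = earliest of the source dashboard's time picker
       $TimeA$  = latest of the source dashboard's time picker
       They arrive as URL query parameters and become dashboard tokens. -->
  <row>
    <panel>
      <title>Top 3 one-hour windows for MVSMSG=$token$</title>
      <table>
        <search>
          <query>index="myIndex" MVSMSG=$token$ earliest=$TimeDa$ latest=$TimeA$
| bin _time span=1h
| stats count by _time
| sort -count
| head 3</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events in those three windows</title>
      <!-- The subsearch recomputes the same three windows and returns one row per
           window with the fields earliest and latest (epoch seconds). Splunk rewrites
           multiple rows as (earliest=.. latest=..) OR (earliest=.. latest=..) OR ...,
           so the outer search is restricted to exactly those non-contiguous hours.
           latest=_time+3600 is the exclusive end of a 1h bin. -->
      <event>
        <search>
          <query>index="myIndex" MVSMSG=$token$ earliest=$TimeDa$ latest=$TimeA$
  [ search index="myIndex" MVSMSG=$token$ earliest=$TimeDa$ latest=$TimeA$
    | bin _time span=1h
    | stats count by _time
    | sort -count
    | head 3
    | eval earliest=_time, latest=_time+3600
    | fields earliest latest ]
| sort -_time</query>
        </search>
        <option name="type">list</option>
        <option name="count">50</option>
      </event>
    </panel>
  </row>
</dashboard>
```

Both panels share the same outer time constraint, so the second panel's subsearch sees the same three windows the first panel shows. Because the subsearch returns only three rows it stays far below the default subsearch result limit, and the windows are recomputed in the target dashboard rather than passed through the URL, which keeps the drilldown link to the three tokens the answer already uses.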

Re: Is it possible to display events of multiple _time-values at once?

New Member

Thank you very much!
I just wasn't thinking about another dashboard.
Works fine the way you mentioned it. 🙂


Re: Is it possible to display events of multiple _time-values at once?

Esteemed Legend

You are overcomplicating things. You already know what your base search in front of your timechart command is, and you already have your timepicker fields as tokens, so just hardcode your drilldown as

<drilldown>
    <link target="_blank">search?q=index="myIndex" AND MVSMSG=ICH70001I earliest=$earliest$ latest=$latest$</link>
</drilldown>