Solved: Re: Using a timechart click.value as the midpoint ...

Braagi · ‎03-19-2025

So, have a timechart with multiple streams.
Call them X, Y, and Z.
Run the panel for a 4h timeframe.
I want to click a peak or valley on one of the lines, take the name of that line (got this part done) and the exact time that was clicked on ( I think this is click.value ) and pass them to another panel in the same dashboard.
The "click.value" should be an epoch time...aka a number... so I should be able to add or subtract say 300 from that number and use them as the earliest and latest variables for a search.
Effectively I want to do ("click.value"-300) for earliest and ("click.value"+300) for latest on another panel making it a 10 minute window with the point that was clicked on being the mid-point.
I have tried in-line :

<set token="Drill_time_1">$click.value$ - 300</set>
<set token="Drill_time_2">$click.value$ + 300</set>

I have tried in-search :

earliest=$Drill_time_1$-300 latest=$Drill_time_2$+300

...And various combinations there-of.

All to no avail. Anyone have an idea?

bowesmana · ‎03-19-2025

@Braagi In your drilldown use an <eval> token setter, i.e.

        <drilldown>
          <eval token="drill_time_start">$click.value$-300</eval>
          <eval token="drill_time_end">$click.value$+300</eval>
        </drilldown>

View solution in original post

livehybrid · ‎03-20-2025

Hi @Braagi

I would use eval for this rather than set. Have a look at the example below which uses a timechart as you mentioned and then sets the earliest/latest for a stats table on the left:

<dashboard version="1.1" theme="light">
  <label>AnswersTesting</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|tstats count where index=_internal earliest=$form.earliest$ latest=$form.latest$ by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>ClickVal = $form.earliest$ - $form.latest$</title>
      <chart>
        <search>
          <query>|tstats count where index=_internal by _time, host span=1m | timechart span=1m sum(count) as count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="form.earliest">$click.value$-300</eval>
          <eval token="form.latest">$click.value$+300</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

bowesmana · ‎03-19-2025

@Braagi In your drilldown use an <eval> token setter, i.e.

        <drilldown>
          <eval token="drill_time_start">$click.value$-300</eval>
          <eval token="drill_time_end">$click.value$+300</eval>
        </drilldown>

Using a timechart click.value as the midpoint of another panel's earliest and latest

other

timechart

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?