Solved: Re: Using a timechart click.value as the midpoint ...

Braagi · ‎03-19-2025

So, have a timechart with multiple streams.
Call them X, Y, and Z.
Run the panel for a 4h timeframe.
I want to click a peak or valley on one of the lines, take the name of that line (got this part done) and the exact time that was clicked on ( I think this is click.value ) and pass them to another panel in the same dashboard.
The "click.value" should be an epoch time...aka a number... so I should be able to add or subtract say 300 from that number and use them as the earliest and latest variables for a search.
Effectively I want to do ("click.value"-300) for earliest and ("click.value"+300) for latest on another panel making it a 10 minute window with the point that was clicked on being the mid-point.
I have tried in-line :

<set token="Drill_time_1">$click.value$ - 300</set>
<set token="Drill_time_2">$click.value$ + 300</set>

I have tried in-search :

earliest=$Drill_time_1$-300 latest=$Drill_time_2$+300

...And various combinations there-of.

All to no avail. Anyone have an idea?

bowesmana · ‎03-19-2025

@Braagi In your drilldown use an <eval> token setter, i.e.

        <drilldown>
          <eval token="drill_time_start">$click.value$-300</eval>
          <eval token="drill_time_end">$click.value$+300</eval>
        </drilldown>

View solution in original post

livehybrid · ‎03-20-2025

Hi @Braagi

I would use eval for this rather than set. Have a look at the example below which uses a timechart as you mentioned and then sets the earliest/latest for a stats table on the left:

<dashboard version="1.1" theme="light">
  <label>AnswersTesting</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|tstats count where index=_internal earliest=$form.earliest$ latest=$form.latest$ by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>ClickVal = $form.earliest$ - $form.latest$</title>
      <chart>
        <search>
          <query>|tstats count where index=_internal by _time, host span=1m | timechart span=1m sum(count) as count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="form.earliest">$click.value$-300</eval>
          <eval token="form.latest">$click.value$+300</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

bowesmana · ‎03-19-2025

@Braagi In your drilldown use an <eval> token setter, i.e.

        <drilldown>
          <eval token="drill_time_start">$click.value$-300</eval>
          <eval token="drill_time_end">$click.value$+300</eval>
        </drilldown>

Using a timechart click.value as the midpoint of another panel's earliest and latest

other

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation