Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

View events changes timeframe

shayhibah
Path Finder
‎10-14-2018 02:56 AM

I have dashboards with drill down option.
The drill down query contains custom earliest and latest tokens since there was an issue with the time frame.

<link>....|rename "0" as "High" "1" as "Critical" | table _time,"Critical","High"&amp;earliest=$clicked_earliest_date$&amp;latest=$clicked_latest_date$</link>

After drilling down, the time frame is correct (based on the clicked event time value):
** 158 events (9/14/18 12:00:00.000 AM to 9/15/18 12:00:00.000 AM) **

But, when click on the results and choose "view events", the time frame is changed to its old value (which was wrong - 1 ms instead of 2 days).
0 events (9/14/18 12:00:00.000 AM to 9/14/18 12:00:00.001 AM)

How can I fix it?

Tags (1)
0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-16-2018 02:41 AM

Which is your splunk version and it will be good if you post your Dashboard XML code (Mask any sensitive data) ?

For me it is working fine in Splunk 7.1.2with below test Dashboard XML

<form>
  <label>dashboard test 1</label>
  <row>
    <panel>
      <input type="time" token="time_tok" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <query>index=_internal | head 10 | stats count by host</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">search?q=index=_internal host=$row.host$ bytes=* | table bytes&amp;earliest=$time_tok.earliest$&amp;latest=$time_tok.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

shayhibah
Path Finder
‎10-14-2018 10:19 PM

Any expert?

0 Karma
Reply

Vijeta
Influencer
‎10-15-2018 12:26 PM

Try form.earliest =$clicked_earliest_date$&form.latest=$clicked_latest_date$ in your link tag

0 Karma
Reply

shayhibah
Path Finder
‎10-15-2018 10:16 PM

hi @Vijeta

Unfortunately it does not work.
After drill down the first time, I clicked on the cell in the table and before clicking on view events, I noticed that in this small picker, the timeframe is wrong and not the same as the search bar.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...