Hi guys
I have a problem here and I need ur help!
I have a table in a dashboard with column _time. I would like to rename _time as time so I tried 2 methods to do that.
Method A:
index="from_host_demo" source="Perfmon:Network Interface" | convert timeformat="%Y/%m/%d %T" ctime(_time) as time | table time collection counter Value
and Method B:
index="from_host_demo" source="Perfmon:Network Interface" | rename _time as time | table time collection counter Value| fieldformat time=strftime(time, "%Y/%m/%d %T")
Both methods work well and I got what I wanted, but I soon found I got no event if I drill down from tables and I see the format of _time causes this problem.
For example, if I drill down the second table, the search line would be
index="from_host_demo" source="Perfmon:Network Interface" Value="283.51863284535062" | eval time=_time | search time="2015/07/30 11:26:34"
and got no events. But if I change the search line into
index="from_host_demo" source="Perfmon:Network Interface" Value="283.51863284535062" | eval time=_time | search time="1438226794"
then the event I want comes out.
So I tried to change the drilldown link as below:
<drilldown target="_blank">
<link>
<![CDATA[search?q=index="from_host_demo" collection="$row.collection$" counter="$row.counter$" Value="$row.Value$" | convert timeformat="%Y/%m/%d %T" ctime(_time) as time |where time="$row.time$"]]>
</link>
</drilldown>
If I drill down the table, it comes out "loading" and will not even show any result! However, when I typed the search line in the search page without tokens, but with data, it worked!
So what I want is to rename the _time column, but still have the drilldown function work. What should I do to solve this problem? And by the way, what is the difference between method A and method B? Thx a lot!
... View more