Hello,
Here is the description of the process and what I am looking for. The user is aware of zooming in the chart, but wants a second chart in a drill-down on click.
1) This is the first time chart search
index=xxxx sourcetype=aaaa earliest=-7d latest=now | fields TA, TM| timechart span=15m max(TM), avg(TA)
2) From this chart when user clicks a point I want to add and subtract some time to use for next chart.
3) Here is the second time chart search
index=xxxx sourcetype=aaaa earliest="$calculated_earliest_time$" latest="$calculated_latest_time$" | fields TA, TM | timechart span=1sec max(TM), avg(TA)
Example of calculated_earliest_time and calculated_latest_time in the above query
calculated_earliest_time = selected_time - 30 minutes
calculated_latest_time = selected_time + 30 minutes.
Although I can add eval functions to restrict the time frame by using a pipe, I do not want the second search reading events that are outside the specified time range.
I want to use calculated time fields in beginning of the second time chart search.
I had this issue too and forced the time via a subsearch which will output a string with earliest and latest into the actual search query
The subsearch would be something like
[search index=myindex |head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM| timechart span=1sec max(TM), avg(TA)
Hello ramadaspr,
It is resolved now. I could use the search above (including the subsearch) in the dashboard.
Thank You for your help.
ramadaspr,
You are correct, your initial search example works. What I did not realize was that there was an issue with the Splunk forwarder and it did not forward the data to Splunk for the period I was looking for. It is now resolved.
Now I am trying to use it in my dashboard XML. When I click on a time point on the graph it still waits on "search on waiting for input".
Still researching what the issue is. It could be something to do with the "$" sign used in tokens in the search.
[search index=xxxx | head 1 | eval earliest=$selected_time$-300 | eval latest=$selected_time$+300
| table earliest latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa Monitor
| fields Throughput_Avg, Throughput_Max | timechart span=1sec max(Throughput_Max), avg(Throughput_Avg)
The subsearch I provided shouldn't be causing that issue; it only outputs a string which is used by the following query. Does your query provide any results when you fire it without the subsearch?
Another query you can try is:
[|gentimes start=-1| eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] your query here
You can also try Raghav's approach mentioned @ http://answers.splunk.com/answers/215176/subtracting-30-minutes-from-passed-drilldown-param.html
Thomra and Ramdaspr,
Thank you for your response.
Ramdaspr's response seems closer to the resolution I am looking for.
Ramdaspr,
I have tried your suggestion and it does not return any data. If I remove sourcetype from the query it returns data within the desired time frame (-30 minutes to +30 minutes), which is not the data I am looking for since this index has multiple sourcetypes. I tried both ways below with sourcetype and did not get any data. Is there some other way the search needs to be rewritten to produce the desired result?
a) [search index=xxxx | head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa
b) [search index=xxxx | head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest,sourcetype | format "(" "(" "" ")" "OR" ")"] index=xxxx
I'm adding this in case anyone else finds this as I did. If you want to use this to modify the time range of a chart in a dashboard with a shared time picker then you have to deal with the fact that $time.latest$ will spit out "now" if the latest time is now, or epoch time if it's not. To get round this you can add something like this:
eval earliest=if("$time.latest$" == "now","-2m",$time.latest$-120)
In my case I wanted to limit this particular chart to the latest 2 minutes of the selected time range.
Tokens may work for you. You can pass the timeframe the user clicks and perform your search. You can add:
<row depends="$token$">
to prevent the row from showing until the token is present, i.e. until the user clicks.
While this will not do the add/subtract time, you get close. I have a similar situation where I want to expand the time defined by the token; the only way I see to do that is with a little JS. This is on my todo list to finalize for a current project.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/tokens
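As an added example (not from anyone in this thread), here is a Simple XML dashboard that does the +/-30 minute drill-down from the original question using the tokens approach above: the drilldown computes earliest/latest tokens from the clicked point, the second search takes them in its own earliest/latest elements (so the bounds are applied when the search is dispatched, not after a pipe), and depends keeps the detail row hidden until a click happens. It assumes a Splunk version whose Simple XML drilldown supports eval tokens and that $click.value$ holds the clicked bucket's _time in epoch seconds; the index, sourcetype and field names are the placeholders from the question.

```xml
<form>
  <label>Drilldown from 15 minute chart to 1 second chart (example)</label>
  <fieldset submitButton="false">
    <input type="time" token="tp">
      <label>Time range</label>
      <default><earliest>-7d</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Overview (15 minute buckets)</title>
        <search>
          <query>index=xxxx sourcetype=aaaa | fields TA, TM | timechart span=15m max(TM), avg(TA)</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <drilldown>
          <!-- $click.value$ is the clicked x-axis value: the bucket's _time in epoch seconds.
               The eval tokens carry the +/- 30 minute (1800 s) window into the second search. -->
          <eval token="sel_earliest">$click.value$ - 1800</eval>
          <eval token="sel_latest">$click.value$ + 1800</eval>
        </drilldown>
      </chart>
    </panel>
  </row>
  <!-- depends keeps this row (and its search) from running until a point has been clicked,
       which also avoids the "waiting for input" state described in the thread. -->
  <row depends="$sel_earliest$">
    <panel>
      <chart>
        <title>Detail: 30 minutes either side of the selected point (1 second buckets)</title>
        <search>
          <!-- earliest/latest come from the tokens, so no events outside the window are read -->
          <query>index=xxxx sourcetype=aaaa | fields TA, TM | timechart span=1s max(TM), avg(TA)</query>
          <earliest>$sel_earliest$</earliest>
          <latest>$sel_latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

If the dashboard's shared time picker can end at "now", apply the same if("$time.latest$" == "now", ...) guard shown earlier in the thread before doing arithmetic on a picker token.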