How can I modify earliest time and latest time before passing these tokens set on click from chart to another?

sduddilla
Path Finder

Hello,
Here is the description of the process and what I am looking for. The user is aware of zooming in the chart, but wants a second chart in a drilldown on click.
1) This is the first time chart search
index=xxxx sourcetype=aaaa earliest=-7d latest=now | fields TA, TM| timechart span=15m max(TM), avg(TA)

2) From this chart when user clicks a point I want to add and subtract some time to use for next chart.

<set token="selected_time">$click.value$</set>

3) Here is the second time chart search
index=xxxx sourcetype=aaaa earliest="$calculated_earliest_time$" latest="$calculated_latest_time$" | fields TA, TM | timechart span=1sec max(TM), avg(TA)

    Example of calculated_earliest_time and calculated_latest_time in the above query
          calculated_earliest_time = selected_time - 30 minutes
          calculated_latest_time = selected_time + 30 minutes.

    Although I can add eval functions to restrict the time frame by using a pipe, I do not want the second search reading events that
    are outside the specified time range.
    I want to use the calculated time fields at the beginning of the second timechart search.
1 Solution

ramdaspr
Contributor

I had this issue too and forced the time via a subsearch which will output a string with earliest and latest into the actual search query

The subsearch would be something like

[search index=myindex |head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM| timechart span=1sec max(TM), avg(TA)

sduddilla
Path Finder

Hello ramdaspr,
It is resolved now. I could use the search above (including the subsearch) in the dashboard.
Thank You for your help.

0 Karma

sduddilla
Path Finder

ramdaspr,
You are correct, your initial search example works. What I did not realize was that there was an issue with the Splunk forwarder and it did not forward the data to Splunk for the period I was looking for. It is now resolved.
Now I am trying to use it in my dashboard XML. When I click on a time point on the graph it still shows "search is waiting for input".
Still researching what the issue is. It could be something to do with the "$" sign used in tokens in the search.

    [ search index=xxxx | head 1 | eval earliest=$selected_time$-300 | eval latest=$selected_time$+300
    | table earliest latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa Monitor
    | fields Throughput_Avg, Throughput_Max | timechart span=1sec max(Throughput_Max), avg(Throughput_Avg)
0 Karma

ramdaspr
Contributor

The subsearch I provided shouldn't be causing that issue; it only outputs a string which is used by the following query. Does your query provide any results when you fire it without the subsearch?

Another query you can try is.

[|gentimes start=-1| eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"]  your query here

You can also try Raghav's approach mentioned @ http://answers.splunk.com/answers/215176/subtracting-30-minutes-from-passed-drilldown-param.html
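Putting the pieces of this thread together, here is an added example of a complete Simple XML dashboard (not code from the original posts): the first chart sets the token on click as in the question, the second row uses thomrs's `depends` attribute so its search never runs with an unset token, and the second search is bounded by the `gentimes`/`format` subsearch from the answer above. The index, sourcetype and field names are the placeholders used in the question, and it assumes that `$click.value$` on a timechart is an epoch value, which is what the arithmetic in the answer relies on.

```xml
<!-- Added example dashboard (Simple XML); not from the original thread. -->
<!-- Assumptions: index=xxxx, sourcetype=aaaa and fields TA, TM are the question's
     placeholders; $click.value$ on the timechart is an epoch timestamp. -->
<dashboard>
  <label>Drilldown into a computed +/- 30 minute window</label>
  <row>
    <panel>
      <title>Overview (15 minute buckets, last 7 days)</title>
      <chart>
        <search>
          <query>index=xxxx sourcetype=aaaa | fields TA, TM | timechart span=15m max(TM), avg(TA)</query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <drilldown>
          <!-- store the clicked bucket's time; the second row depends on it -->
          <set token="selected_time">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <!-- hidden until a point is clicked, so the search below never runs with
       an unset $selected_time$ (the "waiting for input" state) -->
  <row depends="$selected_time$">
    <panel>
      <title>Detail: 30 minutes either side of the selected point</title>
      <chart>
        <search>
          <!-- the subsearch returns the string ( ( earliest="..." latest="..." ) ),
               which becomes a time bound on the outer search, so events outside the
               window are never read; gentimes produces the single row without
               touching the index -->
          <query>[| gentimes start=-1 | eval earliest=$selected_time$-1800, latest=$selected_time$+1800 | table earliest, latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM | timechart span=1sec max(TM), avg(TA)</query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

The `earliest`/`latest` emitted by the subsearch sit inside the search string, and time modifiers in the search string take precedence over the panel's `<earliest>`/`<latest>` elements, which is why the second panel only reads the one-hour window rather than the whole 7 days.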

sduddilla
Path Finder

thomrs and ramdaspr,
Thank you for your response.
ramdaspr's response seems to be closer to the resolution I am looking for.
ramdaspr,
I have tried your suggestion and it does not return any data. If I remove sourcetype from the query it returns data within the desired time frame (-30 minutes to +30 minutes), which is not the data I am looking for since this index has multiple sourcetypes. I tried both ways below with sourcetype and did not get any data. Is there some other way the search needs to be rewritten to produce the desired result?

a) [search index=xxxx | head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa
b) [search index=xxxx | head 1 | eval earliest=$tok_1$ -1800 | eval latest=$tok_2$+1800 | table earliest,latest,sourcetype | format "(" "(" "" ")" "OR" ")"] index=xxxx

0 Karma

peter_holmes_an
Path Finder

I'm adding this in case anyone else finds this as I did. If you want to use this to modify the time range of a chart in a dashboard with a shared time picker, then you have to deal with the fact that $time.latest$ will spit out "now" if the latest time is now, or an epoch time if it's not. To get round this you can add something like this:

eval earliest=if("$time.latest$" == "now","-2m",$time.latest$-120)

In my case I wanted to limit this particular chart to the latest 2 minutes of the selected time range.

0 Karma
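For the shared-time-picker variant described in the post above, here is an added example (not code from the original thread) of a form whose chart is bounded to the last two minutes of whatever range the picker holds. It assumes a time input bound to the token `time` and the same placeholder index, sourcetype and fields as the question; the `if()` is the "now" guard from the post, since `$time.latest$` is the literal string `now` when the picker ends at now and an epoch otherwise.

```xml
<!-- Added example (Simple XML); not from the original thread. Assumes a time picker
     bound to the token "time" and the question's placeholder index/sourcetype/fields. -->
<form>
  <label>Last 2 minutes of the selected range</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- $time.latest$ is "now" or an epoch; arithmetic only applies to the
               epoch case, otherwise the relative modifier -2m is emitted instead -->
          <query>[| gentimes start=-1 | eval earliest=if("$time.latest$" == "now", "-2m", $time.latest$-120), latest="$time.latest$" | table earliest, latest | format "(" "(" "" ")" "OR" ")"] index=xxxx sourcetype=aaaa | fields TA, TM | timechart span=1sec max(TM), avg(TA)</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

When the picker ends at now the subsearch yields `( ( earliest="-2m" latest="now" ) )`; when it ends at a fixed time it yields the two epoch values, and either form is a valid time bound for the outer search.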

thomrs
Communicator

Tokens may work for you. You can pass the timeframe the user clicks and perform your search. You can add:

 <row depends="$token$">

To prevent the row from showing until the token is present, i.e. user clicks.

While this will not do the add/subtract of time, it gets you close. I have a similar situation where I want to expand the time defined by the token; the only way I see to do that is with a little JS. This is on my todo list to finalize a current project.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/tokens
