I have a main dashboard which passes the date of the row which is clicked to a drilldown. The drilldown is supposed to display results for the date specified by the main dashboard.
From the main dashboard I am passing the Date in the format "%m/%d/%Y" (Eg. 04/25/2018) to the drilldown as follows,
In the drilldown I am trying to use this date as the earliest time as follows,
.............
<search>
<query>sourcetype=*** index=abc earliest=$row_time$ searchtimespandays=1|
.....
</query>
</search>
But the above drilldown complains that the date specified is invalid for 'earliest'.
When I hardcode the value of earliest to "earliest=04/25/2018:0:0:0", the drilldown works fine.
So I think I need to form a time with the format "%m/%d/%Y:%H:%M:%S" before assigning it to 'earliest'.
So could you please help me out on how to append "0:0:0' to the date that is passed to the drilldown. Expecting the following,
earliest = '$row_time$' + '0:0:0'
Thanks in advance,
Swaroop
Try this
<query>sourcetype=*** index=abc earliest="$row_time$:00:00:00" searchtimespandays=1|..rest of the search
Try using $row._time$
instead.
Thank you very much for the quick response.. Appreciate it !!
I forgot to add that I wanted my search to run specifically from 12AM, as I wanted to display the drilldown data for one complete day.
For best results, you need to pass that value in epoch time, not in human format.
That can be done fairly simply by returning the epoch value in a hidden column and using that as the drill down value instead.
See the second answer in this post - https://answers.splunk.com/answers/26825/drilldown-from-a-hidden-column.html for the way to do that, with a method available since Splunk 6.0+.
Thank you very much for the pointer. I am quiet not sure on the version of splunk that I am using, as it is a customized enterprise version.
The knowledge would sure help going forward.
Try this
<query>sourcetype=*** index=abc earliest="$row_time$:00:00:00" searchtimespandays=1|..rest of the search
Thank you very much.. This worked for me!!