Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I perform math calculations within my XML ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonx10000
New Member
11-19-2018
02:49 PM
I would like to use a drilldown token created from clicking a bar on a timechart and add 1800 to the value and use it in the "latest" tag in the new chart that generates. Here's what I currently have:
<form>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query></query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">$click.$value$</option>
<drilldown>
<condition>
<set token="accountNumber">$click.value$</set>
<set token="myAccount">$click.value$</set>
</condition>
</drilldown>
</table>
</panel>
</row>
<row>
<panel depends="$myAccount$">
<title>$myAccount$</title>
<chart>
<search>
<query>accountId=$accountNumber$ | timechart count()</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.drilldown">all</option>
<drilldown>
<condition>
<set token="timeSpan">$click.value$</set>
**<eval token="timeSpan2">'click.value$ + 500</eval>**
</condition>
</drilldown>
</chart>
</panel>
<panel depends="$timeSpan$">
<chart>
<search>
<query>accountId=$accountNumber$ | timechart count()</query>
<earliest>$timespan$</earliest>
<latest>**$timeSpan2$**</latest>
</search>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
</form>
I cleared out most of the fluff to make it a bit easier to read through. The $timeSpan$ token works perfectly fine but how do I add 1800 to $timeSpan$ and set that to token $timeSpan2$?
Thank you,
Jonathan
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
11-20-2018
08:35 AM
@jonx10000 ,
Try
<form>
<label>Time Additions</label>
<fieldset submitButton="false">
<input type="time" token="TimeInputToken">
<label>Time</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=_*|timechart count by sourcetype</query>
<earliest>$TimeInputToken.earliest$</earliest>
<latest>$TimeInputToken.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<drilldown>
<set token="Clicked_Earliest">$earliest$</set>
<set token="Clicked_Latest">$latest$</set>
<eval token="Added">$latest$+500</eval>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<h1>
Earliest : $Clicked_Earliest$ Latest : $Clicked_Latest$ Added : $Added$
</h1>
</html>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>index=_*|stats earliest(_time) as Earliest,latest(_time) as Latest</query>
<earliest>$Clicked_Earliest$</earliest>
<latest>$Added$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
11-20-2018
08:35 AM
@jonx10000 ,
Try
<form>
<label>Time Additions</label>
<fieldset submitButton="false">
<input type="time" token="TimeInputToken">
<label>Time</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=_*|timechart count by sourcetype</query>
<earliest>$TimeInputToken.earliest$</earliest>
<latest>$TimeInputToken.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<drilldown>
<set token="Clicked_Earliest">$earliest$</set>
<set token="Clicked_Latest">$latest$</set>
<eval token="Added">$latest$+500</eval>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<h1>
Earliest : $Clicked_Earliest$ Latest : $Clicked_Latest$ Added : $Added$
</h1>
</html>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>index=_*|stats earliest(_time) as Earliest,latest(_time) as Latest</query>
<earliest>$Clicked_Earliest$</earliest>
<latest>$Added$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonx10000
New Member
11-20-2018
02:14 PM
I actually have one more question is it possible to do math operations within an eval if statement?
<eval token="timeLatestToken">if('TimeInputToken.latest'-'TimeInputToken.earliest'>86000, 'timeEarliestToken'+86400, 'timeEarliestToken'+1800)</eval>
Is it possible to perform an operation like this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonx10000
New Member
11-20-2018
09:44 AM
Beautiful thank you. I did attempt to add within the eval tag before but I did not realize the spaces were effecting it.
Get Updates on the Splunk Community!
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
The Defining Technology Movement of Our Lifetime
The advent of agentic AI is arguably the defining technology ...
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...
Your summer travels continue with new course releases
Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
