Here, _time_number is used for time in number and time_number is for time in readable format.

Hope at least one option works out for can use different columns for both purposes.

| eval time_number=strftime(time_number,"%Y/%m/%d try out and confirm.

| eval hiddenTimeEpochForDrilldown=time_number | eval time_number=strftime(time_number,"%Y/%m/%d

4 - hidden field through table SimpleXML configuration option

Clicked row Time Epoch: $tokTimeNumberOption4$

| eval _hiddenTimeEpochForDrilldown=time_number

Option 3 - keep epoch time field hidden by prefixing fieldname with underscore and use for drilldown

Clicked row Time Epoch: $tokTimeNumberOption3$

| eval time_number=strftime(time_number,"%Y/%m/%d %H:%M:%S") | table _time

2 - drilldown eval to set token as epoch

Clicked row Time Epoch: $tokTimeNumberOption2$

| eval data=random(), data=substr(data,0,3), delta=300

Option 1 - if _time is the first field in table then use click.value table drilldown token to access epoch time

Clicked row Time Epoch: $tokTimeNumberOption1$

(Kamlesh also has posted same example.)

Following is a run anywhere dashboard with examples of all four approaches:

If out of 3 fields in the table only 2 are listed in the fields section then, third field is still available for drilldown but not displayed in the table.

Option 4: hidden field through Simple XML configuration option.

In the example it is _hiddenTimeEpochForDrilldown. Make the epoch timestamp field hidden by prefixing the field name with underscore character.

Option 3: Create a separate field for epoch timestamp apart from string time stamp field for displaying in the table.

Option 2: the table event handler can have section to convert string time in the table and set token as epoch time.

For more information about working with dates and time, see. Additionally, you can use the relativetime() and now() time functions as arguments. You can also use these variables to describe timestamps in event data.
Option 1: if _time is the first field in table then use $click.value$ table drilldown token to access epoch time.

This topic lists the variables that you can use to define time formats in the evaluation functions, strftime() and strptime().

If you would notice all four tables in the screenshot below show time as string time in the table however, the drilldown token in the table title is epoch.

| makeresults | eval

if your intent is to display human readable string time in the table however, drilldown using the epoch time, then there are four options you can use including the one suggested by which is available as an example in the Splunk Dashboard Examples app on Splunkbase.

| eval _time_number=strptime(time_number,"%Y%m%d %H:%M:%S") 2 | rename comment as "Upto this is for data generation only" | makeresults count=3 | eval Data=1 | accum Data | eval time_number=strftime(_time+Data,"%Y%m%d %H:%M:%S")

Can use different columns for both purposes.