Hi,
I have a bar chart powered by a query that uses an eval case pattern to group events into apps. e.g.,
index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
| eval AppName = case(
(SourceName="Foo" AND Message="*Bar*"), "app1",
(SourceName="Foo"), "app2",
(source="Mtn" AND 'Properties.Service'="Barf"), "app3",
(SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*")), "app4"
)
| stats count as ErrorCount by AppName
What I'd like to do is have each bar, when clicked, open a new window that shows the events corresponding to the app. e.g., for the above example, the queries would be:
index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Foo" AND Message="*Bar*")
index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Foo")
index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(source="Mtn" AND 'Properties.Service'="Barf")
index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*"))
The problem I am having is how to make the drilldown xml node function thusly. I thought I could use conditional tokens, but when condition nodes are in the drilldown node, I get an error saying "link cannot be condition", even though the link node is the last sibling of all the condition nodes.
Please help!
Thanks,
Orion
<form version="1.1" theme="dark">
<label>Error Overview</label>
<description>These charts only show apps having errors in the selected time frame</description>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Across Time</title>
<chart>
<search>
<query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="height">500</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<condition match="$click.value$="Mailer"">
<set token="app_query">(SourceName="KmsService" AND Message="*Mailer(*")</set>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&earliest=$start_time$&latest=$end_time$</link>
</condition>
<condition match="$click.value$="SPackager"">
<set token="app_query">(SourceName="KmsService" AND Message="*SPackager(*")</set>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&earliest=$start_time$&latest=$end_time$</link>
</condition>
<condition match="$click.value$="Hancock"">
<set token="app_query">(SourceName="KmsService" AND Message="*Hancock(Ver:*")</set>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&earliest=$start_time$&latest=$end_time$</link>
</condition>
</drilldown>
</chart>
</panel>
</row>
</form>
Rather than using condition in the drilldown, try using eval to set app_query using a case function with a case for each app name.
<drilldown>
<eval token="app_query">case($click.value$=="Mailer","(SourceName="KmsService" AND ...
excellent! I'll try that. any idea why clicking on a line in a line chart won't open in a new window?
It should do - which version of Splunk are you using?
9.0.5.1
apparently, it had something to do w/ what I was originally trying. target blank is working now, but the token isn't.
<form version="1.1" theme="dark">
<label>Error Overview</label>
<description>These charts only show apps having errors in the selected time frame</description>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Across Time</title>
<chart>
<search>
<query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="height">500</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<eval token="app_query">
case(
$click.value$=="Mailer", "(SourceName="KmsService" AND Message="*Mailer(*")",
$click.value$=="SPackager", "(SourceName="KmsService" AND Message="*SPackager(*")",
$click.value$=="Hancock", "(SourceName="KmsService" AND Message="*Hancock(Ver:*")",
$click.value$=="GVMSAuth", "(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*")",
$click.value$=="Cloud_SecurePnC", "(source="Cloud.SecurePnC")",
$click.value$=="SecurePackageDelivery", "(source="ivssspd")",
$click.value$=="AppPool_Restarts", "(sourcetype="WinEventLog:System" AND EventCode=5074)",
$click.value$=="Cloud_SecureConnect", "(source="ivsscs" AND Properties.Service="SecureConnect")",
$click.value$=="Cloud_SecureMessage", "(source="ivsscs" AND Properties.Service="SecureMessage")",
$click.value$=="Cloud_FPackager", "(source="ivsscs" AND Properties.Service="FPackager")",
$click.value$=="SecureMessage", "(SourceName="IVSSCS" AND "*Service = SecureMessage*")",
$click.value$=="SecureConnect", "(SourceName="IVSSCS" AND "*Service = SecureConnect*")",
$click.value$=="KmsService", "(SourceName="KmsService")",
$click.value$=="AutoSigner", "(SourceName="AutoSigner")",
$click.value$=="DebugToken", "(SourceName="DebugToken")",
$click.value$=="FlashbackCache", "(SourceName="FlashbackCache")",
$click.value$=="KeyBundler", "(SourceName="KeyBundler")",
$click.value$=="SecureModuleCore", "(SourceName="SecureModuleCore")",
$click.value$=="SecureOTACore", "(SourceName="SecureOTACore")",
$click.value$=="SecurePaaK", "(SourceName="SecurePaaK")",
$click.value$=="SecurePayloadCore", "(SourceName="SecurePayloadCore")",
$click.value$=="SecurePnCCore", "(SourceName="SecurePnCCore")",
$click.value$=="SecureRekey", "(SourceName="SecureRekey")",
$click.value$=="SecureSigner", "(SourceName="SecureSigner")",
$click.value$=="SupplierFeed", "(SourceName="SupplierFeed")",
$click.value$=="TRON", "(SourceName="TRON")",
$click.value$=="WSLAgent5", "(SourceName="WSLAgent5")",
$click.value$=="MMU", "(SourceName="MMU")"
)
</eval>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&earliest=$start_time$&latest=$end_time$</link>
</drilldown>
</chart>
</panel>
</row>
</form>
that xml ends up w/ the token not getting turned into the token's value in the search window - it remains "$app_query$", like this:
(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
$app_query$
Please share your dashboard code in a code block to preserve original formatting.
<form version="1.1" theme="dark">
<label>Error Overview</label>
<description>These charts only show apps having errors in the selected time frame</description>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Across Time</title>
<chart>
<search>
<query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="height">500</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<eval token="app_query">
case(
$click.value$=="Mailer", "(SourceName="KmsService" AND Message="*Mailer(*")",
$click.value$=="SPackager", "(SourceName="KmsService" AND Message="*SPackager(*")",
$click.value$=="Hancock", "(SourceName="KmsService" AND Message="*Hancock(Ver:*")",
$click.value$=="GVMSAuth", "(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*")",
$click.value$=="Cloud_SecurePnC", "(source="Cloud.SecurePnC")",
$click.value$=="SecurePackageDelivery", "(source="ivssspd")",
$click.value$=="AppPool_Restarts", "(sourcetype="WinEventLog:System" AND EventCode=5074)",
$click.value$=="Cloud_SecureConnect", "(source="ivsscs" AND Properties.Service="SecureConnect")",
$click.value$=="Cloud_SecureMessage", "(source="ivsscs" AND Properties.Service="SecureMessage")",
$click.value$=="Cloud_FPackager", "(source="ivsscs" AND Properties.Service="FPackager")",
$click.value$=="SecureMessage", "(SourceName="IVSSCS" AND "*Service = SecureMessage*")",
$click.value$=="SecureConnect", "(SourceName="IVSSCS" AND "*Service = SecureConnect*")",
$click.value$=="KmsService", "(SourceName="KmsService")",
$click.value$=="AutoSigner", "(SourceName="AutoSigner")",
$click.value$=="DebugToken", "(SourceName="DebugToken")",
$click.value$=="FlashbackCache", "(SourceName="FlashbackCache")",
$click.value$=="KeyBundler", "(SourceName="KeyBundler")",
$click.value$=="SecureModuleCore", "(SourceName="SecureModuleCore")",
$click.value$=="SecureOTACore", "(SourceName="SecureOTACore")",
$click.value$=="SecurePaaK", "(SourceName="SecurePaaK")",
$click.value$=="SecurePayloadCore", "(SourceName="SecurePayloadCore")",
$click.value$=="SecurePnCCore", "(SourceName="SecurePnCCore")",
$click.value$=="SecureRekey", "(SourceName="SecureRekey")",
$click.value$=="SecureSigner", "(SourceName="SecureSigner")",
$click.value$=="SupplierFeed", "(SourceName="SupplierFeed")",
$click.value$=="TRON", "(SourceName="TRON")",
$click.value$=="WSLAgent5", "(SourceName="WSLAgent5")",
$click.value$=="MMU", "(SourceName="MMU")"
)
</eval>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&earliest=$start_time$&latest=$end_time$</link>
</drilldown>
</chart>
</panel>
</row>
</form>
The case function in the token evaluation has to be all on one line.
no luck - still getting $app_query$ as a string in the query as before. here's the updated dashboard xml:
<form version="1.1" theme="dark">
<label>Error Overview</label>
<description>These charts only show apps having errors in the selected time frame</description>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Across Time</title>
<chart>
<search>
<query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="height">500</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<eval token="app_query">case($click.value$=="Mailer", "(SourceName="KmsService" AND Message="*Mailer(*")",$click.value$=="SPackager", "(SourceName="KmsService" AND Message="*SPackager(*")",$click.value$=="Hancock", "(SourceName="KmsService" AND Message="*Hancock(Ver:*")",$click.value$=="GVMSAuth", "(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*")",$click.value$=="Cloud_SecurePnC", "(source="Cloud.SecurePnC")",$click.value$=="SecurePackageDelivery", "(source="ivssspd")",$click.value$=="AppPool_Restarts", "(sourcetype="WinEventLog:System" AND EventCode=5074)",$click.value$=="Cloud_SecureConnect", "(source="ivsscs" AND Properties.Service="SecureConnect")",$click.value$=="Cloud_SecureMessage", "(source="ivsscs" AND Properties.Service="SecureMessage")",$click.value$=="Cloud_FPackager", "(source="ivsscs" AND Properties.Service="FPackager")",$click.value$=="SecureMessage", "(SourceName="IVSSCS" AND "*Service = SecureMessage*")",$click.value$=="SecureConnect", "(SourceName="IVSSCS" AND "*Service = SecureConnect*")",$click.value$=="KmsService", "(SourceName="KmsService")",$click.value$=="AutoSigner", "(SourceName="AutoSigner")",$click.value$=="DebugToken", "(SourceName="DebugToken")",$click.value$=="FlashbackCache", "(SourceName="FlashbackCache")",$click.value$=="KeyBundler", "(SourceName="KeyBundler")",$click.value$=="SecureModuleCore", "(SourceName="SecureModuleCore")",$click.value$=="SecureOTACore", "(SourceName="SecureOTACore")",$click.value$=="SecurePaaK", "(SourceName="SecurePaaK")",$click.value$=="SecurePayloadCore", "(SourceName="SecurePayloadCore")",$click.value$=="SecurePnCCore", "(SourceName="SecurePnCCore")",$click.value$=="SecureRekey", "(SourceName="SecureRekey")",$click.value$=="SecureSigner", "(SourceName="SecureSigner")",$click.value$=="SupplierFeed", "(SourceName="SupplierFeed")",$click.value$=="TRON", "(SourceName="TRON")",$click.value$=="WSLAgent5", "(SourceName="WSLAgent5")",$click.value$=="MMU", "(SourceName="MMU")")</eval>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&earliest=$start_time$&latest=$end_time$</link>
</drilldown>
</chart>
</panel>
</row>
</form>
Try using $app_query|u$ in the link to URL encode the token value
it's still happening - just not with $app_query|u$ showing as a string in the query. see the xml & screenshot below:
<form version="1.1" theme="dark">
<label>Error Overview</label>
<description>These charts only show apps having errors in the selected time frame</description>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Across Time</title>
<chart>
<search>
<query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="height">500</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<eval token="app_query">case($click.value$=="Mailer", "(SourceName="KmsService" AND Message="*Mailer(*")",$click.value$=="SPackager", "(SourceName="KmsService" AND Message="*SPackager(*")",$click.value$=="Hancock", "(SourceName="KmsService" AND Message="*Hancock(Ver:*")",$click.value$=="GVMSAuth", "(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*")",$click.value$=="Cloud_SecurePnC", "(source="Cloud.SecurePnC")",$click.value$=="SecurePackageDelivery", "(source="ivssspd")",$click.value$=="AppPool_Restarts", "(sourcetype="WinEventLog:System" AND EventCode=5074)",$click.value$=="Cloud_SecureConnect", "(source="ivsscs" AND Properties.Service="SecureConnect")",$click.value$=="Cloud_SecureMessage", "(source="ivsscs" AND Properties.Service="SecureMessage")",$click.value$=="Cloud_FPackager", "(source="ivsscs" AND Properties.Service="FPackager")",$click.value$=="SecureMessage", "(SourceName="IVSSCS" AND "*Service = SecureMessage*")",$click.value$=="SecureConnect", "(SourceName="IVSSCS" AND "*Service = SecureConnect*")",$click.value$=="KmsService", "(SourceName="KmsService")",$click.value$=="AutoSigner", "(SourceName="AutoSigner")",$click.value$=="DebugToken", "(SourceName="DebugToken")",$click.value$=="FlashbackCache", "(SourceName="FlashbackCache")",$click.value$=="KeyBundler", "(SourceName="KeyBundler")",$click.value$=="SecureModuleCore", "(SourceName="SecureModuleCore")",$click.value$=="SecureOTACore", "(SourceName="SecureOTACore")",$click.value$=="SecurePaaK", "(SourceName="SecurePaaK")",$click.value$=="SecurePayloadCore", "(SourceName="SecurePayloadCore")",$click.value$=="SecurePnCCore", "(SourceName="SecurePnCCore")",$click.value$=="SecureRekey", "(SourceName="SecureRekey")",$click.value$=="SecureSigner", "(SourceName="SecureSigner")",$click.value$=="SupplierFeed", "(SourceName="SupplierFeed")",$click.value$=="TRON", "(SourceName="TRON")",$click.value$=="WSLAgent5", "(SourceName="WSLAgent5")",$click.value$=="MMU", "(SourceName="MMU")")</eval>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query|u$&earliest=$start_time$&latest=$end_time$</link>
</drilldown>
</chart>
</panel>
</row>
</form>
Rather than $click.value$, try $click.name2$
just tried, same result
<form version="1.1" theme="dark">
<label>Error Overview</label>
<description>These charts only show apps having errors in the selected time frame</description>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Across Time</title>
<chart>
<search>
<query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="height">500</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<eval token="app_query">case($click.name2$=="Mailer", "(SourceName="KmsService" AND Message="*Mailer(*")",$click.name2$=="SPackager", "(SourceName="KmsService" AND Message="*SPackager(*")",$click.name2$=="Hancock", "(SourceName="KmsService" AND Message="*Hancock(Ver:*")",$click.name2$=="GVMSAuth", "(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*")",$click.name2$=="Cloud_SecurePnC", "(source="Cloud.SecurePnC")",$click.name2$=="SecurePackageDelivery", "(source="ivssspd")",$click.name2$=="AppPool_Restarts", "(sourcetype="WinEventLog:System" AND EventCode=5074)",$click.name2$=="Cloud_SecureConnect", "(source="ivsscs" AND Properties.Service="SecureConnect")",$click.name2$=="Cloud_SecureMessage", "(source="ivsscs" AND Properties.Service="SecureMessage")",$click.name2$=="Cloud_FPackager", "(source="ivsscs" AND Properties.Service="FPackager")",$click.name2$=="SecureMessage", "(SourceName="IVSSCS" AND "*Service = SecureMessage*")",$click.name2$=="SecureConnect", "(SourceName="IVSSCS" AND "*Service = SecureConnect*")",$click.name2$=="KmsService", "(SourceName="KmsService")",$click.name2$=="AutoSigner", "(SourceName="AutoSigner")",$click.name2$=="DebugToken", "(SourceName="DebugToken")",$click.name2$=="FlashbackCache", "(SourceName="FlashbackCache")",$click.name2$=="KeyBundler", "(SourceName="KeyBundler")",$click.name2$=="SecureModuleCore", "(SourceName="SecureModuleCore")",$click.name2$=="SecureOTACore", "(SourceName="SecureOTACore")",$click.name2$=="SecurePaaK", "(SourceName="SecurePaaK")",$click.name2$=="SecurePayloadCore", "(SourceName="SecurePayloadCore")",$click.name2$=="SecurePnCCore", "(SourceName="SecurePnCCore")",$click.name2$=="SecureRekey", "(SourceName="SecureRekey")",$click.name2$=="SecureSigner", "(SourceName="SecureSigner")",$click.name2$=="SupplierFeed", "(SourceName="SupplierFeed")",$click.name2$=="TRON", "(SourceName="TRON")",$click.name2$=="WSLAgent5", "(SourceName="WSLAgent5")",$click.name2$=="MMU", "(SourceName="MMU")")</eval>
<eval token="start_time">if(isnull($row._time$),$field1.earliest$,$row._time$)</eval>
<eval token="end_time">if(isnull($row._time$),$field1.latest$,($row._time$ + $row._span$))</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query|u$&earliest=$start_time$&latest=$end_time$</link>
</drilldown>
</chart>
</panel>
</row>
</form>
Try something like this
<drilldown>
<eval token="start_time">if(isnull($row._time$),$field1.earliest$,$row._time$)</eval>
<eval token="end_time">if(isnull($row._time$),$field1.latest$,($row._time$ + $row._span$))</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0D%0ANOT%20%22*ivss-test*%22%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0D%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0D%0ANOT%20(SourceName%3DLogging)%0D%0ANOT%20(SourceName%3DADFSAuth)%0D%0ANOT%20(SourceName%3DSchannel)%0D%0ANOT%20%22*PackageExtractor.exe*%22%0D%0ANOT%20%22*w3wp.exe*%22%0D%0ANOT%20%22*openssl.exe*%22%0D%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0D%0A%7C%20eval%20AppName%20%3D%20case(%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*Mailer(*%22)%2C%20%22Mailer%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*SPackager(*%22)%2C%20%22SPackager%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*Hancock(Ver%3A*%22)%2C%20%22Hancock%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*GVMSAuth(Ver%3A*%22)%2C%20%22GVMSAuth%22%2C%20%0D%0A(source%3D%22Cloud.SecurePnC%22)%2C%20%22Cloud_SecurePnC%22%2C%0D%0A(source%3D%22ivssspd%22)%2C%20%22SecurePackageDelivery%22%2C%0D%0A(sourcetype%3D%22WinEventLog%3ASystem%22%20AND%20EventCode%3D5074)%2C%20%22AppPool_Restarts%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22SecureConnect%22)%2C%20%22Cloud_SecureConnect%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22SecureMessage%22)%2C%20%22Cloud_SecureMessage%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22FPackager%22)%2C%20%22Cloud_FPackager%22%2C%0D%0A(SourceName%3D%22IVSSCS%22%20AND%20match(_raw%2C%20%22.*Service%20%3D%20SecureMessage.*%22))%2C%20%22SecureMessage%22%2C%0D%0A(SourceName%3D%22IVSSCS%22%20AND%20match(_raw%2C%20%22.*Service%20%3D%20SecureConnect.*%22))%2C%20%22SecureConnect%22%2C%0D%0A(SourceName%3D%22KmsService%22)%2C%20%22KmsService%22%2C%0D%0A(SourceName%3D%22AutoSigner%22
)%2C%20%22AutoSigner%22%2C%0D%0A(SourceName%3D%22DebugToken%22)%2C%20%22DebugToken%22%2C%0D%0A(SourceName%3D%22FlashbackCache%22)%2C%20%22FlashbackCache%22%2C%0D%0A(SourceName%3D%22KeyBundler%22)%2C%20%22KeyBundler%22%2C%0D%0A(SourceName%3D%22SecureModuleCore%22)%2C%20%22SecureModuleCore%22%2C%0D%0A(SourceName%3D%22SecureOTACore%22)%2C%20%22SecureOTACore%22%2C%0D%0A(SourceName%3D%22SecurePaaK%22)%2C%20%22SecurePaaK%22%2C%0D%0A(SourceName%3D%22SecurePayloadCore%22)%2C%20%22SecurePayloadCore%22%2C%0D%0A(SourceName%3D%22SecurePnCCore%22)%2C%20%22SecurePnCCore%22%2C%0D%0A(SourceName%3D%22SecureRekey%22)%2C%20%22SecureRekey%22%2C%0D%0A(SourceName%3D%22SecureSigner%22)%2C%20%22SecureSigner%22%2C%0D%0A(SourceName%3D%22SupplierFeed%22)%2C%20%22SupplierFeed%22%2C%0D%0A(SourceName%3D%22TRON%22)%2C%20%22TRON%22%2C%0D%0A(SourceName%3D%22WSLAgent5%22)%2C%20%22WSLAgent5%22%2C%0D%0A(SourceName%3D%22MMU%22)%2C%20%22MMU%22%2C%0D%0A1%3D%3D1%2C%20%22Other%22)%0D%0A%7C%20where%20AppName%3D"$click.name2$"&earliest=$start_time$&latest=$end_time$</link>
</drilldown>
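The reply above keeps the whole case() mapping inside the percent-encoded link and filters on the clicked series. As an added example (not part of the original post), this Python script generates such a link from readable SPL, leaving $click.name2$ unencoded so the dashboard can substitute it. BASE and RULES are a shortened, constructed sample of the thread's search, and the function names are hypothetical.

```python
from urllib.parse import quote, unquote
from xml.sax.saxutils import escape

# Constructed sample: a shortened copy of the thread's base search and case() rules.
BASE = ['(index=ivss OR index=hec_18399_na_prod)',
        'NOT "*ivss-test*"',
        '(Type="Error" OR Level="Error")']
RULES = [('source="ivssspd"', "SecurePackageDelivery"),
         ('source="ivsscs" AND \'Properties.Service\'="SecureConnect"', "Cloud_SecureConnect"),
         ('SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")', "SecureConnect"),
         ('SourceName="KmsService"', "KmsService")]
TOKEN = "$click.name2$"  # series name of the clicked line, as used in the reply above


def build_spl(base=BASE, rules=RULES, token=TOKEN):
    """Chart search minus the timechart, plus a filter on the clicked AppName."""
    branches = ",\n".join(f'({cond}), "{name}"' for cond, name in rules)
    return ("\n".join(base)
            + f'\n| eval AppName = case(\n{branches},\n1==1, "Other")'
            + f'\n| where AppName="{token}"')


def build_link(spl, token=TOKEN):
    """Percent-encode the SPL but leave the token raw so the dashboard can substitute it."""
    encoded = token.join(quote(part, safe="") for part in spl.split(token))
    return f"search?q={encoded}&earliest=$start_time$&latest=$end_time$"


def link_element(link):
    """Wrap the link for Simple XML; '&' must be written as '&amp;' in the XML source."""
    return f'<link target="_blank">{escape(link)}</link>'


def resolve(link, clicked):
    """Simulate a click on a plain series name: substitute the token, decode q."""
    query = link.split("search?q=", 1)[1].split("&earliest=", 1)[0]
    return unquote(query.replace(TOKEN, clicked))


if __name__ == "__main__":
    link = build_link(build_spl())
    print(link_element(link))
    print(resolve(link, "SecureConnect"))
```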
The difficulty is that click.name2 is the group by in the query, which is dynamically determined by the eval in the query (the AppName). That AppName is for making the chart human readable, but the drilldown needs to "convert" the AppName back into the search terms used for the clicked-on AppName. E.g., the app named GVMSAuth is really the search terms (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), as far as seeing the event logs.
Does that make sense?
I tried removing all my custom XML and using the drilldown UI to generate the evals. Then I went to the XML to add the link back in. Interestingly, the value for the token app_query is getting passed to the new search window, but it is URL-escaped, so the query returns no results.
Great - I removed the "|u" from the token in the link, in case that might not escape the double quotes, but the search window went back to just showing the token name, not the value. I put the "|u" back, but the search window now persists in showing the token name, not the value. It's almost like the Splunk XML parser is behaving inconsistently.
This is a portion of my dashboard XML, due to the 20k character limit.
Apparently, the line chart drilldown also isn't opening in a new window/tab, in spite of target="_blank".
Please share your dashboard code