
Bar Chart Drilldown To Dynamically Generate Event Query

OrionCulver

Hi,
I have a bar chart powered by a query that uses an eval case() pattern to group events into apps, e.g.,

index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
| eval AppName = case(
(SourceName="Foo" AND Message="*Bar*"), "app1",
(SourceName="Foo"), "app2",
(source="Mtn" AND 'Properties.Service'="Barf"), "app3",
(SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*")), "app4"
)
| stats count as ErrorCount by AppName

What I'd like to do is have each bar, when clicked, open a new window that shows the events corresponding to the app. E.g., for the above example, the queries would be:

index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Foo" AND Message="*Bar*")


index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Foo")


index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(source="Mtn" AND 'Properties.Service'="Barf")


index=blah
NOT "*test*"
NOT "*exe*"
Level=Error
(SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*"))

The problem I am having is how to make the drilldown XML node function thusly. I thought I could use conditional tokens, but when condition nodes are in the drilldown node, I get an error saying "link cannot be condition", even though the link node is the last sibling of all the condition nodes.

Please help!

Thanks,

Orion


OrionCulver

<form version="1.1" theme="dark">
<label>Error Overview</label>
<description>These charts only show apps having errors in the selected time frame</description>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Across Time</title>
<chart>
<search>
<query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="height">500</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<condition match="$click.value$=&quot;Mailer&quot;">
<set token="app_query">(SourceName="KmsService" AND Message="*Mailer(*")</set>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&amp;earliest=$start_time$&amp;latest=$end_time$</link>
</condition>
<condition match="$click.value$=&quot;SPackager&quot;">
<set token="app_query">(SourceName="KmsService" AND Message="*SPackager(*")</set>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&amp;earliest=$start_time$&amp;latest=$end_time$</link>
</condition>
<condition match="$click.value$=&quot;Hancock&quot;">
<set token="app_query">(SourceName="KmsService" AND Message="*Hancock(Ver:*")</set>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&amp;earliest=$start_time$&amp;latest=$end_time$</link>
</condition>
</drilldown>
</chart>
</panel>
</row>
</form>

ITWhisperer

Rather than using condition in the drilldown, try using eval to set app_query using a case function with a case for each app name.

<drilldown>
  <eval token="app_query">case($click.value$=="Mailer","(SourceName=&quot;KmsService&quot; AND ...

 

OrionCulver

Excellent! I'll try that. Any idea why clicking on a line in a line chart won't open in a new window?

 

ITWhisperer

It should do - which version of Splunk are you using?

OrionCulver

9.0.5.1

Apparently, it had something to do with what I was originally trying. Target blank is working now, but the token isn't.

<form version="1.1" theme="dark">
<label>Error Overview</label>
<description>These charts only show apps having errors in the selected time frame</description>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Across Time</title>
<chart>
<search>
<query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="height">500</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<eval token="app_query">
case(
$click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",
$click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",
$click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",
$click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",
$click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",
$click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",
$click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",
$click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",
$click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",
$click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",
$click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",
$click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",
$click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",
$click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",
$click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",
$click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",
$click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",
$click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",
$click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",
$click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",
$click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",
$click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",
$click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",
$click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",
$click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",
$click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",
$click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",
$click.value$=="MMU", "(SourceName=&quot;MMU&quot;)"
)
</eval>
<eval token="start_time">$row._time$</eval>
<eval token="end_time">$row._time$ + $row._span$</eval>
<link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link>
</drilldown>
</chart>
</panel>
</row>
</form>

That XML ends up with the token not getting turned into the token's value in the search window; it remains "$app_query$", like this:

(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
$app_query$

ITWhisperer

Please share your dashboard code in a code block to preserve original formatting.

OrionCulver

<form version="1.1" theme="dark">
  <label>Error Overview</label>
  <description>These charts only show apps having errors in the selected time frame</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Across Time</title>
      <chart>
        <search>
          <query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", 
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", 
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", 
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", 
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <eval token="app_query">
            case(
              $click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",
              $click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",
              $click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",
              $click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",
              $click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",
              $click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",
              $click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",
              $click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",
              $click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",
              $click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",
              $click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",
              $click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",
              $click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",
              $click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",
              $click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",
              $click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",
              $click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",
              $click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",
              $click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",
              $click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",
              $click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",
              $click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",
              $click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",
              $click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",
              $click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",
              $click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",
              $click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",
              $click.value$=="MMU", "(SourceName=&quot;MMU&quot;)"
            ) 
          </eval>
          <eval token="start_time">$row._time$</eval>
          <eval token="end_time">$row._time$ + $row._span$</eval>
          <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>

 

[screenshot attachment: Annotation 2023-11-14 094119.png]

 

ITWhisperer

The case function in the token evaluation has to be all on one line.

OrionCulver

No luck; still getting $app_query$ as a string in the query as before. Here's the updated dashboard XML:

<form version="1.1" theme="dark">
  <label>Error Overview</label>
  <description>These charts only show apps having errors in the selected time frame</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Across Time</title>
      <chart>
        <search>
          <query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", 
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", 
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", 
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", 
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <eval token="app_query">case($click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",$click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",$click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",$click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",$click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",$click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",$click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",$click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",$click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",$click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",$click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",$click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",$click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",$click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",$click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",$click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",$click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",$click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",$click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",$click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",$click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",$click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",$click.value$=="SecureRekey", 
"(SourceName=&quot;SecureRekey&quot;)",$click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",$click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",$click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",$click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",$click.value$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval>
          <eval token="start_time">$row._time$</eval>
          <eval token="end_time">$row._time$ + $row._span$</eval>
          <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>

ITWhisperer

Try using $app_query|u$ in the link to URL encode the token value.

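Here is an added Python generator, not part of this thread or of Splunk itself, that builds the pieces ITWhisperer suggests above: the single-line case() for the app_query eval token with its embedded quotes escaped for XML, and a URL-encoded search?q= link equivalent to what $app_query|u$ should produce. It uses the toy names from the original question (index=blah, app1..app4) and assumes the drilldown eval parser accepts SPL-style backslash-escaped quotes inside string literals.

```python
"""Generate Splunk Simple XML drilldown pieces from an AppName -> filter map.

Added example, not the thread's own dashboard code. The index, app names
and filters are the constructed toy values from the original question.
"""
import html
import urllib.parse

# Constructed sample: the common filter lines from the question's base search.
BASE_FILTERS = [
    'index=blah',
    'NOT "*test*"',
    'NOT "*exe*"',
    'Level=Error',
]

# Constructed sample: one SPL filter per AppName bucket, mirroring the branches
# of the question's eval case(...). Order matters: case() returns the first
# match, so the more specific app1 filter must precede the broader app2 one.
APP_FILTERS = {
    "app1": '(SourceName="Foo" AND Message="*Bar*")',
    "app2": '(SourceName="Foo")',
    "app3": "(source=\"Mtn\" AND 'Properties.Service'=\"Barf\")",
    "app4": '(SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*"))',
}


def spl_string(value: str) -> str:
    """Wrap value as an SPL eval string literal, escaping embedded quotes.

    Assumption: the drilldown <eval> parser accepts SPL-style \\" escapes.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def app_query_case(filters: dict, click_token: str = "$click.value$") -> str:
    """Build the one-line case() that maps the clicked series name to its filter."""
    branches = [f"{click_token}=={spl_string(app)}, {spl_string(spl)}"
                for app, spl in filters.items()]
    return "case(" + ", ".join(branches) + ")"


def eval_token_element(filters: dict, token: str = "app_query") -> str:
    """Emit <eval token=...>...</eval> on a single line with XML entities escaped."""
    expr = html.escape(app_query_case(filters), quote=True)  # " -> &quot; etc.
    return f'<eval token="{token}">{expr}</eval>'


def drilldown_search(app: str) -> str:
    """The full per-app search a click should open: base filters + app filter."""
    return "\n".join(BASE_FILTERS + [APP_FILTERS[app]])


def drilldown_link(app: str, earliest: str, latest: str) -> str:
    """URL-encode the search (as the |u token filter would) into a search?q= link."""
    q = urllib.parse.quote(drilldown_search(app), safe="")
    e = urllib.parse.quote(earliest, safe="")
    l = urllib.parse.quote(latest, safe="")
    return f"search?q={q}&earliest={e}&latest={l}"


def decode_link_query(link: str) -> str:
    """Recover the SPL from a search?q= link to check what the new window will run."""
    query_string = urllib.parse.urlparse(link).query
    return urllib.parse.parse_qs(query_string)["q"][0]


if __name__ == "__main__":
    print(eval_token_element(APP_FILTERS))
    print(drilldown_link("app1", "-24h@h", "now"))
    print(decode_link_query(drilldown_link("app1", "-24h@h", "now")))
```

Comparing decode_link_query() of the generated link against drilldown_search() is the check that the new window runs the intended SPL rather than a literal $app_query$.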

OrionCulver

It's still happening, just not with $app_query|u$ showing as a string in the query. See the XML & screenshot below:

 

<form version="1.1" theme="dark">
  <label>Error Overview</label>
  <description>These charts only show apps having errors in the selected time frame</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Across Time</title>
      <chart>
        <search>
          <query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", 
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", 
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", 
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", 
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <eval token="app_query">case($click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",$click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",$click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",$click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",$click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",$click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",$click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",$click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",$click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",$click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",$click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",$click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",$click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",$click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",$click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",$click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",$click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",$click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",$click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",$click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",$click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",$click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",$click.value$=="SecureRekey", 
"(SourceName=&quot;SecureRekey&quot;)",$click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",$click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",$click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",$click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",$click.value$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval>
          <eval token="start_time">$row._time$</eval>
          <eval token="end_time">$row._time$ + $row._span$</eval>
          <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query|u$&amp;earliest=$start_time$&amp;latest=$end_time$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>

OrionCulver_0-1699977231200.png

0 Karma

ITWhisperer
SplunkTrust

Rather than $click.value$, try $click.name2$

0 Karma

OrionCulver
Explorer

Just tried, same result.

<form version="1.1" theme="dark">
  <label>Error Overview</label>
  <description>These charts only show apps having errors in the selected time frame</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Across Time</title>
      <chart>
        <search>
          <query>(index=ivss OR index=hec_18399_na_prod)
NOT "*ivss-test*"
NOT (SourceName=Microsoft-Windows-CAPI2)
NOT (SourceName=Microsoft-Windows-DistributedCOM)
NOT (SourceName="Microsoft WSE 3.0")
NOT (SourceName=Microsoft-Windows-GroupPolicy)
NOT (SourceName=Microsoft-Windows-Eventlog)
NOT (SourceName=Logging)
NOT (SourceName=ADFSAuth)
NOT (SourceName=Schannel)
NOT "*PackageExtractor.exe*"
NOT "*w3wp.exe*"
NOT "*openssl.exe*"
(Type="Error" OR Level="Error")
| eval AppName = case(
(SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", 
(SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", 
(SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", 
(SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", 
(source="Cloud.SecurePnC"), "Cloud_SecurePnC",
(source="ivssspd"), "SecurePackageDelivery",
(sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
(source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
(source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
(source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
(SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
(SourceName="KmsService"), "KmsService",
(SourceName="AutoSigner"), "AutoSigner",
(SourceName="DebugToken"), "DebugToken",
(SourceName="FlashbackCache"), "FlashbackCache",
(SourceName="KeyBundler"), "KeyBundler",
(SourceName="SecureModuleCore"), "SecureModuleCore",
(SourceName="SecureOTACore"), "SecureOTACore",
(SourceName="SecurePaaK"), "SecurePaaK",
(SourceName="SecurePayloadCore"), "SecurePayloadCore",
(SourceName="SecurePnCCore"), "SecurePnCCore",
(SourceName="SecureRekey"), "SecureRekey",
(SourceName="SecureSigner"), "SecureSigner",
(SourceName="SupplierFeed"), "SupplierFeed",
(SourceName="TRON"), "TRON",
(SourceName="WSLAgent5"), "WSLAgent5",
(SourceName="MMU"), "MMU",
1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <eval token="app_query">case($click.name2$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",$click.name2$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",$click.name2$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",$click.name2$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",$click.name2$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",$click.name2$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",$click.name2$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",$click.name2$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",$click.name2$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",$click.name2$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",$click.name2$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",$click.name2$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",$click.name2$=="KmsService", "(SourceName=&quot;KmsService&quot;)",$click.name2$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",$click.name2$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",$click.name2$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",$click.name2$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",$click.name2$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",$click.name2$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",$click.name2$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",$click.name2$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",$click.name2$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",$click.name2$=="SecureRekey", 
"(SourceName=&quot;SecureRekey&quot;)",$click.name2$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",$click.name2$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",$click.name2$=="TRON", "(SourceName=&quot;TRON&quot;)",$click.name2$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",$click.name2$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval>
          <eval token="start_time">if(isnull($row._time$),$field1.earliest$,$row._time$)</eval>
          <eval token="end_time">if(isnull($row._time$),$field1.latest$,($row._time$ + $row._span$))</eval>
          <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query|u$&amp;earliest=$start_time$&amp;latest=$end_time$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>

Annotation 2023-11-14 120857.png

0 Karma

ITWhisperer
SplunkTrust

Try something like this

        <drilldown>
          <eval token="start_time">if(isnull($row._time$),$field1.earliest$,$row._time$)</eval>
          <eval token="end_time">if(isnull($row._time$),$field1.latest$,($row._time$ + $row._span$))</eval>
          <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0D%0ANOT%20%22*ivss-test*%22%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0D%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0D%0ANOT%20(SourceName%3DLogging)%0D%0ANOT%20(SourceName%3DADFSAuth)%0D%0ANOT%20(SourceName%3DSchannel)%0D%0ANOT%20%22*PackageExtractor.exe*%22%0D%0ANOT%20%22*w3wp.exe*%22%0D%0ANOT%20%22*openssl.exe*%22%0D%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0D%0A%7C%20eval%20AppName%20%3D%20case(%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*Mailer(*%22)%2C%20%22Mailer%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*SPackager(*%22)%2C%20%22SPackager%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*Hancock(Ver%3A*%22)%2C%20%22Hancock%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*GVMSAuth(Ver%3A*%22)%2C%20%22GVMSAuth%22%2C%20%0D%0A(source%3D%22Cloud.SecurePnC%22)%2C%20%22Cloud_SecurePnC%22%2C%0D%0A(source%3D%22ivssspd%22)%2C%20%22SecurePackageDelivery%22%2C%0D%0A(sourcetype%3D%22WinEventLog%3ASystem%22%20AND%20EventCode%3D5074)%2C%20%22AppPool_Restarts%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22SecureConnect%22)%2C%20%22Cloud_SecureConnect%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22SecureMessage%22)%2C%20%22Cloud_SecureMessage%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22FPackager%22)%2C%20%22Cloud_FPackager%22%2C%0D%0A(SourceName%3D%22IVSSCS%22%20AND%20match(_raw%2C%20%22.*Service%20%3D%20SecureMessage.*%22))%2C%20%22SecureMessage%22%2C%0D%0A(SourceName%3D%22IVSSCS%22%20AND%20match(_raw%2C%20%22.*Service%20%3D%20SecureConnect.*%22))%2C%20%22SecureConnect%22%2C%0D%0A(SourceName%3D%22KmsService%22)%2C%20%22KmsService%22%2C%0D%0A(SourceName%3D%22AutoSigner%22)%2C%20%22AutoSigner%22%2C%0D%0A(SourceName%3D%22DebugToken%22)%2C%20%22DebugToken%22%2C%0D%0A(SourceName%3D%22FlashbackCache%22)%2C%20%22FlashbackCache%22%2C%0D%0A(SourceName%3D%22KeyBundler%22)%2C%20%22KeyBundler%22%2C%0D%0A(SourceName%3D%22SecureModuleCore%22)%2C%20%22SecureModuleCore%22%2C%0D%0A(SourceName%3D%22SecureOTACore%22)%2C%20%22SecureOTACore%22%2C%0D%0A(SourceName%3D%22SecurePaaK%22)%2C%20%22SecurePaaK%22%2C%0D%0A(SourceName%3D%22SecurePayloadCore%22)%2C%20%22SecurePayloadCore%22%2C%0D%0A(SourceName%3D%22SecurePnCCore%22)%2C%20%22SecurePnCCore%22%2C%0D%0A(SourceName%3D%22SecureRekey%22)%2C%20%22SecureRekey%22%2C%0D%0A(SourceName%3D%22SecureSigner%22)%2C%20%22SecureSigner%22%2C%0D%0A(SourceName%3D%22SupplierFeed%22)%2C%20%22SupplierFeed%22%2C%0D%0A(SourceName%3D%22TRON%22)%2C%20%22TRON%22%2C%0D%0A(SourceName%3D%22WSLAgent5%22)%2C%20%22WSLAgent5%22%2C%0D%0A(SourceName%3D%22MMU%22)%2C%20%22MMU%22%2C%0D%0A1%3D%3D1%2C%20%22Other%22)%0D%0A%7C%20where%20AppName%3D&quot;$click.name2$&quot;&amp;earliest=$start_time$&amp;latest=$end_time$</link>
        </drilldown>
0 Karma

OrionCulver
Explorer

The difficulty is that click.name2 is the group-by in the query, which is dynamically determined by the eval in the query (the AppName). That AppName is for making the chart human-readable, but the drilldown needs to "convert" the AppName back into the search terms used for the clicked-on AppName. E.g., the app named GVMSAuth is really the search terms (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), as far as seeing the event logs.

Does that make sense?

0 Karma

OrionCulver
Explorer

I tried removing all my custom XML and using the drilldown UI to generate the evals. Then I went to the XML to add the link back in. Interestingly, the value for the token app_query is getting passed to the new search window, but it is URL-escaped, so the query returns no results.

using drill down ui to set eval expressions then add link.png

0 Karma

OrionCulver
Explorer

Great - I removed the "|u" from the token in the link, in case that might not escape the double quotes, but the search window went back to just showing the token name, not the value. I put the "|u" back, but the search window now persists in showing the token name, not the value. It's almost like the Splunk XML parser is behaving inconsistently.

0 Karma
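The two problems raised above (turning a clicked AppName back into its search terms, and the quoting/URL-encoding of the token that feeds the link) both come from keeping the name-to-predicate mapping in two places and hand-escaping it. The script below is an added example, not the poster's dashboard or Splunk's code: it keeps the mapping in one ordered table, generates the chart's case() and the drilldown pieces from it, and builds the search?q= target the way the $token|u$ filter would. The APP_RULES list is a constructed subset of the rules quoted in the thread, BASE_SEARCH is shortened, and all function names are mine. It assumes the dashboard's token eval honours SPL string escaping (a double quote inside a string literal written as \"); a bare quote inside the literal, which is what &quot; decodes to in element text, ends the string early.

```python
from urllib.parse import quote

# Ordered subset of the rules quoted in the thread (constructed here; the real
# dashboard has more). Order matters: SPL case() is first-match, so the four
# specific KmsService rules must precede the bare SourceName="KmsService" catch-all.
APP_RULES = [
    ("Mailer",          'SourceName="KmsService" AND Message="*Mailer(*"'),
    ("SPackager",       'SourceName="KmsService" AND Message="*SPackager(*"'),
    ("Hancock",         'SourceName="KmsService" AND Message="*Hancock(Ver:*"'),
    ("GVMSAuth",        'SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"'),
    ("Cloud_SecurePnC", 'source="Cloud.SecurePnC"'),
    ("KmsService",      'SourceName="KmsService"'),
    ("AutoSigner",      'SourceName="AutoSigner"'),
]

# Shortened base search; the dashboard's full NOT-list would go here unchanged.
BASE_SEARCH = '(index=ivss OR index=hec_18399_na_prod) (Type="Error" OR Level="Error")'


def chart_case_expr(rules=APP_RULES):
    """SPL case() for the chart query: maps each event to a readable AppName."""
    branches = [f'({pred}), "{name}"' for name, pred in rules]
    branches.append('1==1, "Other"')
    return "case(" + ", ".join(branches) + ")"


def drilldown_predicate(app_name, rules=APP_RULES):
    """Exact inverse of the mapping for one bar: the app's own predicate AND NOT
    every earlier branch, because case() already assigned those events to an
    earlier app. Without the NOTs, clicking the KmsService catch-all bar would
    also return the Mailer/SPackager/Hancock/GVMSAuth events that the chart
    counted under other names, so the drilldown would not reconcile with the bar."""
    earlier = []
    for name, pred in rules:
        if name == app_name:
            return " ".join([f"({pred})"] + [f"NOT ({p})" for p in earlier])
        earlier.append(pred)
    raise KeyError(f"unknown app name: {app_name}")


def spl_string_literal(text):
    """Wrap text as an SPL string literal: backslashes and embedded double
    quotes are backslash-escaped, so the literal stays a single string."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def drilldown_eval_case(rules=APP_RULES, click_token="$click.name2$"):
    """Body for <eval token="app_query"> in the drilldown (assumption: the
    dashboard token eval accepts SPL-style escaped quotes)."""
    branches = [
        f'{click_token}=="{name}", {spl_string_literal(drilldown_predicate(name, rules))}'
        for name, _ in rules
    ]
    return "case(" + ", ".join(branches) + ")"


def drilldown_link(app_name, earliest="$start_time$", latest="$end_time$"):
    """search?q=... target for one bar. quote() percent-encodes the whole query,
    which is what the $token|u$ filter does to a token value; the time tokens
    are appended raw so the dashboard can still substitute them."""
    q = f"{BASE_SEARCH}\n{drilldown_predicate(app_name)}"
    return f"search?q={quote(q, safe='')}&earliest={earliest}&latest={latest}"


def drilldown_link_via_where(click_token="$click.name2$",
                             earliest="$start_time$", latest="$end_time$"):
    """The alternative suggested in the thread: rerun the chart's own eval and
    filter on AppName, so no inverse mapping is needed and the drilldown can
    never disagree with the chart's bucketing. '$' is left unencoded so the
    click token is substituted before the URL is opened."""
    q = (f"{BASE_SEARCH}\n| eval AppName = {chart_case_expr()}\n"
         f'| where AppName="{click_token}"')
    return f"search?q={quote(q, safe='$')}&earliest={earliest}&latest={latest}"


if __name__ == "__main__":
    print(drilldown_predicate("KmsService"))
    print(drilldown_link("GVMSAuth"))
```

Generating the XML from one table also makes the first-match property of case() visible: the catch-all bar's drilldown gets the earlier branches negated, which a hand-written per-app predicate silently omits.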

OrionCulver
Explorer

This is a portion of my dashboard XML, due to the 20k character limit.

0 Karma

OrionCulver
Explorer

Apparently, the line chart drilldown also isn't opening in a new window/tab, in spite of target="_blank".

0 Karma

ITWhisperer
SplunkTrust

Please share your dashboard code

0 Karma