Hi,
I have created a view which displays a list of usernames in a table. When a user clicks on any username, all the events for that username are displayed in a new panel. I am using row drilldown to pass the parameter. But I am facing the following issue:
The events are coming fine for the last 2-3 months, but it does not show events older than 5-6 months. The number-of-results header is showing the correct number as expected.
These events are also displayed in flashtimeline when the same query is used.
Please help me with this.
Thanks for your time.
```xml
<module name="textfield">
  <param name="name">search_filter</param>
  <param name="template">$value$</param>
  <module name="timerangepicker">
    <module name="button">
      <!-- First search: table of users -->
      <module name="Search">
        <param name="search">index=xyz | table User</param>
        <module name="SimpleResultsHeader">
          <module name="Pager">
            <module name="SimpleResultsTable">
              <param name="entityname">Results</param>
              <param name="drilldown">Rows</param>
              <param name="fields">User</param>
              <!-- Drilldown search: events for the clicked user -->
              <module name="Search">
                <param name="search">index=xyz | search user=$click.fields.User$</param>
                <module name="SimpleResultsHeader">
                  <param name="entityname">events</param>
                  <module name="EventViewer">
                  </module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
```
Please excuse syntax errors, as I have not copy-pasted the code.
Not strictly a solution to your problem, but it would be a REALLY good idea to rewrite your second search. Right now it retrieves ALL events from the xyz index, THEN a separate search takes these events and filters out the ones with the clicked user. A much better idea would be to put this search term in the same search as "index=xyz" instead.
Could you paste some example XML? Just at a wild stab, it sounds to me like the drilldown may be inheriting a different time range to the one that you want it to use; without the search string or XML it's hard to tell.
Thanks for your time. Added the XML to the question.
No, the logs are fine. The results with the same query are getting displayed in the default search.
Did something happen with the format of the logs 5-6 months ago? Maybe fields aren't getting extracted correctly? Do you see fields properly if you check these logs in the default search view?