Solved: Can you help me on a drilldown parameter please?

jip31 · ‎11-09-2018

hello

From the report below, I want to do a drilldown by Mois (which is the month)

index="ai-wkst-wineventlog-fr" sourcetype=XmlWinEventLog source="XmlWinEventLog:System" EventCode=11 Level=2 Name='Disk'  Mois="$process$" | eval Mois=strftime(_time,"%Y-%m") 
  | dedup _time
| table _time host Type EventCode Mois

in the explorer editor I putted : form.process = $row.Mois$

and in the drilldown report I putted:

index="ai-wkst-wineventlog-fr" sourcetype=XmlWinEventLog source="XmlWinEventLog:System" EventCode=11 Level=2 Name='Disk'  Mois="$process$" | eval Mois=strftime(_time,"%Y-%m")
  | dedup _time
| table _time host Type EventCode

But I have no results
could you help me please??

martin_mueller · ‎11-12-2018

Your initial search is overriding Mois with a year-month string - it's quite possible that your raw data doesn't actually look like that. Hard to be sure though without knowing your data.

View solution in original post

martin_mueller · ‎11-12-2018

Your initial search is overriding Mois with a year-month string - it's quite possible that your raw data doesn't actually look like that. Hard to be sure though without knowing your data.

Vijeta · ‎11-09-2018

what is the query you are using for populating the process token?

jip31 · ‎11-12-2018

hi
| loadjob savedsearch="admin:FO_DiskHealth_Monitoring:FO_DiskHealth_EV"
| search host=$tok_filterhost$
| fields - host

Can you help me on a drilldown parameter please?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes