We have an existing Drill down that currently works. We are adding 2 new lines to the drilldown that filter out computers that have not logged into AD in the last 30 days. Once the 2 new lines are added the drill down starts returning blank pages, a search page with nothing in the search field and not data or just a generic error.
These are the two new lines, the error must be here:
| eval ad_logon1=strptime(ad_lastLogon,"%Y-%m-%d")
| where ad_logon1 > relative_time(now(),"-30d@d") OR isnull(ad_lastLogon)
Here is my current drill down, I have tried different codes for @ , % " > < but none of them seem to work:
<drilldown>
<link target="_blank">search?q=index=autocompliance $ac_division$ platform=Server $StillNeedToFixDNS$ earliest=$period.earliest$ latest=$period.latest$
NOT [search index=autocompliance sourcetype=autocompliance $division$ platform=Server fw=Yes $StillNeedToFixDNS$ earliest=$period.earliest$ latest=$period.latest$
| dedup hostname
| fields hostname
| union
[| inputlookup exceptions
| search $division$ ac_fw=1
| fields hostname]]
| dedup hostname
| eval ad_logon1=strptime(ad_lastLogon%2C%22%25Y-%25m-%25d%22)
| where ad_logon1 > relative_time(now()%2C%22-30d%40d%22) OR isnull(ad_lastLogon)
| table hostname</link>
</drilldown>
Any Ideas and thanks!
@dpelletier@aicpcc.com ,
Tried copying your search to drilldown and it works. Easiest way is to edit drilldown from the panel , select "Link to search " , select custom and add your search there. In this way , you dont need to worry about XML escaping.
or try changing the where
clause to
|where ad_logon1 > relative_time(now(),"-30d@d") OR isnull(ad_lastLogon)| table hostname