Hello, I have an issue with getting token into a new dashboard. I build a dashboard for VPN connections. Here is the search for the main dashboard.
index=cisco-ise eventtype="cisco-ise" NAS_Port_Type=Virtual Location="Location#All Locations#bs HCS Domain#*" MESSAGE_CLASS="Passed-Authentication" OR MESSAGE_CLASS="Radius-Accounting" SelectedAccessService="VPN Access Protocols" Acct_Status_Type=Stop
| dedup CPMSessionID user
| eval LogoutTime = strftime(_time, "%d.%m.%Y %H:%M:%S")
| eval LoginTime = strftime((_time-Acct_Session_Time), "%d.%m.%Y %H:%M:%S")
| eval Acct_Input_Octets = round(((Acct_Input_Octets/1024)/1024),3)
| eval Acct_Output_Octets = round(((Acct_Output_Octets/1024)/1024),3)
| eval Acct_Session_Time = tostring(Acct_Session_Time, "duration")
| table LoginTime LogoutTime user Calling_Station_ID Framed_IP_Address Acct_Input_Octets Acct_Output_Octets Acct_Session_Time Acct_Terminate_Cause
| rename user as "Username" Framed_IP_Address as "VPN Client IP Address" Acct_Input_Octets as "MBytes Sent" Acct_Output_Octets as "MBytes Received" Acct_Session_Time as "Duration" Acct_Terminate_Cause as "Logout Reason" Calling_Station_ID as "VPN Client Public IP" LogoutTime as "Logout" LoginTime as "Login"
The result is table, the idea is when clicking on one line of the table another Dashboard shows up with the connections the VPN client established in the time range where he was connected to the VPN. I could manage to pass the source IP to the new Dashboard and it shows all the connections for the IP address. I'd like to limit it to the time where the client actually were connected.
Here is the drilldown section of the first dashboard
<drilldown>
<link target="_self">/app/search/vpn_connectivity_details?src_ip=$row.VPN Client IP Address$&login=$row.Login$&logout=$row.Logout$</link>
</drilldown>
When clicking I get an invalid earliest_time message on the second dashboard Here is the source code for the target dashboard
<dashboard>
<label>VPN Connectivity Details</label>
<row>
<panel>
<table>
<search>
<query>index=cisco-asa eventtype=cisco_connection src_ip=$src_ip$
| table _time src_ip dest_ip src_port dest_port transport bytes_in action</query>
<earliest>$login$</earliest>
<latest>$logout$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">50</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
I guess it has something to with the strtime format of my login and logout Table row. Is there a way to convert it back to a appropriate time format on the fly?
Any ideas are appreciated.
thanks Alex
... View more