This is my current search:
|tstats count as total from datamodel="XXXX" where (nodename=XXX) (EPC_Log.pageName=$pageName_tok$) groupby _time , EPC_Log.onErrorMsg ,span=$timespan_tok$| timechart limit=0 span=$timespan_tok$ sum(total) by EPC_Log.onErrorMsg|eval _earliest=_time|eval _latest=_time+_span
My drilldown looks like this:
<drilldown target="Raw Search Investigation">
<link>
<![CDATA[
/app/search/search?q=search index=app host="XXX" sourcetype="XXX" domain=XXXXX pageName=$pageName_tok$ onErrorMsg="$click.name2$" earliest=$row._time$ latest=$row._latest$
]]>
</link>
</drilldown>
but when I click the new search like this:
index=app host="XXX" sourcetype="XXX" domain=XXX pageName=XXX onErrorMsg="Script" earliest=1447178400.000 latest=$row._latest$
you can see that I can not get the $row._latest$ value.
Could you help me ?
... View more
in my search, I have append this after the timechart: ... | eval _earliest = _time | eval _latest = _time + _span
but in the drilldown I use $row._earliest$ and $row._latest$, I can not get the value
my search:
......| timechart limit=0 span=$timespan_tok$ sum(total) by EPC_Log.onErrorMsg|eval _eraliest=_time|eval _latest=_time+_span
my drilldown :
......onErrorMsg="$click.name2$" earliest=$row._time$ latest=$row._latest$
when i click the query like this:
......onErrorMsg="Script" earliest=1447167600.000 latest=$row._latest$
So you can see, I can get $row._time$ but i can not get the $row._latest$ value
Can you help me ?
... View more
query:
index=app sourcetype=XXXX eventName=xxx | bucket _time span=1m | stats count as total, count(eval(success="false")) as failureCount by _time, eventName | eval successRate=100*(total-failureCount)/total | xyseries _time eventName successRate
I build a line chart like the image.
Now , I want to add drilldown function, how can I get the eventName when I click down.
I have try $click.value$ , $row.field$, $click.value2$, but failed.
... View more