Solved: Re: Can you help me on a drilldown parameter pleas...

jip31 · ‎11-09-2018

hello

From the report below, I want to do a drilldown by Mois (which is the month)

index="ai-wkst-wineventlog-fr" sourcetype=XmlWinEventLog source="XmlWinEventLog:System" EventCode=11 Level=2 Name='Disk'  Mois="$process$" | eval Mois=strftime(_time,"%Y-%m") 
  | dedup _time
| table _time host Type EventCode Mois

in the explorer editor I putted : form.process = $row.Mois$

and in the drilldown report I putted:

index="ai-wkst-wineventlog-fr" sourcetype=XmlWinEventLog source="XmlWinEventLog:System" EventCode=11 Level=2 Name='Disk'  Mois="$process$" | eval Mois=strftime(_time,"%Y-%m")
  | dedup _time
| table _time host Type EventCode

But I have no results
could you help me please??

martin_mueller · ‎11-12-2018

Your initial search is overriding Mois with a year-month string - it's quite possible that your raw data doesn't actually look like that. Hard to be sure though without knowing your data.

View solution in original post

martin_mueller · ‎11-12-2018

Your initial search is overriding Mois with a year-month string - it's quite possible that your raw data doesn't actually look like that. Hard to be sure though without knowing your data.

Vijeta · ‎11-09-2018

what is the query you are using for populating the process token?

jip31 · ‎11-12-2018

hi
| loadjob savedsearch="admin:FO_DiskHealth_Monitoring:FO_DiskHealth_EV"
| search host=$tok_filterhost$
| fields - host

Can you help me on a drilldown parameter please?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Can you help me on a drilldown parameter please?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability