Hello,
So I have the following issue...
Let's say I have a Splunk table, where is a rename on the end. The tokens can have different value, so the final header column is dynamic, as it depends on the token.
| table 1_aaa, 1_bbb, 1_ccc, 2_aaa, 2_bbb, 2_ccc, 3_aaa, 3_bbb, 3_ccc
| rename 1_aaa as "1. $aaa$", 1_bbb as "1. $bbb$", 1_ccc as "1. $ccc$",
2_aaa as "2. $aaa$", 2_bbb as "2. $bbb$", 2_ccc as "2. $ccc$",
3_aaa as "3. $aaa$", 3_bbb as "3. $bbb$", 3_ccc as "3. $ccc$"
The formatting is working properly:
<format type="color" field="1. $aaa$">
<colorPalette type="list">[#5b708f]</colorPalette>
</format>
But the drilldown not. I tried the below conditions, but without success.
<drilldown>
<condition match="$click.name2$ = 1. $aaa$">
<condition match="$click.name2$ = "1. $aaa$"">
<condition match="$click.name2$ = "1. "$aaa$">
<condition match="match('click.name2', 1. $aaa$)">
<condition match="match('click.name2', "1. $aaa$")">
<condition match="match('click.name2', "1. "$aaa$)">
<condition match="match('click.name2', '1. $aaa$')">
Is there a way to do it somehow with such a combination?
P.S.:
As a possible workaround, without a combination of string&token it works properly, but I rather go without it as then I unnecessarily need to create a separate token for each column:
<set token="1_aaa">1. $result.aaa$</set>
<set token="1_bbb">1. $result.bbb$</set>
<set token="1_ccc">1. $result.ccc$</set>
...
| table 1_aaa, 1_bbb, 1_ccc, 2_aaa, 2_bbb, 2_ccc
| rename 1_aaa as "$1_aaa$", 1_bbb as "$1_bbb$", 1_ccc as "$1_ccc$",
2_aaa as "$2_aaa$", 2_bbb as "$2_bbb$", 2_ccc as "$2_ccc$",
3_aaa as "$3_aaa$", 3_bbb as "$3_bbb$", 3_ccc as "$3_ccc$"
...
<format type="color" field="$1_aaa$">
<colorPalette type="list">[#5b708f]</colorPalette>
</format>
...
<drilldown>
<condition match="$click.name2$ = $1_aaa$">
