I have a timechart panel in a dashboard that has all the e-mails that were sent this month, whether that be an Alert or a Report. I want to be able to click on any of those stacked values and, on another tab, have it bring me those results. I know using the loadjob command with the sid should help me with this, but I don't know how to use tokens for this. Here is the panel. Can anybody help?
index=_internal source="D:\\Example\\Splunk\\var\\log\\splunk\\python.log" sourcetype=splunk_python TERM(email)
| eval ReportNamingConvention=if(match(subject, "Name\sSIEM\sReport:\sFirewall"), 1, 0)
| where ReportNamingConvention==1
| eval subject=substr(subject, 30)
| timechart useother=false count as Count by subject
| rename subject as "Email Subject"