We are using a clustered SH setup.
I have a dashboard that lists all triggered alerts. When a user clicks on one of the list items, I would like to use the sid as a token to use as an argument for loadjob in another dashboard. The query is as simple as:
| loadjob <long-sid>
However currently when a row is clicked, the result is always "Search did not return any events. "
I have configured the tokens correctly and permissions also do not seem to be the issue. If I click the "open in search" button at the bottom of the dash I get the results of "| loadjob <sid>" as expected.
Please share the source of the dashboard originating the drilldown. We don't need the whole thing - just the one panel with the drilldown should be enough.
Of course, sorry, I didn't think about that beforehand.
<row>
  <panel>
    <table>
      <title>Latest events</title>
      <search>
        <query>| rest /servicesNS/-/-/alerts/fired_alerts/-
| search eai:acl.app = myapp severity = 3</query>
        <earliest>$alerts_timepicker.earliest$</earliest>
        <latest>$alerts_timepicker.latest$</latest>
        <refresh>10m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="drilldown">row</option>
      <option name="refresh.display">progressbar</option>
      <drilldown>
        <set token="search_id">$row.sid$</set>
      </drilldown>
    </table>
  </panel>
</row>
<row>
  <panel>
    <event>
      <title>Alert Details</title>
      <search>
        <query>| loadjob $search_id$ </query>
        <earliest>$alerts_timepicker.earliest$</earliest>
        <latest>$alerts_timepicker.latest$</latest>
      </search>
      <option name="list.drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </event>
  </panel>
</row>