I have a table listing 2 fields, field1 and field2. Its search is like:
index=main source=src.txt field1=* | table field1 field2
Here the log format is almost similar to
timestamp field1 bla bla bla
and field2 is some duration calculated using the eval command (this is the reason I need a drilldown option here)
and field1 will be like
I have extracted these 1,2,3 values in a field called Field1_number
How can I include this Field1 value in the search (I need this to show the thread number; apple drill down should be all the events under thread no 1, it can be ball bab etc)?
The drilldown search I am using is like
/app/myapp/flashtimeline?q=source=$form.sources$ thread_no=* OR field1="$click.value$" | sort -_time
How can I substitute thread_no?
Shall I use a regex command
....| rex field=field1 (?\d)
but I am not able to append it to a search
...|search thread_no=threadno OR field1="$click.value$" |sort....
Please correct my query
Thanks Leo, it is working fine as you told. But if I don't want to display threadno in the table, how can I get that value in the drilldown? I tried appending
"table threadno field1 field2 | fields - threadno"
then in drilldown $row.threadno$ is not substituting the value