I have a correlation search where the 'dest' field is present, and in the drilldown search I have
| search dest="$dest$"
However, when I click on contributing events, the drilldown search opens up with the same query
| search dest="$dest$"
instead of the actual value of the 'dest' field. Why doesn't this work?
Has anyone faced this issue?
Have you assigned the clicked field dest to the token $dest$ in the drilldown section of the dashboard? Using the $dest$ in the subsequent search is using a TOKEN called dest, not a field called dest from a previous search.
<drilldown>
<set token="dest">$row.dest$</set>
</drilldown>
@bowesmana no, actually this is not a dashboard drill down, it's drill down search in notable events of a correlation search.
Try something like:
| search dest="$row.dest|n$"
No, this is not working. When I click on the drilldown, this search appears
| search dest="$row.dest|n$"
not with the actual value.
I am struggling with the same thing, have you resolved this issue?
What have you tried?
So originally I tried to have this as the correlation search
index=o365 sourcetype="mscs:azure:eventhub" "body.operationName"="Risky user" "body.properties.riskLevel"=high | rename body.properties.userDisplayName AS Display_Name | rename body.properties.userPrincipalName AS Email
| stats values(body.operationName) AS Operation_Name, count AS result BY Display_Name | eval dd="index=o365 sourcetype=mscs:azure:eventhub body.operationName=\"User Risk Detection\" body.properties.riskLevel=high \"body.properties.userDisplayName\"=".Display_Name
The drilldown was then search $dd$. The problem is that the value in Display_Name needs quotes for the search to work, and I cannot seem to get that to work properly for .Display_Name.
If I have a correlation search of
index=o365 sourcetype="mscs:azure:eventhub" "body.operationName"="Risky user" "body.properties.riskLevel"=high | rename body.properties.userDisplayName AS Display_Name | rename body.properties.userPrincipalName AS Email
| stats values(body.operationName) AS Operation_Name, count AS result BY Display_Name
And a drill down of
index=o365 sourcetype=mscs:azure:eventhub body.operationName="User Risk Detection" body.properties.riskLevel=high "body.properties.userDisplayName"=$Display_Name$
will that work?
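As an added example (not from anyone in this thread), this is one way to build the quoted search string inside eval: the Display_Name value is wrapped in escaped double quotes on both sides so the generated search is `"body.properties.userDisplayName"="<name>"`. It assumes the same index, sourcetype and field names used in the post above, with the drilldown still set to search $dd$.

```spl
index=o365 sourcetype="mscs:azure:eventhub" "body.operationName"="Risky user" "body.properties.riskLevel"=high
| rename body.properties.userDisplayName AS Display_Name, body.properties.userPrincipalName AS Email
| stats values(body.operationName) AS Operation_Name, count AS result BY Display_Name
| eval dd="index=o365 sourcetype=mscs:azure:eventhub body.operationName=\"User Risk Detection\" body.properties.riskLevel=high \"body.properties.userDisplayName\"=\"" . Display_Name . "\""
```

For a Display_Name of John Doe this yields `... "body.properties.userDisplayName"="John Doe"` in dd; a display name that itself contains a double quote would still need that character escaped before it is concatenated.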