Need help passing a token value from a Single Value Panel using the ( | stats count) in conjuction to the ( | rex field= _raw) command to a Stats Table panel.  I created a dashboard showing various "winevent" logs for user accounts (created, enabled, disabled, deleted, etc...)  Current search I have for my various Single Value panel using the stats command in my search is seen below. (for this example, I used the win event code 4720 to count of "User Account Created" on the network) and extracted the EventCode.

Acct Enable: index="wineventlog " EventCode=4720
| dedup user
| _rex=field _raw "(?m)EventCode=(?<eventcode>[\S]*)"
| stats count

Output gives me a Single Value Count for window event codes that = 4720 ignoring duplicate user records.   

I am now trying to capture the extracted "eventcode" using a drilldown in a token for each respective count panel.  I have setup the token as:

(Set $token_eventcode$ = $click.value$)

in my drill down editor in my second query table.  Using that token, I want to display the respective records in a second query panel to display the record(s) info in a table as seen below:   

Acct Enable: index="wineventlog " EventCode=$token_eventcode$

| table _time, user, src_user, EventCodeDescription

As I am still learning how to use the rex command, having problems in this instance in capturing the EventCode from the _raw logs, setting it to the ($token_eventcode$) token in the Single Value County query and passing that value down through a token to the table while maintaining the stats count value. 

Any assistance with be greatly appreciated.