Splunk Search
Highlighted

Error in drilldown that returns blank page or no search

New Member

We have an existing Drill down that currently works. We are adding 2 new lines to the drilldown that filter out computers that have not logged into AD in the last 30 days. Once the 2 new lines are added the drill down starts returning blank pages, a search page with nothing in the search field and not data or just a generic error.

These are the two new lines, the error must be here:

| eval ad_logon1=strptime(ad_lastLogon,"%Y-%m-%d")
| where ad_logon1 > relative_time(now(),"-30d@d") OR isnull(ad_lastLogon)

Here is my current drill down, I have tried different codes for @ , % " > < but none of them seem to work:

   <drilldown>
          <link target="_blank">search?q=index=autocompliance $ac_division$ platform=Server $StillNeedToFixDNS$ earliest=$period.earliest$ latest=$period.latest$
                  NOT [search index=autocompliance sourcetype=autocompliance $division$ platform=Server fw=Yes $StillNeedToFixDNS$ earliest=$period.earliest$ latest=$period.latest$
                      | dedup hostname
                      | fields hostname
                      | union 
                        [| inputlookup exceptions 
                         | search $division$ ac_fw=1
                         | fields hostname]]
                  | dedup hostname
                  | eval ad_logon1=strptime(ad_lastLogon%2C%22%25Y-%25m-%25d%22)
                  | where ad_logon1 > relative_time(now()%2C%22-30d%40d%22) OR isnull(ad_lastLogon)
                  | table hostname</link>
        </drilldown>

Any Ideas and thanks!

0 Karma
Highlighted

Re: Error in drilldown that returns blank page or no search

SplunkTrust
SplunkTrust

@dpelletier@aicpcc.com ,
Tried copying your search to drilldown and it works. Easiest way is to edit drilldown from the panel , select "Link to search " , select custom and add your search there. In this way , you dont need to worry about XML escaping.

or try changing the where clause to

|where ad_logon1 &gt; relative_time(now(),"-30d@d") OR isnull(ad_lastLogon)| table hostname
0 Karma