All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Timestamp correct. Timestamp received by Splunk matches what is recorded on the appliance.   All time (real-time) is the only search that allows me to see logs. Searching any other time does not wo... See more...
Timestamp correct. Timestamp received by Splunk matches what is recorded on the appliance.   All time (real-time) is the only search that allows me to see logs. Searching any other time does not work.  For example, look at pictures below.  Searching in previous 5 minutes shows no logs. I switch to All time (real-time) and all logs are being shown.    
This is a part of result. What I want, to get in one line only mobileNumber and countryCode, on other line lastName, firstName, not all log where this words are meet.  
...That's quite an out of date version that is way out of support.  Also, I'm not sure what your ru.js file is doing, since the typical localization process involves creating the po/mo files within t... See more...
...That's quite an out of date version that is way out of support.  Also, I'm not sure what your ru.js file is doing, since the typical localization process involves creating the po/mo files within the mrsparkle library localization folders. The localization stuff in Splunk is based on gettext.  For your version of Splunk these are the localization instructions here and here Have you tried editing the portable object files for your formatting?    
Not sure why but this gives error on line 19, unexpected close of query.
it's still happening - just not with $app_query|u$ showing as a string in the query.  see the xml & screenshot below:   <form version="1.1" theme="dark"> <label>Error Overview</label> <descript... See more...
it's still happening - just not with $app_query|u$ showing as a string in the query.  see the xml & screenshot below:   <form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Across Time</title> <chart> <search> <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") | eval AppName = case( (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", (source="Cloud.SecurePnC"), "Cloud_SecurePnC", (source="ivssspd"), "SecurePackageDelivery", (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts", (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect", (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage", (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect", (SourceName="KmsService"), "KmsService", (SourceName="AutoSigner"), "AutoSigner", (SourceName="DebugToken"), "DebugToken", (SourceName="FlashbackCache"), "FlashbackCache", (SourceName="KeyBundler"), "KeyBundler", (SourceName="SecureModuleCore"), "SecureModuleCore", (SourceName="SecureOTACore"), "SecureOTACore", (SourceName="SecurePaaK"), "SecurePaaK", (SourceName="SecurePayloadCore"), "SecurePayloadCore", (SourceName="SecurePnCCore"), "SecurePnCCore", (SourceName="SecureRekey"), "SecureRekey", (SourceName="SecureSigner"), "SecureSigner", (SourceName="SupplierFeed"), "SupplierFeed", (SourceName="TRON"), "TRON", (SourceName="WSLAgent5"), "WSLAgent5", (SourceName="MMU"), "MMU", 1==1, "Other") | timechart usenull=f useother=f limit=0 span=1h count by AppName</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="height">500</option> <option name="refresh.display">progressbar</option> <drilldown target="_blank"> <eval token="app_query">case($click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",$click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",$click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",$click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",$click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",$click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",$click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",$click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",$click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",$click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",$click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",$click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",$click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",$click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",$click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",$click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",$click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",$click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",$click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",$click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",$click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",$click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",$click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",$click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",$click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",$click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",$click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",$click.value$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval> <eval token="start_time">$row._time$</eval> <eval token="end_time">$row._time$ + $row._span$</eval> <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query|u$&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown> </chart> </panel> </row> </form>    
Hi @law175 , check if the timestamp is correct nad don't use for testing Real Time. Ciao. giuseppe
Please share a sample of the events you expect to be returned
UDP. Just UDP. I only did TCP for testing purposes. I only want to receive UDP.   I switched the time from (past 5 minutes) to All Time (real time) and logs are appearing. There is an issue with ho... See more...
UDP. Just UDP. I only did TCP for testing purposes. I only want to receive UDP.   I switched the time from (past 5 minutes) to All Time (real time) and logs are appearing. There is an issue with how Splunk is processing Time from these logs it seems.
yes, I tried like this, bus 0 events are returned
Do you mean this? index="source*" | where matching="mobileNumber,countryCode" | stats count
Hi @law175, let me understand: are you sending UDP9008 or TCP9008 or both? which ones you whould have? which ones are you receiving? Ciao. Giuseppe
Try using $app_query|u$ in the link to URL encode the token value
This query is giving this result  but, I want to count by 2 or more words. Thank You  
Thanks for the tip!  Non-streaming  type pushes like this are often a challenge, and this is one way to manage the coupling of something that likes to be working in the real-time space (Splunk) versu... See more...
Thanks for the tip!  Non-streaming  type pushes like this are often a challenge, and this is one way to manage the coupling of something that likes to be working in the real-time space (Splunk) versus  more of a batch space (the DB).
Looks like below https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-host-value-from-INDEXED-EXTRACTIONS-json/m-p/577392
Hi! Faced with a very specific problem. We use splunk enterprise 7.3.0. We have ru_RU written in the address bar instead of en-US. In the file /opt/splunk/etc/system/local/times.conf, we changed th... See more...
Hi! Faced with a very specific problem. We use splunk enterprise 7.3.0. We have ru_RU written in the address bar instead of en-US. In the file /opt/splunk/etc/system/local/times.conf, we changed the display language of the time input to Russian. When the Date & Time Range item is selected in the time input and the period is set in it by the Between button, the data is applied, but the input itself disappears from the dashboard. An error appears in the console: moment().splunkFormat() does not support the locale ru. If you use en_US instead of ru_RU in the address bar, the error does not occur, but it does not suit us. I tried adding the file ru.js to the locale folder, then splunk stops working. Please tell me how you can fix this error. Thanks!
no luck - still getting $app_query$ as a string in the query as before.  here's the updated dashboard xml: <form version="1.1" theme="dark"> <label>Error Overview</label> <description>These ... See more...
no luck - still getting $app_query$ as a string in the query as before.  here's the updated dashboard xml: <form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Across Time</title> <chart> <search> <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") | eval AppName = case( (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", (source="Cloud.SecurePnC"), "Cloud_SecurePnC", (source="ivssspd"), "SecurePackageDelivery", (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts", (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect", (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage", (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect", (SourceName="KmsService"), "KmsService", (SourceName="AutoSigner"), "AutoSigner", (SourceName="DebugToken"), "DebugToken", (SourceName="FlashbackCache"), "FlashbackCache", (SourceName="KeyBundler"), "KeyBundler", (SourceName="SecureModuleCore"), "SecureModuleCore", (SourceName="SecureOTACore"), "SecureOTACore", (SourceName="SecurePaaK"), "SecurePaaK", (SourceName="SecurePayloadCore"), "SecurePayloadCore", (SourceName="SecurePnCCore"), "SecurePnCCore", (SourceName="SecureRekey"), "SecureRekey", (SourceName="SecureSigner"), "SecureSigner", (SourceName="SupplierFeed"), "SupplierFeed", (SourceName="TRON"), "TRON", (SourceName="WSLAgent5"), "WSLAgent5", (SourceName="MMU"), "MMU", 1==1, "Other") | timechart usenull=f useother=f limit=0 span=1h count by AppName</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="height">500</option> <option name="refresh.display">progressbar</option> <drilldown target="_blank"> <eval token="app_query">case($click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",$click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",$click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",$click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",$click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",$click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",$click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",$click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",$click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",$click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",$click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",$click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",$click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",$click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",$click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",$click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",$click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",$click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",$click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",$click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",$click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",$click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",$click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",$click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",$click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",$click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",$click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",$click.value$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval> <eval token="start_time">$row._time$</eval> <eval token="end_time">$row._time$ + $row._span$</eval> <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown> </chart> </panel> </row> </form>
@AL3Z Can you may be run btool to check the full configuration?
The case function in the token evaluation has to be all on one line.
<form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> ... See more...
<form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Across Time</title> <chart> <search> <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") | eval AppName = case( (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", (source="Cloud.SecurePnC"), "Cloud_SecurePnC", (source="ivssspd"), "SecurePackageDelivery", (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts", (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect", (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage", (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect", (SourceName="KmsService"), "KmsService", (SourceName="AutoSigner"), "AutoSigner", (SourceName="DebugToken"), "DebugToken", (SourceName="FlashbackCache"), "FlashbackCache", (SourceName="KeyBundler"), "KeyBundler", (SourceName="SecureModuleCore"), "SecureModuleCore", (SourceName="SecureOTACore"), "SecureOTACore", (SourceName="SecurePaaK"), "SecurePaaK", (SourceName="SecurePayloadCore"), "SecurePayloadCore", (SourceName="SecurePnCCore"), "SecurePnCCore", (SourceName="SecureRekey"), "SecureRekey", (SourceName="SecureSigner"), "SecureSigner", (SourceName="SupplierFeed"), "SupplierFeed", (SourceName="TRON"), "TRON", (SourceName="WSLAgent5"), "WSLAgent5", (SourceName="MMU"), "MMU", 1==1, "Other") | timechart usenull=f useother=f limit=0 span=1h count by AppName</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="height">500</option> <option name="refresh.display">progressbar</option> <drilldown target="_blank"> <eval token="app_query"> case( $click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)", $click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)", $click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)", $click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)", $click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)", $click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)", $click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)", $click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)", $click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)", $click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)", $click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)", $click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)", $click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)", $click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)", $click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)", $click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)", $click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)", $click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)", $click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)", $click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)", $click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)", $click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)", $click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)", $click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)", $click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)", $click.value$=="TRON", "(SourceName=&quot;TRON&quot;)", $click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)", $click.value$=="MMU", "(SourceName=&quot;MMU&quot;)" ) </eval> <eval token="start_time">$row._time$</eval> <eval token="end_time">$row._time$ + $row._span$</eval> <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown> </chart> </panel> </row> </form>