| rex field=field_id max_match=0 "/(?<key>[^/]+)/(?<value>[^/]+)" | eval row=mvrange(0,mvcount(key)) | streamstats count as _row | mvexpand row | eval name="field_".mvindex(key,row) | eval {name}=mvindex(value,row) | fields - key value name row | stats values(*) as * by _row

Thank you! The max = 0 flag is what i had missing indeed. The data i provided is the result of the search that is why it's epoch. The logs i am managing are not that big but i will keep that in mind for the future!   Have a nice day!

The difficulty is that click.name2 is the group by in the query, which is dynamically determined by the eval in the query (the AppName).  That AppName is for making the chart human readable, but the drill down need to "convert" the AppName back into the search terms used for the clicked on AppName.  e.g., the app named GVMSAuth is really the search terms (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), as far as seeing the event logs. Does that make sense?

Try something like this <drilldown> <eval token="start_time">if(isnull($row._time$),$field1.earliest$,$row._time$)</eval> <eval token="end_time">if(isnull($row._time$),$field1.latest$,($row._time$ + $row._span$))</eval> <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0D%0ANOT%20%22*ivss-test*%22%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0D%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0D%0ANOT%20(SourceName%3DLogging)%0D%0ANOT%20(SourceName%3DADFSAuth)%0D%0ANOT%20(SourceName%3DSchannel)%0D%0ANOT%20%22*PackageExtractor.exe*%22%0D%0ANOT%20%22*w3wp.exe*%22%0D%0ANOT%20%22*openssl.exe*%22%0D%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0D%0A%7C%20eval%20AppName%20%3D%20case(%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*Mailer(*%22)%2C%20%22Mailer%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*SPackager(*%22)%2C%20%22SPackager%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*Hancock(Ver%3A*%22)%2C%20%22Hancock%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*GVMSAuth(Ver%3A*%22)%2C%20%22GVMSAuth%22%2C%20%0D%0A(source%3D%22Cloud.SecurePnC%22)%2C%20%22Cloud_SecurePnC%22%2C%0D%0A(source%3D%22ivssspd%22)%2C%20%22SecurePackageDelivery%22%2C%0D%0A(sourcetype%3D%22WinEventLog%3ASystem%22%20AND%20EventCode%3D5074)%2C%20%22AppPool_Restarts%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22SecureConnect%22)%2C%20%22Cloud_SecureConnect%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22SecureMessage%22)%2C%20%22Cloud_SecureMessage%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22FPackager%22)%2C%20%22Cloud_FPackager%22%2C%0D%0A(SourceName%3D%22IVSSCS%22%20AND%20match(_raw%2C%20%22.*Service%20%3D%20SecureMessage.*%22))%2C%20%22SecureMessage%22%2C%0D%0A(SourceName%3D%22IVSSCS%22%20AND%20match(_raw%2C%20%22.*Service%20%3D%20SecureConnect.*%22))%2C%20%22SecureConnect%22%2C%0D%0A(SourceName%3D%22KmsService%22)%2C%20%22KmsService%22%2C%0D%0A(SourceName%3D%22AutoSigner%22)%2C%20%22AutoSigner%22%2C%0D%0A(SourceName%3D%22DebugToken%22)%2C%20%22DebugToken%22%2C%0D%0A(SourceName%3D%22FlashbackCache%22)%2C%20%22FlashbackCache%22%2C%0D%0A(SourceName%3D%22KeyBundler%22)%2C%20%22KeyBundler%22%2C%0D%0A(SourceName%3D%22SecureModuleCore%22)%2C%20%22SecureModuleCore%22%2C%0D%0A(SourceName%3D%22SecureOTACore%22)%2C%20%22SecureOTACore%22%2C%0D%0A(SourceName%3D%22SecurePaaK%22)%2C%20%22SecurePaaK%22%2C%0D%0A(SourceName%3D%22SecurePayloadCore%22)%2C%20%22SecurePayloadCore%22%2C%0D%0A(SourceName%3D%22SecurePnCCore%22)%2C%20%22SecurePnCCore%22%2C%0D%0A(SourceName%3D%22SecureRekey%22)%2C%20%22SecureRekey%22%2C%0D%0A(SourceName%3D%22SecureSigner%22)%2C%20%22SecureSigner%22%2C%0D%0A(SourceName%3D%22SupplierFeed%22)%2C%20%22SupplierFeed%22%2C%0D%0A(SourceName%3D%22TRON%22)%2C%20%22TRON%22%2C%0D%0A(SourceName%3D%22WSLAgent5%22)%2C%20%22WSLAgent5%22%2C%0D%0A(SourceName%3D%22MMU%22)%2C%20%22MMU%22%2C%0D%0A1%3D%3D1%2C%20%22Other%22)%0D%0A%7C%20where%20AppName%3D&quot;$click.name2$&quot;&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown>

great - I removed the "|u" from the token in the link, in case that might not escape the double quotes, but the search window went back to jsut showing the token name, not value.  I put the "|u" back, but the search window is now persisting showing the token name, not value.  it's almost like the splunk xml parser is behaving inconsistently.

I tried removing all my custom xml & use the drilldown ui to generate the evals.  then I went to the xml to add the link back in.  interestingly, the value for the token app_query is getting passed to the new search window, but it is url escaped, so the query returns no results.  

just tried, same result <form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Across Time</title> <chart> <search> <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") | eval AppName = case( (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", (source="Cloud.SecurePnC"), "Cloud_SecurePnC", (source="ivssspd"), "SecurePackageDelivery", (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts", (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect", (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage", (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect", (SourceName="KmsService"), "KmsService", (SourceName="AutoSigner"), "AutoSigner", (SourceName="DebugToken"), "DebugToken", (SourceName="FlashbackCache"), "FlashbackCache", (SourceName="KeyBundler"), "KeyBundler", (SourceName="SecureModuleCore"), "SecureModuleCore", (SourceName="SecureOTACore"), "SecureOTACore", (SourceName="SecurePaaK"), "SecurePaaK", (SourceName="SecurePayloadCore"), "SecurePayloadCore", (SourceName="SecurePnCCore"), "SecurePnCCore", (SourceName="SecureRekey"), "SecureRekey", (SourceName="SecureSigner"), "SecureSigner", (SourceName="SupplierFeed"), "SupplierFeed", (SourceName="TRON"), "TRON", (SourceName="WSLAgent5"), "WSLAgent5", (SourceName="MMU"), "MMU", 1==1, "Other") | timechart usenull=f useother=f limit=0 span=1h count by AppName</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="height">500</option> <option name="refresh.display">progressbar</option> <drilldown target="_blank"> <eval token="app_query">case($click.name2$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",$click.name2$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",$click.name2$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",$click.name2$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",$click.name2$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",$click.name2$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",$click.name2$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",$click.name2$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",$click.name2$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",$click.name2$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",$click.name2$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",$click.name2$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",$click.name2$=="KmsService", "(SourceName=&quot;KmsService&quot;)",$click.name2$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",$click.name2$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",$click.name2$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",$click.name2$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",$click.name2$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",$click.name2$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",$click.name2$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",$click.name2$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",$click.name2$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",$click.name2$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",$click.name2$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",$click.name2$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",$click.name2$=="TRON", "(SourceName=&quot;TRON&quot;)",$click.name2$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",$click.name2$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval> <eval token="start_time">if(isnull($row._time$),$field1.earliest$,$row._time$)</eval> <eval token="end_time">if(isnull($row._time$),$field1.latest$,($row._time$ + $row._span$))</eval> <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query|u$&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown> </chart> </panel> </row> </form>    

Hi @richgalloway , my final tranforms.conf and props.conf looks like this correct if format is not valid [key_value_pair] REGEX = (\w+)=(.*?)(?=\s\w+=|$) FORMAT = $1::$2 props.conf [mysourcetype] category = Custom description = Secret Server  EXTRACT-event_id_name = \|Secret Server\|[^\|]*\|(?<event_id>[^\|]*)\|(?<event_name>[^\|]*)\| #REPORT-key_value_pair = key_value_pair KV_MODE = auto SEDCMD-rm_cs2 = s/(cs2=.*?(cs|\s*$))/\2/ SEDCMD-rm_cs2Label = s/(cs2Label=.*?(cs|\s*$))/\2/ EVAL-group = if(match(cs2, "^Secret Server"), cs2, null()) EVAL-user = if(match(cs2, "^Secret Server"), null(), cs2) Thanks Thanks