Looks like drilldown works ok on single source searches. My situation is the search contains two sources joined together throgh different columns using eval and sub search as following:
source="sample1.csv"| eval joinid=if(isnotnull(key), key, "Incident") | join joinid [search source="sample2.csv"| eval joinid=if(isnotnull(Key), Key, "Jira")] | bucket _time span=1h | stats count as incidents, count(Key) as jiras, count(Issue_Links) as clonedjira by _time
Anyway can drill down from on this search?
... View more