Did you manage to get this working or did you end up keeping the "manual" way? ... View more

Hi spike021 The SimpleXML element you are looking for is called drilldown. Full reference on this element can be found here: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#Drilldown_elements There is also a section on the tokens available for tables here: http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#table_.28event_tokens.29 To do what you want to do, the SimpleXML would look something like this: <table> <searchString>index=_internal</searchString> <!-- Pass the clicked row's 'count'-column value --> <!-- to populate a destination form's 'foo' token. --> <drilldown> <link> /app/search/search?q=search index=_internal $row.field1$ | stats count </link> </drilldown> </table> field1 is the name of the field in the table and clicking it would open a new search with the value added to the custom search. If this answer is what you were looking for, please mark it as Answered. j ... View more

Ok then, try with this one, NOT "\"IMPORTANT\": {}," | rex mode=sed "s/...//g" | rex max_match=0 field=_raw "(?s)(?!\IMPORTANT\":\s{)\s{9,}\"(?.?)\":" | rex max_match=0 field=_raw "(?s)(?!\IMPORTANT\":\s{)\s{9,}.?(?::|:\s+)(?\d+)" | table timestamp KEYS VALUES Let me know if it works. EDIT: Improved. You have to scape quotation marks after the NOT operator, notice the doble quotes. This will filter events without "KEYS". ... View more