@niketn Now I am getting the alertstatus. But I need to get the _time in the x axis also. I tried adding the below code, but not working. Could you please suggest the modifications required. Thanks in advance <dashboard> <label>Test_Security_PARC_Roles_Drilldown</label> <row> <panel> <chart> <search> <query>index="index1" sourcetype=table1 source=table1-DH1 | spath | rename message.JOBNAME as JOBNAME, message.JOBSPOOL{}.* as * | mvexpand LINE | search LINE="*Role*" | search LINE="*|*" | eval USERNAME=trim(mvindex(split(LINE,"|"),1)), DATE=mvindex(split(LINE,"|"),2), TIME=mvindex(split(LINE,"|"),3), PERFORMEDBY=mvindex(split(LINE,"|"),4), ACTION=mvindex(split(LINE,"|"),5), ROLE=trim(mvindex(split(LINE,"|"),6)), ROLENAME=trim(mvindex(split(LINE,"|"),7)) | dedup LINE | fields USERNAME DATE TIME PERFORMEDBY ACTION ROLE ROLENAME | table DATE USERNAME ROLE ACTION PERFORMEDBY ROLENAME | join USERNAME [search index="index1" sourcetype=*table2* message.SID = "DH1" | rename message.SID as SID, message.VALUE as table2_DATA | eval mvf1 = split(table2_DATA, ";") | eval USERNAME=trim(mvindex(mvf1,0)) | eval GROUP=mvindex(mvf1,1) | eval VALIDTO=mvindex(mvf1,2) | eval VALIDFROM=mvindex(mvf1,3) | eval LASTLOGONTIME=mvindex(mvf1,4) | eval CLIENT=mvindex(mvf1,5) | eval LASTLOGONDATE=mvindex(mvf1,6) | eval LOCKSTATUS=mvindex(mvf1,7) | eval LDATE=strftime(strptime(LASTLOGONDATE, "%Y%m%d"),"%d.%m.%Y")| eval LDATE2=strptime(LASTLOGONDATE, "%Y%m%d") | eval today=strftime(now(),"%d.%m.%Y") | eval lastMo = relative_time(now(),"-90d@d") | fields DATE USERNAME SID CLIENT GROUP VALIDTO LASTLOGONTIME LASTLOGONDATE LOCKSTATUS LDATE today 90days lastMo LDATE2 | dedup USERNAME | fields USERNAME GROUP ] | join type=outer [search index="index1" sourcetype=table3 source=table3-DH1 | rename message.SID as SID, message.VALUE as ROLE_DATA | eval mvf1 = split(ROLE_DATA, ";") | eval ROLE=trim(mvindex(mvf1,0)), MODIFIED=trim(mvindex(mvf1,1)) | fields ROLE MODIFIED ] |eval AlertStatus=if( MODIFIED = 'X', "RISK", "NO_RISK") | eval _time=strftime(strptime(DATE,"%d.%m.%Y"),"%Y-%m-%d %H:%M:%S")|chart count over _time by AlertStatus</query> <earliest>0</earliest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.abbreviation">none</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.abbreviation">none</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.abbreviation">none</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">column</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.mode">standard</option> <option name="charting.legend.placement">right</option> <option name="charting.lineWidth">2</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <drilldown> <set token="token1">$click.name2$</set> <set token="token2">$click.value$</set> </drilldown> </chart> </panel> </row> <row depends="$token1$,$token2$" > <panel> <table> <title>User Roles</title> <search> <query>index="index1" sourcetype=table1 source=table1-DH1 | spath | rename message.JOBNAME as JOBNAME, message.JOBSPOOL{}.* as * | mvexpand LINE | search LINE="*Role*" | search LINE="*|*" | eval USERNAME=trim(mvindex(split(LINE,"|"),1)), DATE=mvindex(split(LINE,"|"),2), TIME=mvindex(split(LINE,"|"),3), PERFORMEDBY=mvindex(split(LINE,"|"),4), ACTION=mvindex(split(LINE,"|"),5), ROLE=trim(mvindex(split(LINE,"|"),6)), ROLENAME=trim(mvindex(split(LINE,"|"),7)) | dedup LINE | fields USERNAME DATE TIME PERFORMEDBY ACTION ROLE ROLENAME | table DATE USERNAME ROLE ACTION PERFORMEDBY ROLENAME | join type=outer [search index="index1" sourcetype=table3 source=table3-DH1 | rename message.SID as SID, message.VALUE as ROLE_DATA | eval mvf1 = split(ROLE_DATA, ";") | eval ROLE=trim(mvindex(mvf1,0)), MODIFIED=trim(mvindex(mvf1,1)) | fields ROLE MODIFIED ] |eval AlertStatus=if( MODIFIED = 'X', "RISK", "NO_RISK") | eval date2=strftime(strptime(DATE,"%d.%m.%Y"),"%Y-%m-%d %H:%M:%S")| where AlertStatus="$token1$" AND date2="$token2$" </query> <earliest>0</earliest> <latest></latest> </search> </table> </panel> </row> </dashboard>
... View more