Table SPL: | advhunt cred=all renew=True query="DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has 'file.exe'
| project DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName"
| spath input=_raw
| stats count by AccountName,DeviceName
| sort -count Source Code of Panel: {
"type": "splunk.table",
"options": {
"count": 100,
"dataOverlayMode": "none",
"drilldown": "none",
"showRowNumbers": false,
"showInternalFields": false
},
"dataSources": {
"primary": "ds_xxxxx"
},
"title": "File.exe (Last 30 Days)",
"eventHandlers": [
{
"type": "drilldown.linkToSearch",
"options": {
"query": "| inputlookup lookuptable where field1=$row.user.value$\n| table field1, field2",
"earliest": "auto",
"latest": "auto",
"type": "custom",
"newTab": true
}
}
],
"context": {},
"showProgressBar": false,
"showLastUpdated": false
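} SPL for search on click: | inputlookup lookuptable where field1="$row.AccountName.value$"
``` Drilldown row tokens take the form $row.<field>.value$ and must name a field the table SPL actually emits: its final stats produces count, AccountName and DeviceName, so "user" resolves to nothing and the where clause matches no rows. The token is quoted so a value containing spaces is still compared as one string; a value containing a double quote would still need escaping before it is spliced into the search. ```
| table field1, field2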