Thank you for the insight! I made this modification on my dashboard. However, the drilldown is still not accurately setting the token.  ... View more

Hi, I apologize for the confusion -- I updated the code to be complete. Thank you! ... View more

Hello! Here it is:   <form version="1.1" theme="dark"> <label>Hayabusa Overview</label> <fieldset submitButton="false" autoRun="true"> <input type="time" token="global_time" searchWhenChanged="true"> <label>Global Time Range</label> <default> <earliest>0</earliest> <latest></latest> </default> </input> <input type="dropdown" token="case_token" searchWhenChanged="true"> <label>Case Selector</label> <prefix>index=case_</prefix> <suffix>*</suffix> <fieldForLabel>case</fieldForLabel> <fieldForValue>case</fieldForValue> <search> <query>| tstats count where index=case_* by index | rex field=index "\_(?&lt;case&gt;.*?)\_" | dedup case | table case</query> <earliest>0</earliest> <latest></latest> </search> </input> <input type="multiselect" token="host_token" searchWhenChanged="true"> <label>Host</label> <choice value="*">All Hosts</choice> <fieldForLabel>Host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query>| tstats count where $case_token$ sourcetype=hayabusa by host | table host</query> <earliest>0</earliest> <latest></latest> </search> <initialValue>*</initialValue> <delimiter>, </delimiter> <prefix>host IN (</prefix> <suffix>)</suffix> <valuePrefix>"</valuePrefix> <valueSuffix>"</valueSuffix> <default>*</default> </input> </fieldset> <row> <panel> <table> <title>Top Informational Alerts</title> <search> <query>| tstats count where $case_token$ sourcetype=hayabusa $host_token$ Level=info by RuleTitle | sort -count</query> <earliest>$global_time.earliest$</earliest> <latest>$global_time.latest$</latest> </search> <option name="drilldown">cell</option> <format type="color" field="count"> <colorPalette type="list">[#65778A,#65778A,#65778A,#65778A,#65778A]</colorPalette> <scale type="threshold">0,30,70,100</scale> </format> <drilldown> <set token="form.rule_token">$click.value$</set> </drilldown> </table> </panel> <panel> <table> <title>Top Hosts By Hits</title> <search> <query>| tstats count where $case_token$ sourcetype=hayabusa by host | sort -count</query> <earliest>$global_time.earliest$</earliest> <latest>$global_time.latest$</latest> </search> <option name="drilldown">cell</option> <format type="color" field="count"> <colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#FFFFFF"></colorPalette> <scale type="minMidMax"></scale> </format> <drilldown> <set token="form.host_token">$click.value$</set> </drilldown> </table> </panel> </row> <row> <panel> <title>Hayabusa Hits Overview</title> <input type="multiselect" token="level_token" searchWhenChanged="true"> <label>Level</label> <choice value="*">All Levels</choice> <choice value="info">Info</choice> <choice value="low">Low</choice> <choice value="med">Medium</choice> <choice value="high">High</choice> <choice value="crit">Critical</choice> <default>*</default> <initialValue>*</initialValue> <prefix>Level IN (</prefix> <suffix>)</suffix> <valuePrefix>"</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter>, </delimiter> </input> <input type="multiselect" token="rule_token" searchWhenChanged="true"> <label>Rule</label> <choice value="*">All Rules</choice> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>RuleTitle</fieldForLabel> <fieldForValue>RuleTitle</fieldForValue> <search> <query>| tstats count where $case_token$ $host_token$ sourcetype=hayabusa $level_token$ by RuleTitle | table RuleTitle</query> <earliest>0</earliest> <latest></latest> </search> <prefix>RuleTitle IN (</prefix> <suffix>)</suffix> <delimiter>,</delimiter> <valuePrefix>"</valuePrefix> <valueSuffix>"</valueSuffix> </input> <input type="text" token="search_token" searchWhenChanged="true"> <label>Search</label> <default>*</default> <initialValue>*</initialValue> </input> <input type="text" token="exclude_token" searchWhenChanged="true"> <label>Search (to Exclude)</label> <default>Default Value to Exclude</default> <initialValue>Default Value to Exclude</initialValue> </input> <input type="multiselect" token="channel_token" searchWhenChanged="true"> <label>Channel</label> <fieldForLabel>Channel</fieldForLabel> <fieldForValue>Channel</fieldForValue> <search> <query>| tstats count where $case_token$ sourcetype=hayabusa by Channel</query> <earliest>0</earliest> <latest></latest> </search> <delimiter> </delimiter> <choice value="*">All Channels</choice> <default>*</default> <initialValue>*</initialValue> </input> <html> <p>For <strong>Search</strong> and <strong>Search to Exclude</strong>, delimit with a comma. For example: <strong>term,search phrase</strong> </p> </html> <event> <title>$channel_token$</title> <search> <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query> </search> <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields> <option name="count">50</option> <option name="refresh.display">progressbar</option> <option name="table.drilldown">all</option> <option name="table.sortDirect">asc</option> <option name="table.wrap">1</option> <option name="type">table</option> <drilldown> <set token="form.channel_token">$click.value$</set> </drilldown> </event> </panel> </row> </form>   ... View more

Yes! Here it is: <input type="multiselect" token="channel_token" searchWhenChanged="true"> <label>Channel</label> <fieldForLabel>Channel</fieldForLabel> <fieldForValue>Channel</fieldForValue> <search> <query>| tstats count where $case_token$ sourcetype=hayabusa by Channel</query> <earliest>0</earliest> <latest></latest> </search> <delimiter> </delimiter> <choice value="*">All Channels</choice> <default>*</default> <initialValue>*</initialValue> </input> ... View more

This is what I currently have: <event> <title>$channel_token$</title> <search> <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query> </search> <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields> <option name="count">50</option> <option name="refresh.display">progressbar</option> <option name="table.drilldown">all</option> <option name="table.sortDirect">asc</option> <option name="table.wrap">1</option> <option name="type">table</option> <drilldown> <set token="form.channel_token">$click.value$</set> </drilldown> </event> This does not change the title from $channel_token$ to an actual value. When you say update, is that different from the "set token" feature? ... View more

I currently have a dropdown for the $channel_token$. However, I followed your advice and set the title to $channel_token$. The title does not update when I click on a row or Channel option in the event pane. ... View more

I am using Splunk version 9.4.0. I got rid of the list and raw drilldown options and made sure only table.drilldown was present and set to all. It's still not working. ... View more

It is not solved, thank you for asking! 1. Can you please alert me to what is harmlessly redundant? 2. The token does not work. I used a drilldown to set Channel to click.value (I also tried to set Channel to row.Channel), but it doesn't work.  ... View more

Hello, and thank you for your help! Here is my what my dashboard looks like now: <event> <search> <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query> </search> <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields> <option name="count">50</option> <option name="list.drilldown">none</option> <option name="list.wrap">1</option> <option name="raw.drilldown">none</option> <option name="refresh.display">progressbar</option> <option name="table.drilldown">all</option> <option name="table.sortDirect">asc</option> <option name="table.wrap">1</option> <option name="type">table</option> <drilldown> <condition field="Channel"> <set token="channel_token">$click.value$</set> </condition> </drilldown> </event> Here is what the corresponding search looks like: index=test-index sourcetype=hayabusa host=* Level=* RuleType=* | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details   ... View more

Thank you! I changed from the table command to the fields command.  When I tried to use a drilldown again (set host_token = $row.host$), it still didn't work...any ideas? ... View more

Hi! Thank you for your response. When I take out the table command, only the _time, host, Level, and RuleTitle fields show up. The fields I have included in <fields></fields> don't all show up. ... View more

Hi! Yes, here is the complete search: $case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | table Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details, * Channel is added as a field in the table command, as well as specified in the code: <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTItle, Details</fields> ... View more

Yes! The token are made like this.  Here are some examples. These tokens are working correctly.   <input type="dropdown" token="case_token" searchWhenChanged="true"> <label>Case Selector</label> <fieldForLabel>case</fieldForLabel> <fieldForValue>case</fieldForValue> <search> <query>| tstats count where index=string* by index | table index </query> </search> </input> <input type="multiselect" token="host_token" searchWhenChanged="true"> <label>Host</label> <fieldForLabel>Host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query>| tstats count where $case_token$ by host |table host</query> </search> </input> What isn't working is the creation of the $channel_token$ made with the drilldown. I think it might be because I'm using an event pane and not a table pane. ... View more

Hi! Thank you for the resources! I have been reviewing them, as well as doing other search. I still am unsure, so any specific help you can offer is appreciated. ... View more

Perfect, that worked for the URL and setting the tokens. However, the search on the second dashboard (operating system), still says "Search is waiting for input..." ... View more

I did this, but it still doesn't work. When I click on the link, this is the URL that flashes: /apps/apps/operating_system_artifacts?form.case_token=index=index_burns*&form.host_name=$host_name$ Then, immediately after, it changes to: /apps/apps/operating_system_artifacts?form.case_token=index&form.host_name=%24host_name%24 Do you think the issue could be how the multi-select token works? ... View more

It brings me to the next dashboard, but the tokens aren't set. ... View more

Here is the initial dashboard: <form version="1.1" theme="dark"> <label>Case Overview</label> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="case_token" searchWhenChanged="true"> <label>Case Selector</label> <prefix>index=virtuoso_</prefix> <suffix>*</suffix> <fieldForLabel>case</fieldForLabel> <fieldForValue>case</fieldForValue> <search> <query>| tstats count where index=index_* by index | rex field=index "\_(?&lt;case&gt;.*?)\_" | dedup case | table case</query> <earliest>0</earliest> <latest></latest> </search> </input> <input type="time" token="global_time"> <label>Global Time Range</label> <default> <earliest>0</earliest> <latest></latest> </default> </input> <input type="dropdown" token="host_token" searchWhenChanged="true"> <label>Host</label> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query>| tstats count where $case_token$ by host | table host</query> <earliest>0</earliest> <latest></latest> </search> </input> </fieldset> <row> <panel> <html><div> <a target="_blank" href="/app/app/operating_system_artifacts?case_token=$case_token$&amp;host_name=$host_name$">&lt;h1&gt;Operating System Artifacts&lt;/h1&gt;</a> </div></html> </panel> </row> </form> Here is the connecting dashboard: <dashboard version="1.1" theme="dark"> <label>Operating System Artifacts</label> <row> <panel> <html encoded="1">&lt;h1&gt;Prefetch&lt;/h1&gt;</html> </panel> </row> <row> <panel> <table> <title>Prefetch Files</title> <search> <query>$case_token$ host=$host_token$ | table ApplicationPath, LastRun, TimesRan</query> <earliest>$global_time.earliest$</earliest> <latest>$global_time.latest$</latest> </search> <option name="count">10</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <format type="color" field="ApplicationPath"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> </table> </panel> </row> </dashboard> ... View more

I made a typo in my post, so here is the actual version. Thank you in advance for your help! <row> <panel> <html><div> <a target="_blank" href="/app/app/operating_system?form.case_token=$case_token$&amp;form.host_name=$host_name$">Operating System Artifacts</a> </div></html> </panel> </row> ... View more

Hi, I'd like to keep it an event and not a table. ... View more

I'm using a Classic Dashboard. This is my XML: <event> <search> <query>index=index | fields - _time | table ApplicationName, ApplicationPath, LastRun</query> </search> <fields>ApplicationName, ApplicationPath, LastRun</fields> <option name="type">table</option> </event> ... View more

Hi, This removes the values of _time, but not the column header for me. Any ideas? ... View more

Thank you! That works! Now, is there a way to select multiple of the values in the table and have multiple values set with the token? So, for example, if the Rules in the Critical Table are "Defender Alert" and "Antivirus Hacktool Detected", and I click on both of them, is there a way to have these both assigned to the token rule_token and appear in the multiselect? Please let me know if that makes sense! ... View more