Actually the source IP, dest IP, ports and such are all on the same row. The idea is to pick the a value in either field of the row and then get redirected to the proper view. Would the eval string still work? My search term looks like this:
threat_content_name="$threat$" | table _time, threat_content_name, source_address, source_country, source_port, destination_address, destination_country, destination_port, action, actionflags, application, category, eventcount, hostinbound_interface, ip_protocol, linecount, log_action, outbound_interface, repeat_count, rule, seqno, serial_no
... View more