Hi,
First-time poster here; I've been lurking for too long and I just can't seem to understand where I am going wrong here...
I have created a cluster map that displays the frequency of observed comms with 'bad IPs'. I want to run a search that will return any IPs that have communicated with the selected bad IP on click; however, I'm having an issue unsetting the token for a drilldown, although I am not getting any errors in the XML. It is constantly set at the first value I ever clicked on.
Can anyone see any errors related to the unset in my XML?
Thanks for your help in advance.
<dashboard>
  <label>Bad IPs</label>
  <row>
    <panel>
      <title>Blacklisted IPs Observed</title>
      <map>
        <search>
          <query>| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic GROUPBY All_Traffic.src_ip
| rename All_Traffic.src_ip as HostAddress
| lookup bad_ip.csv HostAddress OUTPUT HostAddress as ip
| search ip=*
| append
    [| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic GROUPBY All_Traffic.dest_ip
    | rename All_Traffic.dest_ip as HostAddress
    | lookup bad_ip.csv HostAddress OUTPUT HostAddress as ip
    | search ip=*]
| iplocation ip
| geostats globallimit=0 count by ip</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="mapping.type">marker</option>
        <drilldown>
          <set token="ip_token">$click.name$</set>
          <!-- the <link> element must be closed before <unset>, otherwise the unset ends up inside the link text -->
          <link target="_blank">search?q=| datamodel Network_Traffic All_Traffic search| search All_Traffic.src_ip=$ip_token|s$ OR All_Traffic.dest_ip=$ip_token|s$
| table All_Traffic.src_ip ,All_Traffic.dest_ip
| rename All_Traffic.src_ip as Source, All_Traffic.dest_ip as dest_ip
| stats values(dest_ip) as "Destination" by Source&amp;earliest=-24h@h&amp;latest=now</link>
          <unset token="ip_token"></unset>
        </drilldown>
      </map>
    </panel>
  </row>
</dashboard>
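A small lint script I would run over a Simple XML dashboard before chasing token problems, added here as an example and not part of the original post: it checks that the XML is well-formed (an unclosed <link> is rejected by the parser) and, for each <drilldown>, flags tokens that a <link> target references but the same drilldown also unsets or never sets. The embedded dashboard is a constructed, trimmed version of the one above.

```python
"""Lint Splunk Simple XML drilldowns for token-handling mistakes (added example)."""
import re
import xml.etree.ElementTree as ET

# Matches $name$ and $name|filter$ (e.g. $ip_token|s$, $click.name$)
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+?)(?:\|[a-z]+)?\$")

# Constructed sample with the same drilldown shape as the posted dashboard.
SAMPLE = """<dashboard>
  <row><panel><map>
    <drilldown>
      <set token="ip_token">$click.name$</set>
      <link target="_blank">search?q=search src=$ip_token|s$ OR dest=$ip_token|s$</link>
      <unset token="ip_token"></unset>
    </drilldown>
  </map></panel></row>
</dashboard>"""


def is_well_formed(xml_text):
    """True when the dashboard parses; a missing </link> makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def tokens_in(text):
    """Return the set of token names referenced in a link target."""
    return set(TOKEN_RE.findall(text or ""))


def lint_drilldowns(xml_text):
    """Return (drilldown index, message) findings for token use in <link> targets."""
    root = ET.fromstring(xml_text)
    findings = []
    for idx, dd in enumerate(root.iter("drilldown")):
        set_tokens = {e.get("token") for e in dd.findall("set")}
        unset_tokens = {e.get("token") for e in dd.findall("unset")}
        for link in dd.findall("link"):
            used = tokens_in(link.text)
            # A link that depends on a token the same drilldown clears is suspicious
            for tok in sorted(used & unset_tokens):
                findings.append((idx, f"link uses ${tok}$ but the drilldown unsets it"))
            # Click tokens ($click.*$) are provided by Splunk; anything else needs a <set>
            for tok in sorted(used - set_tokens):
                if not tok.startswith("click."):
                    findings.append((idx, f"link uses ${tok}$ which is never set here"))
    return findings
```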