I have a Splunk query that finds the top errors in the log using a regular expression. I then display it as a bar chart. The regex returns 10 values for error.
someSearchQuery
| rex "someTerm(?<error>)"
| stats count by error
| sort - count
| head 10
I want to use the values returned by the query in a drilldown, such that clicking on a bar in the chart will display results for that value.
The drilldown XML I used for setting the token is this:
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value">$click.value$</set>
</drilldown>
Then I use this token in the drilldown query as such:
someSearchQuery
| rex "someTerm(?<error>)"
| search error=$selected_value$
| timechart count by errorType span="1m"
| addcoltotals
| rename NULL as count
These error names are too technical, and I want to change them to something general in both the main panel and the drilldown.
For example, if the regex returned the error "ID not found", I want to replace it with "Data_error".
I also want my title to change with the general name:
<title>$selected_value$</title>
But the problem is that when I change the name using eval, the drilldown query doesn't get the actual error name, and the search fails because there is no such error as "Data_error". The query needs "ID not found" to function.
Is there any way this can be achieved? Can I change the name of my searchTerm and at the same time use the old searchTerm in drilldown query as well?