I have a timechart visualization using a by clause to display two different data sets. Think the number of successful logons and failed logons over time displayed on the same chart...
For example:
action=logon_failure OR action=logon_success | timechart count by action
I want the timechart to have drilldown capability so that when someone clicks on a portion of the chart, a new panel displays the list of usernames that generate that value in the timechart.
I have no problems creating the "pop up" panel using the depends flag, and no problems setting tokens to grab the earliest and latest time values based on the user's click. But how do I capture which by clause attribute the user clicked? How do I pass the "logon_failure" or "logon_success" value so I can use it to filter the search results that drive the new panel?
Any guidance is appreciated. Thanks in advance.
~Wes
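
An added example, not part of the original post: a Simple XML dashboard in which the chart's drilldown stores the clicked series name (the value of the by field) from the predefined `$click.name2$` token and passes it to the dependent panel. The token names `sel_action`, `sel_earliest` and `sel_latest`, the `user` field, the chart type and the 24-hour time range are assumptions.

```xml
<dashboard>
  <label>Logon activity (constructed example)</label>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Search from the post; scope it with your own index/sourcetype -->
          <query>action=logon_failure OR action=logon_success | timechart count by action</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <drilldown>
          <!-- click.name2 is the clicked series name, here the value of "action" -->
          <set token="sel_action">$click.name2$</set>
          <!-- earliest/latest bound the clicked time bucket -->
          <set token="sel_earliest">$earliest$</set>
          <set token="sel_latest">$latest$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <!-- Hidden until the drilldown sets sel_action -->
    <panel depends="$sel_action$">
      <title>Users with $sel_action$ in the selected interval</title>
      <table>
        <search>
          <!-- The |s filter wraps the token value in quotes; "user" is an assumed field name -->
          <query>action=$sel_action|s$ | stats count by user | sort - count</query>
          <earliest>$sel_earliest$</earliest>
          <latest>$sel_latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```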