So here's my problem: I have timecharts of failed authentications for the past hour. I drill down off of that with a Sideview Pulldown list to show either users or hosts at the selected time window. At this point I want to drill down again.
Here's the rub: I need this new drilldown to take the token of the first, and top value by the second option. Let me give an example.
I have two options on the first drilldown, top host or top user. My second drilldown will take the selected value (say userX) and _time, add them to the search, then take the token from the first drilldown and assign a second token based on the value (i.e. token 1 = user, so eval s=if(token1="user", host, user)) and use the second token to TOP the search.
Any help you all can give is greatly appreciated.
UPDATE:
Maybe I should re-clarify: the search part of the drilldown is not the problem. It's when I'm using the top values function to sort by the opposite of what the selected pulldown was.
(index=windows_security EventCode="4625") OR (index=unix OR index=unix_secure eventtype="failed_login" host!=snmpprod*) $selectedSort2$="$click.value$" | eval sort = if("$selectedSort2$"="host", "Account_Name", "host") | top $sort$
But $sort$ doesn't work, although the eval function is working. Any thoughts?