Channel: Latest Questions on Splunk Answers

Sideview if statement to assign a new token


So here's my problem: I have timecharts of failed authentications for the past hour. I drill down off of that with a Sideview Pulldown list to show either users or hosts at the selected time window. At this point I want to drill down again.

Here's the rub: I need this new drilldown to take the token of the first, and top value by the second option. Let me give an example.

I have two options on the first drilldown: top host, or top user. My second drilldown will take the selected value (say userX) and _time, add them to the search, then take the token from the first drilldown and assign a second token based on the value (i.e. token 1 = user, so eval s=if(token1="user", host, user)) and use the second token to TOP the search.

Any help you all can give is greatly appreciated.


UPDATE:

Maybe I should re-clarify: that part of the drilldown is not the problem. It's when I'm using the top values to sort by the opposite of what the selected pulldown was.

(index=windows_security EventCode="4625") OR (index=unix OR index=unix_secure eventtype="failed_login" host!=snmpprod*) $selectedSort2$="$click.value$" | eval sort = if("$selectedSort2$"="host", "Account_Name", "host") | top $sort$

But $sort$ doesn't work, though the eval function is working. Any thoughts?

