I have a search that looks like:
sourcetype="_sort" earliest=-30d
| dedup host
| where encrypt_c =2
| eval encrypt_c=if(encrypt_c != "2","False",encrypt_c)
| eval encrypt_c=if(encrypt_c = "2","True",encrypt_c)
| rename host as "Serial Number" encrypt_c as "Encryption Complete"
| table "Serial Number" "Encryption Complete"
What I really want now is a pie chart that would show the counts of where encrypt_c=2 and where encrypt_c!=2 in a pie chart
Hi,
Test this:
sourcetype="_sort" earliest=-30d| dedup host | where encrypt_c =2 |eval encrypt_c=if(encrypt_c != "2","False",encrypt_c) | eval encrypt_c=if(encrypt_c = "2","True",encrypt_c) | rename host as "Serial Number" encrypt_c as "Encryption Complete"| stats count by "Encryption Complete"
After doing this, select the pie chart visualization. You will see the count of these different values.
Hi chadman,
Copy and test this XML code:
<dashboard>
  <label>enter a label</label>
  <description/>
  <row>
    <panel>
      <chart>
        <title>enter a title</title>
        <search>
          <query>
sourcetype="_sort" earliest=-30d |where encrypt_c =2| dedup host |stats count as "num_encrypt=2" |appendcols[search sourcetype="_sort" earliest=-30d |where encrypt_c !=2| dedup host |stats count as "num_encrypt!=2" ]
| rename host as "Serial Number" encrypt_c as "Encryption Complete"|table "Serial Number" "Encryption Complete" "num_encrypt=2" "num_encrypt!=2"
          </query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</dashboard>
Try this:
sourcetype="_sort" earliest=-30d| dedup host | stats count(eval(encrypt_c =2)) AS encrypted count(eval(encrypt_c!=2)) AS unencrypted | transpose
Perfect! That worked great.
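An added example, not from any poster in this thread: a variant that labels every deduplicated host and counts by label, so the result is already in the label/value shape a pie chart expects. It also puts hosts with no encrypt_c value into their own slice, because a comparison against a missing field is neither true nor false and such hosts fall out of both count(eval(...)) totals. The EXAMPLE-SN hosts are constructed sample data, and the status field and its three label strings are assumptions.

```spl
| makeresults count=4
| streamstats count AS n
| eval host="EXAMPLE-SN-".n
| eval encrypt_c=case(n==1, 2, n==2, 1, n==4, 2)
| dedup host
| eval status=case(isnull(encrypt_c), "Not reported", encrypt_c==2, "Encrypted", true(), "Not encrypted")
| stats count BY status
```

To run it against real data, replace the first four lines with the thread's base search, sourcetype="_sort" earliest=-30d, and keep everything from dedup host onward.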