Hi
How can I create a pie chart using multiple subsearches?
`notable`
| search source="ENV: Windows Privilege Escalation" OR source="ENV:interactive login" OR source="Env:Concurrent Login Attempts Detected"
| stats count as Win
| appendcols [search `notable` | search source="ENV*virus" OR source=malware | stats count as AV]
| appendcols [search `notable` | search source="env*intrusion" | stats count as Intrusion]
| appendcols [search `notable` | search source="env*email" | stats count as Email]
| appendcols [search `notable` | search source="env*vul" | stats count as Vuler]
Try this
`notable`
| search source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*"
| stats count
| eval Type="Win"
| append [search `notable` | search source="*ENV*virus*" OR source=*malware* | stats count | eval Type="AV"]
| append [search `notable` | search source="*env*intrusion*" | stats count | eval Type="Intrusion"]
| append [search `notable` | search source="*env*email*" | stats count | eval Type="Email"]
| append [search `notable` | search source="*env*vul*" | stats count | eval Type="Vuler"]
Or better...
`notable`
| search (source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*" ) OR (source="*ENV*virus*" OR source=*malware*) OR (source="*env*intrusion*") OR (source="*env*email*") OR (source="*env*vul*")
| eval Type=case(match(source, "(?i)ENV: Windows Privilege Escalation|ENV:interactive login|Env:Concurrent Login Attempts Detected"), "Win", match(source, "(?i)ENV.*virus|malware"), "AV", match(source, "(?i)env.*intrusion"), "Intrusion", match(source, "(?i)env.*email"), "Email", match(source, "(?i)env.*vul"), "Vuler")
| stats count by Type
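The second approach in the answer replaces the subsearches with a single pass that buckets each notable into a Type with eval case() and then counts by Type. The following is an added Python reference implementation of that bucketing, not code from the original post or from Splunk, written to make two behaviours of case() visible: conditions are evaluated top to bottom and the first match wins, and the matching is unanchored and case-insensitive (as the search command's source="*ENV*virus*" wildcards are). It goes slightly beyond the answer by routing any source that matches no rule into an "Other" bucket, so notables that the search filter would silently drop still show up in the counts. The sample source values are constructed for the example and are not real notable data.

```python
import re
from collections import Counter

# Ordered (pattern, Type) pairs mirroring the eval case() clauses in the answer.
# First match wins, as case() evaluates its conditions top to bottom.
# Patterns are unanchored and case-insensitive, like search's source="*ENV*virus*".
TYPE_RULES = [
    (re.compile(r"ENV: Windows Privilege Escalation|ENV:interactive login|Env:Concurrent Login Attempts Detected", re.I), "Win"),
    (re.compile(r"ENV.*virus|malware", re.I), "AV"),
    (re.compile(r"env.*intrusion", re.I), "Intrusion"),
    (re.compile(r"env.*email", re.I), "Email"),
    (re.compile(r"env.*vul", re.I), "Vuler"),
]


def classify(source: str) -> str:
    """Return the Type bucket for a notable's source value.

    Unlike the answer's search filter, an unmatched source is returned as
    "Other" instead of being discarded, so gaps in the rule set are visible.
    """
    for pattern, type_name in TYPE_RULES:
        if pattern.search(source):
            return type_name
    return "Other"


def count_by_type(sources):
    """Equivalent of '| stats count by Type': bucket each source, then count."""
    return dict(Counter(classify(s) for s in sources))


# Constructed sample of notable 'source' values (example data, not real notables).
SAMPLE_SOURCES = [
    "ENV: Windows Privilege Escalation",
    "env:interactive login",                 # case differs; still matches Win
    "ENV - Antivirus Alert",
    "Malware Detected on Host",
    "ENV IDS Intrusion Signature",
    "ENV Email Phishing Report",
    "ENV Vulnerability Scan Critical",
    "ENV Vulnerable Service Exposed",
    "Brute Force Against SSH",               # matches no rule -> Other
]

if __name__ == "__main__":
    # Rows in this dict are what a pie chart over "count by Type" would render.
    for type_name, count in sorted(count_by_type(SAMPLE_SOURCES).items()):
        print(f"{type_name}: {count}")
```

Rule order matters: a source whose name mentions both "virus" and "intrusion" is counted under AV, because that rule comes first, exactly as the equivalent case() would do. If the "Other" bucket is non-empty in practice, the rule list (or the search filter in the answer) is missing a notable source and the pie chart is under-reporting.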