How to create a PIE chart for multiple subsearches...

vkumar6 · ‎02-13-2018

Hi

How can I create a PIE chart using multiple subsearches?

somesoni2 · ‎02-13-2018

Try this

`notable` | search source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*"  | stats count | eval Type="Win" | append  [search `notable` | search source="*ENV*virus*" OR source=*malware*| stats count | eval Type="AV"] | append [search `notable` | search source="*env*intrusion*" | stats count | eval Type="Intrusion" ] | append [search `notable` | search source="*env*email*" | stats count | eval Type="Email" ] | append [search `notable` | search source="*env*vul*" | stats count | eval Type="Vuler"]

OR Better...

`notable` 
| search (source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*" ) OR (source="*ENV*virus*" OR source=*malware*) OR (source="*env*intrusion*") OR (source="*env*email*") OR (source="*env*vul*")
| eval Type=case((source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*" ),"Win",(source="*ENV*virus*" OR source=*malware*),"AV", (source="*env*intrusion*"),"Intrusion", (source="*env*email*") ,"Email", (source="*env*vul*"),"Vulenr")
| stats count by Type

How to create a PIE chart for multiple subsearches?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?