I want to set up a Bar graph that displays more than just the count and 1 field (only when hovering over it). For example I use: search | stats count by Risk This shows me the risks I have for each event. I use this search to see results for High medium and low risks for servers with vulnerabilities. However if I use: search | stats count by Risk, Servers The bar graph looks really small and almost impossible to read since it's displaying all servers and risks. How do I set it up so it displays just the risks on the actual graph BUT also shows me the servers if I hover over my mouse to that specific bar? ... View more

So, I want to create a table where it shows the time, source IP, and URL. sourcetype=* src_ip=* url=* | table _time, src_ip, url The search runs fine however the URL comes back with a long string. Example= https://www.google.com/xxx_xxx?atyp=csi&ei=tWelWaipKMOJmQGb_Lr4Cg&s=newtab&action=update&ima=1&ime=0&mem=ujhs.10%2Ctjhs.10%2Cjhsl.2190&rt=aft.7%2Cxhr.191%2Cwsrt.326%2Ccst.0%2Cdnst.0%2Crqst.11%2Crspt.1%2Crqstt.146%2Crnt.130%2Ccstt.130%2Cdit.219&zx=1504023844621 Is there a way to trim the string from the URL to only show up to google.com/xxx_xxx? ... View more

I've created a dashboard that can help find users based of IP or Host. How do I add a searchbox to this dashboard so I can just enter either a username or IP and find their information? Thanks! My search: sourcetype=WinEventLog:Security user=* src_nt_host=* | table _time, src_ip user, src_nt_host, host Each time I try to add an input (text) to do a search for an ip or host it doesn't run the search, not sure if I entered the token correctly? Please advise! Thanks! ... View more

I'm trying to create a report where it shows the date and time; however, when it comes to time I just want it to display the hour and minutes, not the seconds. Is there a way to do that? ... View more