topic How to create a PIE chart for multiple subsearches? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-create-a-PIE-chart-for-multiple-subsearches/m-p/374104#M109964 <P>Hi </P> <P>How can I create a PIE chart using multiple subsearches?</P> <P><CODE>notable</CODE> | search source="<EM>ENV: Windows Privilege Escalation</EM>" OR source="<EM>ENV:interactive login</EM>" OR source="<EM>Env:Concurrent Login Attempts Detected</EM>" | stats count as Win | appendcols [search <CODE>notable</CODE> | search source="<EM>ENV*virus</EM>" OR source=<EM>malware</EM>| stats count as AV] | appendcols [search <CODE>notable</CODE> | search source="<EM>env*intrusion</EM>" | stats count as Intrusion] | appendcols [search <CODE>notable</CODE> | search source="<EM>env*email</EM>" | stats count as Email] | appendcols [search <CODE>notable</CODE> | search source="<EM>env*vul</EM>" | stats count as Vuler] </P> Tue, 29 Sep 2020 18:03:02 GMT vkumar6 2020-09-29T18:03:02Z How to create a PIE chart for multiple subsearches? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-PIE-chart-for-multiple-subsearches/m-p/374104#M109964 <P>Hi </P> <P>How can I create a PIE chart using multiple subsearches?</P> <P><CODE>notable</CODE> | search source="<EM>ENV: Windows Privilege Escalation</EM>" OR source="<EM>ENV:interactive login</EM>" OR source="<EM>Env:Concurrent Login Attempts Detected</EM>" | stats count as Win | appendcols [search <CODE>notable</CODE> | search source="<EM>ENV*virus</EM>" OR source=<EM>malware</EM>| stats count as AV] | appendcols [search <CODE>notable</CODE> | search source="<EM>env*intrusion</EM>" | stats count as Intrusion] | appendcols [search <CODE>notable</CODE> | search source="<EM>env*email</EM>" | stats count as Email] | appendcols [search <CODE>notable</CODE> | search source="<EM>env*vul</EM>" | stats count as Vuler] </P> Tue, 29 Sep 2020 18:03:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-PIE-chart-for-multiple-subsearches/m-p/374104#M109964 vkumar6 2020-09-29T18:03:02Z Re: How to create a PIE chart for multiple subsearches? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-PIE-chart-for-multiple-subsearches/m-p/374105#M109965 <P>Try this </P> <PRE><CODE>`notable` | search source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*" | stats count | eval Type="Win" | append [search `notable` | search source="*ENV*virus*" OR source=*malware*| stats count | eval Type="AV"] | append [search `notable` | search source="*env*intrusion*" | stats count | eval Type="Intrusion" ] | append [search `notable` | search source="*env*email*" | stats count | eval Type="Email" ] | append [search `notable` | search source="*env*vul*" | stats count | eval Type="Vuler"] </CODE></PRE> <P>OR Better...</P> <PRE><CODE>`notable` | search (source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*" ) OR (source="*ENV*virus*" OR source=*malware*) OR (source="*env*intrusion*") OR (source="*env*email*") OR (source="*env*vul*") | eval Type=case((source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*" ),"Win",(source="*ENV*virus*" OR source=*malware*),"AV", (source="*env*intrusion*"),"Intrusion", (source="*env*email*") ,"Email", (source="*env*vul*"),"Vulenr") | stats count by Type </CODE></PRE> Tue, 13 Feb 2018 20:44:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-PIE-chart-for-multiple-subsearches/m-p/374105#M109965 somesoni2 2018-02-13T20:44:29Z