index=timswindows sourcetype=ActiveDirectory
[search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-"
| dedup Account_Name
| stats values(Account_Name) as sAMAccountName]
| dedup distinguishedName
| fields sAMAccountName, distinguishedName, host
| chart count by distinguishedName
The field in question is "distinguishedName".
There are about 4 possible keywords that could be in this field.
How do I filter them out in the chart?
It should work the way that you have it. What exactly is the problem? Post sample events and a mockup of your desired outcome when you follow up.
The output I get using the original syntax generates a chart with data from the field "distinguishedName."
The problem is, it shows 34 events. Some are duplicate users but different categories.
Example of events currently in this field:
distinguishedName="CN=JoeSmith,OU=2019,OU=Dinner,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=JoeSmith,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
distinguishedName="CN=TheGrinch,OU=2019,OU=breakfast,OU=Cafeteria,DC=nnv,DC=doi,DC=net"
In the distinguishedName field there are about 4 possible keywords assigned to each user.
I want to search the field for a keyword, then show 4 keyword categories: breakfast, lunch, snack, dinner in my pie chart.
I want my pie chart to show how many times a "dinner" event occurred. This way I won't see Joe's name 20 times on the chart. He will show up as one event for dinner and twice under snack.
The chart will only show 4 keyword categories:
breakfast - 1
lunch - 0
snack - 2
dinner - 1
You need to add the transforming command i.e.
| stats count by distinguishedName.
Check the Statistics table after running the search to make sure that a single series is generated. The table should have two columns.
DistinguishedName and its values.
After this click on the visualization tab and click on Pie chart.
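Added example, not part of any post in this thread: one way to get the four-category pie chart described in the question is to extract the meal OU from distinguishedName with rex and count by that extracted value instead of by the full DN. The field name category is an assumption introduced here; the four sample DNs from the thread are embedded with makeresults so the search runs without the timswindows index, and the append step seeds a zero row so that a category with no events (lunch) still appears in the Statistics table.

```spl
| makeresults
| eval distinguishedName=split("CN=JoeSmith,OU=2019,OU=Dinner,OU=Cafeteria,DC=nnv,DC=doi,DC=net|CN=JoeSmith,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net|CN=TheGrinch,OU=2019,OU=snack,OU=Cafeteria,DC=nnv,DC=doi,DC=net|CN=TheGrinch,OU=2019,OU=breakfast,OU=Cafeteria,DC=nnv,DC=doi,DC=net", "|")
| mvexpand distinguishedName
| dedup distinguishedName
| rex field=distinguishedName "(?i)OU=(?<category>breakfast|lunch|snack|dinner),"
| eval category=lower(category)
| stats count by category
| append
    [| makeresults
     | eval category=split("breakfast,lunch,snack,dinner", ","), count=0
     | mvexpand category
     | fields category count]
| stats sum(count) as count by category
```

Against real data, replace the first three lines with the original base search up to and including `| dedup distinguishedName`. The (?i) flag and lower() are there because the sample DNs mix "Dinner" and "snack" casing.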