JSESSIONID 

10002lBNXPR_Jbi4oCjxehcclRZ:1dmii9ro4

100034eQfpxxxHlMxC9DQnU3jJh:1dfvt9oj5

...... 700 count

Severity = Error or Critical

Below is the sample event:

unit_hostname="GBWDC142AD011NHA.systems.uk.fed" support_id="5949818439961942897" vs_name="/f5-tenant-01/DARWIN-GBM-UK-UAT/v-darwin-uat.systems.uk.fed-44" policy_name="/Common/waf-fed-transparent" dest_ip="10.146.97.3" dest_port="443" violations="HTTP protocol compliance failed" sub_violations="HTTP protocol compliance failed:Body in GET or HEAD requests" violation_rating="3" attack_type="HTTP Parser Attack" severity="Error" ####### HTTP REQUEST BEGIN ####### "GET /ICMClient/icm/action/actions.json HTTP/1.1 Host: rwin-uat.systems.uk.fed Connection: keep-alive sec-ch-ua-platform: ""Windows"" X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0 sec-ch-ua: ""Microsoft Edge"";v=""131"", ""Chromium"";v=""131"", ""Not_A Brand"";v=""24"" DNT: 1 Content-Type: application/x-www-form-urlencoded sec-ch-ua-mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://darwin-uat.systems.uk.fed/navigator/?desktop=icmUat&feature=Cases&tos=UKUAT_CMTOS2&solution=DWN Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: adUsername=DNc5oBu9KkG0Z9WbdY0YMA; AMToken=W8s9fXK-BZFJwOfUKvHnc1QOiwE.*AAJTSQACMDIAAlNLABxzTGUweUUvUzRRRjZFdDl3Nk8rTlBxbkM4K2s9AAR0eXBlAANDVFMAAlMxAAIwMQ..*; amlbcookie=01; LtpaToken2=tv+zAqV7lpFPFUr8gCWRTnBa+2n6YAaVE4EmZFMyoUQ3KRFFXKYEweRr0q4QwD5aZEb/x9SlmFrQghiQ7ouuQbCJ3wUJ7MTBQvc8O85Q9NQ5IzaJdXNfbSiVsTTJqsww0qprVDSERq+mlE28ZRDuxECH7oD/QpIZoAH5Blk0gNRIfPFOa0e11Ld9CHxwJDtNt3OyqcH0qrKW3b+ieB4mWh+u65GCOyy7EdWhRW6Cryybq/8R7Z6axHE5Gk/8q3PDBxrw/iTvZdB5UXY32wGB8DfYGR4/wc2MsbW5J4MGK8MnYJya/cLzvUJE5clEEmf3P2ef3n0m1lPXC4HartFMo7f/HA2fN0YM78kNLHx78z6EkBnOWI6kUq+EeC+Uz0RsfwoCipLRqdCrhgEofL1wQve9tIHuOrF9sRG62lfmLl67vrYBJDAaDvRE1yC+xLUQfcTfc0bHDxYE2Q9op/DWY6IBOpeZRi4Hmw2nd9R7HzpDB1Jy3HAJPdhEp2bATfPsD2lKYTOCpCcJKGZ3/XEMreEwm970Tz04UZSZ/8MQ86Au+7yVB0WXF+ypFYhXWCWznQfjbdWfKL5u1gxake41N0GdM95XLqydb2JxGQr/V00yqAgu6yh5BNMhhf33rx/I9RxO4jwj/2M3tGjrD0+v5tgVkHVhBA3w7grur118FnAJ7s57A3lDtPjLFjs2w4gZ; JSESSIONID=0000k4OMOHFe-x8tp-F0TmQxoBN:1dmii9ro4; TS01492bb9=0111266d7745aebde115d8e1c57860aa8fb4d2d0645896fc5a6ed9865e53e7eed30bd3d6f3092e028ebe7f89753f63d3e54b8d8646 " ####### HTTP REQUEST END ####### ####### HTTP RESPONSE BEGIN ####### "Response logging disabled" ####### HTTP RESPONSE END ####### response_is_truncated="" ip_client="10.227.31.83" x_forwarded_for_header_value="N/A" method="GET" uri="/ICMClient/icm/action/actions.json" microservice="N/A" query_string="N/A" response_code="200" sig_cves="N/A" sig_ids="N/A" sig_names={N/A} sig_set_names="N/A" staged_sig_cves="N/A" staged_sig_ids="N/A" staged_sig_names="N/A" staged_sig_set_names="N/A" violation_details="<?xml version='1.0' encoding='UTF-8'?> <BAD_MSG> <violation_masks> <block>0-0-0-0</block> <alarm>2400500004500-106200000003e-0-0</alarm> <learn>0-0-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations> <violation> <viol_index>14</viol_index> <viol_name>VIOL_HTTP_PROTOCOL</viol_name> <http_sanity_checks_status>64</http_sanity_checks_status> <http_sub_violation_status>64</http_sub_violation_status> <http_sub_violation>Q29udGVudC1UeXBlIGhlYWRlciBpbiBHRVQgcmVxdWVzdA==</http_sub_violation> </violation> </request-violations> </BAD_MSG>"

Try something like this (assuming JSESSIONID and severity are already extracted)

| timechart dc(JSESSIONID) by severity

I am expecting for a JSESSIONID(s) how many critical and error logs are there and to represent them in visualized manner..

Not in this way. I ran the query you given.

_time Critical Error

ok what else fields I can visualize can you please let me know based on the event I have given.

@Karthikeya 

Based on your logs you can fetch data like 
1. For time chart - This shows how violations are trending over time, with separate lines for successes and failures.
| eval violation_type=if(like(violations, "%failed%"), "Failure", "Success")
| timechart span=1h count by violation_type

2. Bar chart - This shows the top 10 attack types by frequency.
| stats count by attack_type
| sort - count
| head 10

3. Pie or bar chart -
This helps you visualize how often each HTTP response code (e.g., 200, 404, 500) is returned.
| stats count by response_code

4. Bar chart - This shows the most frequently accessed URIs, which could help you understand which endpoints are under attack.
| stats count by uri
| sort - count
| head 10

Hope this works 🙂

This is your data - you should understand what you are working with or find someone in your organisation who does!