I have specified the following variables to extract from my Symantec DLP system and send them to Splunk.
Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Rules: $POLICY_RULES$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$
The following are the search results using sourcetype=symantec:dlp:syslog:
Feb 21 09:39:11 192.168.1.5 Feb 21 09:40:23 ABCcompany Message = ID: 97712, Policy Violated: IT-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint Removable Storage Device, Recipient: N/A, Sender: N/A, Severity: 1:High, Subject: N/A, Target: N/A, Filename: Confidentail2.txt, Blocked: None, Endpoint: PC_David
Feb 21 09:43:48 192.168.1.5 Feb 21 09:46:23 ABCcompany Message = ID: 97713, Policy Violated: IT-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint Removable Storage Device, Recipient: N/A, Sender: N/A, Severity: 1:High, Subject: N/A, Target: N/A, Filename: Confidentail.txt, Blocked: None, Endpoint: PC_David
Feb 21 09:43:48 192.168.1.10 Feb 21 09:46:23 ABCcompany Message = ID: 97714, Policy Violated: HR-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint HTTPS, Recipient: Unknown, Sender: 192.168.2.122, Severity: 1:High, Subject: N/A, Target: N/A, Filename: N/A, Blocked: None, Endpoint: PC_Ryan
I would like to create a pie chart comparing the number (preferably with percentages) of policies violated, which should be 2 IT-IDM-Policy (66%) and 1 HR-IDM-Policy (33%).
I have extracted a field named "Policy_Violated" with the regular expression ^(?:[^:\n]*:){6}\s+(?P<Policy_Violated>[^,]+), and the expected results are as follows:
Values          Count   %
IT-IDM-Policy   2       66.6
HR-IDM-Policy   1       33.3
But what search command should be used to generate the statistics or visualization results that can then be used to create a pie chart?
Try this search:
sourcetype=symantec:dlp:syslog | stats count by Policy_Violated
Here is a link to all the cool stuff you can do with the stats command: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Stats
I also suggest specifying an index in your search to limit the scope, something like this:
index=<> sourcetype=symantec:dlp:syslog | stats count by Policy_Violated
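The suggested search checked offline against the question's sample lines, as an added example that is not part of the original thread: Python applies the question's extraction regex (with its named group written out), computes the equivalent of stats count by Policy_Violated with a percentage column, and cross-checks the colon-counting regex against a field-based parse so a changed line format is reported rather than silently miscounted. The sample events are constructed from the lines in the question, and the function names are mine.

```python
import re
from collections import Counter

# Sample events constructed to match the format shown in the question (not real DLP output).
SAMPLE_EVENTS = [
    "Feb 21 09:39:11 192.168.1.5 Feb 21 09:40:23 ABCcompany Message = ID: 97712, Policy Violated: IT-IDM-Policy, "
    "Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint Removable Storage Device, Recipient: N/A, "
    "Sender: N/A, Severity: 1:High, Subject: N/A, Target: N/A, Filename: Confidentail2.txt, Blocked: None, Endpoint: PC_David",
    "Feb 21 09:43:48 192.168.1.5 Feb 21 09:46:23 ABCcompany Message = ID: 97713, Policy Violated: IT-IDM-Policy, "
    "Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint Removable Storage Device, Recipient: N/A, "
    "Sender: N/A, Severity: 1:High, Subject: N/A, Target: N/A, Filename: Confidentail.txt, Blocked: None, Endpoint: PC_David",
    "Feb 21 09:43:48 192.168.1.10 Feb 21 09:46:23 ABCcompany Message = ID: 97714, Policy Violated: HR-IDM-Policy, "
    "Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint HTTPS, Recipient: Unknown, Sender: 192.168.2.122, "
    "Severity: 1:High, Subject: N/A, Target: N/A, Filename: N/A, Blocked: None, Endpoint: PC_Ryan",
]

# The positional regex from the question: skip six "...:" segments (the two timestamps give
# four colons, then "ID:" and "Policy Violated:") and capture up to the next comma.
POLICY_RE = re.compile(r"^(?:[^:\n]*:){6}\s+(?P<Policy_Violated>[^,]+)")

def extract_policy(event):
    """Policy_Violated as the regex would extract it, or None if the line does not match."""
    m = POLICY_RE.match(event)
    return m.group("Policy_Violated") if m else None

def parse_message_fields(event):
    """Parse the text after 'Message = ' into {key: value}; splitting on the first ': ' keeps '1:High' intact."""
    body = event.split("Message = ", 1)[1]
    return dict(part.split(": ", 1) for part in body.split(", "))

def policy_breakdown(events):
    """Offline equivalent of '| stats count by Policy_Violated' plus a percentage column.
    Events where the regex and the field parse disagree are returned as mismatched IDs, not counted."""
    counts, mismatches = Counter(), []
    for event in events:
        fields = parse_message_fields(event)
        policy = extract_policy(event)
        if policy != fields.get("Policy Violated"):
            mismatches.append(fields.get("ID"))
            continue
        counts[policy] += 1
    total = sum(counts.values())
    rows = [(p, n, round(100.0 * n / total, 1)) for p, n in counts.most_common()]
    return rows, mismatches

def unresolved_variables(events):
    """Keys whose value still carries the '[UNKNOWN VARIABLE: ...]' marker seen in the
    question's output, i.e. template variables the DLP server did not substitute."""
    return sorted({k for e in events for k, v in parse_message_fields(e).items()
                   if v.startswith("[UNKNOWN VARIABLE:")})
```

The regex counts colons, so a single-timestamp line (fewer than six colons before the policy) fails to match and is reported as a mismatch rather than disappearing from the counts.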
Thank you pkeenan87. It really helps.