Hey All

I have this search, and I want two results on my visualization. I want to see both "Method" and "User". What is missing here

index=XXX sourcetype="XXX:XXX:message" data.logName="projects/*/logs/cloudaudit.googleapis.com%2Factivity" data.resource.labels.project_id IN (*) AND (
data.resource.type IN(*) (data.protoPayload.methodName IN ("*update*","*patch*","*insert*" ) AND data.protoPayload.authorizationInfo{}.permission IN ("*update*","*insert*"))
OR (data.resource.type IN(*) (data.protoPayload.methodName IN ("*create*", "*insert*") AND data.protoPayload.authorizationInfo{}.permission="*create*"))
OR (data.resource.labels.project_id IN (*) AND data.resource.type IN(*) data.protoPayload.methodName IN (*delete*)))
| eval name1='data.protoPayload.authorizationInfo{}.resourceAttributes.name'
| eval name2='data.protoPayload.authorizationInfo{}.resource'
| eval Name=if(name1="-", name2,name1)
|search Name!="-"
| rename data.protoPayload.methodName as Method, data.resource.type as "Resource Type", data.protoPayload.authorizationInfo{}.permission as Permission, data.timestamp as Time, data.protoPayload.authenticationInfo.principalEmail as User, data.protoPayload.requestMetadata.callerIp as "Caller IP"
| timechart count by Method