Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a PIE chart for multiple subsearches?

vkumar6
Explorer
‎02-13-2018 04:05 AM

Hi

How can I create a PIE chart using multiple subsearches?

notable | search source="ENV: Windows Privilege Escalation" OR source="ENV:interactive login" OR source="Env:Concurrent Login Attempts Detected" | stats count as Win | appendcols [search notable | search source="ENV*virus" OR source=malware| stats count as AV] | appendcols [search notable | search source="env*intrusion" | stats count as Intrusion] | appendcols [search notable | search source="env*email" | stats count as Email] | appendcols [search notable | search source="env*vul" | stats count as Vuler]

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎02-13-2018 12:44 PM

Try this 

`notable` | search source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*"  | stats count | eval Type="Win" | append  [search `notable` | search source="*ENV*virus*" OR source=*malware*| stats count | eval Type="AV"] | append [search `notable` | search source="*env*intrusion*" | stats count | eval Type="Intrusion" ] | append [search `notable` | search source="*env*email*" | stats count | eval Type="Email" ] | append [search `notable` | search source="*env*vul*" | stats count | eval Type="Vuler"]

OR Better...

`notable` 
| search (source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*" ) OR (source="*ENV*virus*" OR source=*malware*) OR (source="*env*intrusion*") OR (source="*env*email*") OR (source="*env*vul*")
| eval Type=case((source="*ENV: Windows Privilege Escalation*" OR source="*ENV:interactive login*" OR source="*Env:Concurrent Login Attempts Detected*" ),"Win",(source="*ENV*virus*" OR source=*malware*),"AV", (source="*env*intrusion*"),"Intrusion", (source="*env*email*") ,"Email", (source="*env*vul*"),"Vulenr")
| stats count by Type
0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...