I currently have a search that is appending two more searches to the original for a single line chart that will show the three searches each on a different line. I have looked through documentation and other answer posts, but have yet to find what I'm looking for. I need to be able to rename each line so I can define which is what. From what I have read, the AS command should be renaming, but I'm probably wrong. As a bonus question, is there a way I can define colors for each search that is being done?
index=* sourcetype=fortigate  dstcountry="Russian Federation" | timechart span=1hr as Russia by events  | append [search index=* sourcetype=fortigate dstcountry="Iran, Islamic Republic of"  |  timechart span=1hr as Iran by events ] | append [search sourcetype=fortigate dstcountry=China | timechart span=1hr as China by events  ]

I think what you are really looking for is the split by functionality. You should be able to do this using a single search (no subsearches or appends needed) and then do a timechart count by field. Also, if you need to change the value of the dstcountry field to something a little more user-friendly like you have then you can use a case command in eval.
So you'd want to do something like this:
sourcetype=fortigate (dstcountry="Russian Federation" OR  dstcountry="Iran, Islamic Republic of" OR dstcountry=China)
| eval dstcounrty=case(dstcountry == "Russian Federation","Russia",dstcountry == "Iran, Islamic Republic of", "Iran", dstcountry == "China","China")
| timechart span=1h count by dstcountry

I didn't realize there was no need for an append because they were all the same sourcetype. I understand what is going on, but with the eval and case command with the two quotes, that should be able to change the output name, correct? I tried changing both fields when running the search and neither seemed to change it.

I'm not sure what you're saying. What do you mean by both fields? Are the values for dstcountry not changing correctly based on the case command?

Yes, like you said in the answer, the case command in eval should change the value of dstcountry to something more user-friendly. So instead of "Iran, Islamic Republic of" I would rather just shorten it to Iran. Currently it's defaulting to "Iran, Islamic Republic of".

Might be an issue with unbalanced quotes or how the field value is showing up. Can you post the search you're using and the data?

sourcetype=fortigate (dstcountry="Russian Federation" OR dstcountry="Iran, Islamic Republic of" OR dstcountry=China OR dstcountry="Syrian Arab Republic" OR dstcountry="Saudi Arabia" ) | eval dstcounrty=case(dstcountry == "Russian Federation","Russia",dstcountry== "Iran, Islamic Republic of", "Iran",dstcountry== "China","China", dstcountry== "Syrian Arab Republic","Syria", dstcountry== "Saudi Arabia","Saudi Arabia" ) | timechart span=1h count by dstcountry

Found the problem. I had a typo in my original post. The eval field is typed out "dstcounRTy" instead of dstcounTRy. This creates a second field with a similar looking name and leaves the original field unchanged.

Ahh ok. Totally see that. I made the change and it's working as intended. Thank you again for the help!

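An added illustration, not code from this thread or from Splunk: a small Python model of the accepted answer's pipeline run over constructed FortiGate-style events. timechart_count_by makes one pass over the filtered events and builds one series per dstcountry value, which is why a single search with a split-by replaces the three appended searches; eval_case mimics "eval dstcountry=case(...)", and calling it with the misspelled target dstcounrty reproduces the problem found later in the thread: a second field is created and dstcountry keeps its long value, so the chart still labels the series "Iran, Islamic Republic of". The function names, EVENTS, SELECTED and LABELS are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real FortiGate data): (timestamp, dstcountry).
EVENTS = [
    ("2023-01-01T00:05:00Z", "Russian Federation"),
    ("2023-01-01T00:40:00Z", "Iran, Islamic Republic of"),
    ("2023-01-01T01:10:00Z", "China"),
    ("2023-01-01T01:15:00Z", "Russian Federation"),
    ("2023-01-01T01:50:00Z", "Russian Federation"),
    ("2023-01-01T02:00:00Z", "United States"),  # not in the OR clause, dropped
]

# Equivalent of the search filter:
# (dstcountry="Russian Federation" OR dstcountry="Iran, Islamic Republic of" OR dstcountry=China)
SELECTED = {"Russian Federation", "Iran, Islamic Republic of", "China"}

# Equivalent of the case() clauses in the answer: long name -> short label.
LABELS = {
    "Russian Federation": "Russia",
    "Iran, Islamic Republic of": "Iran",
    "China": "China",
}


def eval_case(event, target_field):
    """Mimic `eval <target_field>=case(...)`.

    The mapped value is written into target_field. If target_field is
    misspelled (e.g. "dstcounrty"), a new field appears and the original
    "dstcountry" is left untouched, which is the bug discussed in the thread.
    """
    ev = dict(event)
    ev[target_field] = LABELS[ev["dstcountry"]]
    return ev


def hour_bucket(ts):
    """span=1h: truncate an ISO-8601 UTC timestamp to the start of its hour."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def timechart_count_by(events, split_field="dstcountry", target_field="dstcountry"):
    """Model of `... | eval target_field=case(...) | timechart span=1h count by split_field`.

    One pass over the events yields one series per distinct value of
    split_field, so no append of per-country searches is needed.
    Returns {hour_bucket: {series_name: count}}.
    """
    table = defaultdict(lambda: defaultdict(int))
    for ts, country in events:
        if country not in SELECTED:
            continue
        ev = eval_case({"_time": ts, "dstcountry": country}, target_field)
        table[hour_bucket(ts)][ev[split_field]] += 1
    return {bucket: dict(cols) for bucket, cols in sorted(table.items())}


if __name__ == "__main__":
    # Correct spelling: series are labelled Russia / Iran / China.
    print(timechart_count_by(EVENTS))
    # Misspelled eval target: dstcountry is unchanged, long names remain.
    print(timechart_count_by(EVENTS, target_field="dstcounrty"))
```

The second call is the failure mode from the thread: the case() result lands in a field nobody charts, and the split-by field still carries the raw values.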
Is events a field?

I don't believe so. I just always assumed either counting by event or events would go by the results or number of events returned.
