I have the following query:
index=msahc sourcetype=msahc_raw | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search ACT | eval DateTime=_time | convert timeformat="%x" ctime(DateTime) | bucket DateTime span=1d | rename "IDM Access" as "IDM_Access", "FACTS Database Access" as "FACTS_Database_Access" | table IDM_Access | chart var(Field="IDM_Access") as Fields count(eval(IDM_Access=="False")) as False count(eval(IDM_Access=="True")) as True | append [search index=msahc sourcetype=msahc_raw | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search ACT | eval DateTime=_time | convert timeformat="%x" ctime(DateTime) | bucket DateTime span=1d | rename "IDM Access" as "IDM_Access", "FACTS Database Access" as "FACTS_Database_Access" | table FACTS_Database_Access | chart var(Field="FACTS_Database_Access") as Fields count(eval(FACTS_Database_Access=="False")) as False count(eval(FACTS_Database_Access=="True")) as True]
That generates the following bar chart:
How can I get the bar chart to display the name of the "Fields", such as IDM_Access and FACTS_Database_Access?
1 Solution
