I am working with Linux auditd events based on the auditd message and field dictionaries, that we call type and field. (You can access the github site for the .csv files that define message and fields.) For example, the macro name AUDIT_ADD_GROUP would be type=add_group and the macros name AUDIT_EXECVE would be type=execve. Now we have fields by type. SGID is the set group ID, so we could have fields called execve.sgid or add_group.sgid depending on the type value of the event. These are just 2 of more than 40 types we are tracking. Now each type will have its own set of applicable fields. For example, there would also be add_group.tty and add_group.proctitle. Is there a way to automatically lop off the prefix of a dot notation field on ingest? We need to standardize these fields to make them CIM compliant for our data model. The only alternative I see for now would be to use COALESCE to solve this problem. (e.g.: eval sgid = coalesce('group_add.sgid', 'execve.sgid')) Doing it this way would see COALESCE expressions with numerous paraeaters.

Hi, I am not sure if this is possible at all or not, but I figured best to ask the experts before I keep spinning in circles. I have created a classic dashboard, and would like to add the ability to toggle the visibility of the column chart data by having the user click on any of the desired legend label of the data series, and the columns belonging to that data visibility gets toggled Off or On.  So in the below example, the column chart is displaying 2 labels in the legend, "Used" and "Discount" at the start, and I would like to have the user toggle that view. I do not have access to the backend server and would like to do everything from the GUI. I would like the user to be able to click on the legend "Used" listed entry, and the column chart would remove the "Used" columns, and only display the "Discount" columns preferably expanded to the width of the column chart. I have seen it occur in one of the other column chart within the same dashboard, and  I have not added or modified anything to create that. The Drilldown option is set to None for this panel, and all other panels, yet by some magic the other panels sometimes behave to toggle Off/On the data being display by clicking on the legend labels. The section for this panel xml is below, and any help would be greatly appreciated: <panel> <chart id="chart1"> <title>Titte of the Dashboard</title> <search base="base_search"> <query>| search merchant IN ($merchant$) | chart sum(used) as Used sum(Discount) as Discount over _time by merchant | addcoltotals row=f col=t label="Totals" labelfield=merchant fieldname="Totals" Used Discount</query> </search> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.chart">column</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">right</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">0</option> </chart> </panel>