Thanks, Manjunathmeti. ... View more

Thank you. ... View more

source=WinEventLog:Security EventCode IN (4728, 4732, 4746, 4751, 4756, 4761, 4729, 4733, 4747, 4752, 4757, 4762, 4786, 4788) earliest=-7d@d | eval changed_by=mvindex(Security_ID, 0) | eval member_id=mvindex(Security_ID, 1) | eval group_id=mvindex(Security_ID, 2) | rex "A member was (?<change_type>(added|removed))" | eval host_name=coalesce(src_nt_host, dvc_nt_host, host) | rename EventCode as event_code EventCodeDescription AS event_desc | table _time host_name changed_by change_type group_id member_id event_code event_desc ... View more

@itsmevic70  Yes, you could combine those 3 fields by concatenation and create a single field and combine them like that and use that newly created field. But, but, but. In my opinion, you should not do that. Because if you have 3 fields to group the data with a pie chart isn't the right option.  A pie chart by definition is a 1D chart. Depending on your definition you may need any 3D chart.   I hope this helps!!! ... View more