try pie chart use the query ending with
| stats count by STATUS | eval STATUS=ID."-".ALERT."-".ALERT_RESOURCE."-".ACCOUNT."-".ACCOUNT_NAME."-".REGION."-".MESSAGE."-".SIGNATURE_DESC."-".SIGNATURE_RESOLUTION."-".STATUS."-".RISK_LEVEL."-".STARTED ENDED ARN
... View more
try this
| eval temp= mvfilter(match(myfield,"Error xyz")) | eval myfield=if(myfield==temp,"Error xyz",myfield)
if it won't work, please provide me more info
... View more