I'm just starting to experiment with some cool searches for my firewall events. I've created this customized search that will sort by src_ip and display other fields of interest in table form. I've used the time presets to create reports and dashboards for day, week, month and year.
index="main" sourcetype="syslog" | stats count by src_ip,src_port,dest_ip,dest_port,protocol,action | sort -count
I'm looking for help on creating some cool pie charts for top 10 events based on the aforementioned time frames, filtered by different criteria such as src_ip or action (pass/block).
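As an added example (not from the original post), here is one way to build top-10 pie charts from the same firewall events, using Splunk's `top` command instead of `stats ... | sort -count`. The `index`, `sourcetype` and field names are taken from the search above; the `action=block` value and the `-7d@d` time range are assumptions. `useother=t` folds everything outside the top 10 into a single "OTHER" slice so the pie still shows the full event volume, and `showperc=f` drops the percent column so the chart only has the count to plot. Each search below is a separate query; select "Pie" in the Visualization tab or save the search as a dashboard panel with a pie chart type.

```spl
index="main" sourcetype="syslog" earliest=-7d@d latest=now | top limit=10 src_ip useother=t showperc=f

index="main" sourcetype="syslog" earliest=-7d@d latest=now | top limit=10 action useother=t showperc=f

index="main" sourcetype="syslog" earliest=-7d@d latest=now action=block | top limit=10 src_ip useother=t showperc=f

index="main" sourcetype="syslog" earliest=-7d@d latest=now action=block | top limit=10 dest_port useother=t showperc=f
```

The first two charts give the overall picture (busiest sources, pass versus block ratio); the last two narrow to blocked traffic only, which is usually the slice worth watching for scanning or repeated probes against the same destination port. When these searches are saved for the day/week/month/year dashboards, replace the hard-coded `earliest`/`latest` with the dashboard's time picker token so all panels follow the selected preset.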