Hi there! I’m trying to create an “area stacked” visualization that shows event.dataset over the last 90 days. Is there a way to group the endpoint.events.network, endpoint.events.process, and events.events.file logs into one item so when showing the top five log sources, it would be one line rather than three of the five?
You can see in the screenshot below, having endpoint.events.* be 60% of the log sources. rather than 20% leaves little room for other important log sources.
Thanks!
Hello @meatwad
Can we try to use below formula and add all the events if you are using count/unique count :
count(endpoint.events.network) + count(endpoint.events.process) + count(events.events.file)
As we can see below have added firstname + lastname post which we can remove individual fields and can keep only 1 summary field :
Thanks!!
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
