I have anti-virus data and I want to plot the types of alerts on a chart over time. I want to plot the data such that I can graphically see all virus related alerts compared to all AV alerts (to include the virus count).
Using my current query, I am getting two lines on my chart, **Virus** and **NULL**.
Does the 1=1 condition make all true? Or all that don't meet the previous cases? I need a count of all alerts to include the Virus.
**current query**
index=av alert=*
| eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,"All")
| timechart count by alert_type span=1d
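As an added example (not part of the original post or anyone's answer to it), the following SPL keeps the first-match `case()` with a quoted default string and, in the same `timechart`, produces one series for every alert and one for the Virus subset, so both lines share a time axis. The search `index=av alert=*` and the field name `alert` are taken from the question; the label `Other` and the series names `all_alerts` and `virus_alerts` are assumed names chosen here.

```spl
index=av alert=*
| eval alert_type = case(alert=="virus-adware", "Virus", alert=="pup-virus", "Virus", alert=="banking-malware", "Virus", true(), "Other")
| timechart span=1d count AS all_alerts count(eval(alert_type=="Virus")) AS virus_alerts
```

`case()` evaluates its conditions in order and returns the value paired with the first one that is true; the final `true()` (equivalent to `1=1`) only catches events that none of the earlier conditions matched, so a label placed there counts the non-virus remainder, not the total. An unquoted bare word in that position is read as a field name, and since no such field exists the result is null, which is why a NULL series appears. `count AS all_alerts` counts every event in each one-day bucket, and `count(eval(alert_type=="Virus"))` counts only the events the `case()` labelled `Virus`.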