
McAfee SIEM - How to use the new Stacked Distribution Charts in views and reports in McAfee SIEM 9.4




McAfee SIEM version 9.4 now offers stacked bar, line, and area charts in views and reports so you can see the distribution of events related to a specific field. Stacked charts are a great addition that lets you visualize the contribution of individual items to the total and compare them against each other.


In this document, you will take a first look at a stacked chart, using the powerful drill down and binding features of the McAfee SIEM console. You will then create your own view and add a stacked distribution chart component to it. Finally, you will create a report that includes a stacked chart. This is a useful document to review if you want to get familiar with stacked charts, and understand the basics of drill downs, binding and creating views and reports.





You can also watch the steps described in this document by viewing the video below.








1. First look at a Stacked Chart


Below, you can see a custom view to which we’ve added a stacked event distribution component.




Let’s expand this component so we can see it better. We’ll do that by clicking on the icon at the top right corner of the component. That component shows us at a glance that IRC and Instant Messaging events make up the majority of our events at any given time. That’s one of the benefits of stacked charts. If you click on the edge of the chart, you’ll see a pop-up that gives you details about the section you are looking at. Here, we can see that the IRC instant messaging traffic made up exactly 48% of our events between noon and 2pm on June 17th, for a total of 163,611 events.




Stacked charts benefit from all the drill down and binding features available in the McAfee SIEM console. Let’s see a quick example by drilling down on the IP addresses. For that, click on the menu on the top left side of the event pane, and select Event Drilldown, Network, and Source IPs.




Now we can see the breakdown of the IP addresses that make up our chart.




We are curious about the drops in activity and want to drill down on those times, to see what is going on when everything seems to be quiet. Select that time frame by holding down the right mouse button and dragging across it.




All the elements of the view refresh and we are shown only the events for that time period and the IP addresses that are associated with them. This is thanks to the Data Binding feature of the McAfee SIEM, which automatically filters the components of a view when you make a selection in one of them.


We can see that the events are mostly identical. There are just fewer of them.




2. Adding a Stacked Chart to a View


Now let’s see how to add a stacked distribution component to your views and reports. Let’s start with adding it to a view. First, we’ll create a new custom view, so we do not tamper with the ones we have already created.


In the top middle of the console, click on the "Create New View" icon.




The View Editing Toolbar comes up.


Then drag and drop the "Distribution" component. The query wizard opens.






You are asked to select the type of query. Stacking is available for Distribution and Total Severity per Period queries. Here we are going to select Distribution.


Click next.


Then click Stacking.


This is where you define the criteria for what you want to stack and how you want to stack it.




Under "Field to group bar segments by," select the field you want to stack. In our case, we would like to stack by source IP address.



The "Number of bar segments per bar" lets you choose how many segments you want. We’ll leave it at ten, which will stack our top 10 source IP addresses.


Click OK.


Click Finish.


Our new view with our stacked distribution chart appears.




Let’s save it by clicking Save As. You can choose the folder in which to save the new view. Here, we are going to save the chart as "Stacked Chart" under Executive Views. If we want to use this view again, we’ll just navigate to Executive Views, Stacked Chart.




Once your view is open, you have the ability to change the chart type very quickly, like for any other view component, by clicking on the "Chart Type" icon at the bottom right of the distribution component. Here we are going to change it to a stacked column chart.




You can also change your stacked chart properties on the fly by clicking on the "Chart Option" icon at the bottom left of your distribution component. You can change the stacking field, the number of segments, whether to show how much the remaining ("other") values contribute to the overall total, and whether to show the legend. Under Time Interval Options, you can choose the time frame that each bar represents.


Finally, under Chart Options, you can choose the chart type. To close the chart options window, click on the "Chart Option" icon again.




3. Adding a Stacked Chart to a Report


Now that we have seen how to add a stacked chart to a view, let’s see how to add one to a report.

We can access the SIEM Reports from the Reports quick link at the top right of the console.




The report property window opens. Click Add at the top right corner to open the Add Report Menu.




In section 1, enter a Report Name, and a Description.


In Section 2, click the dropdown and select "Manual."




We’ll skip section 3.


In section 4, select the PDF report format, uncheck the email option and check "File saved to the ESM." Specify a name under which you would like the report to be saved. You can keep the default.




Under section 5, click Add. The report writer opens. Then drag and drop the "Distribution" component.




Just like for views, select "Distribution." Click Next. The query wizard opens.


Click on Stacking, and you’ll notice that we have the same options as when we added a stacked chart component to a view.




Under "Field to group bar segments by," select the field you want to stack. In our case, we would like to stack by source IP address.


The "Number of bar segments per bar" lets you choose how many segments you want. We’ll leave it at ten, which will stack our top 10 source IP addresses.


Again, we are going to group by "Source IP," and use the default for the other options.




Click OK. We are back in the Query Wizard.


We now need to give a time range for our component. Click on the Filters button.


We are going to use "Current Day" as the Time Range.




Now, we need to give our new layout a name, description, and other options such as orientation. Here we’ll just give it a name and keep all the defaults. Click Save and close the window.




You can see that our new layout has been added.




Click Save again to save the report itself. The new report has been added.




Click on Run Now to run it.




The "Selected reports are being generated" dialog box opens. Click OK. After a couple of seconds, the report file will be ready for download.


Click the File button at the bottom of the window.






Click Download. The download dialog box opens.




Click Yes. Save the file and open it.






We’ve looked at the new stacked charts available in McAfee SIEM 9.4 and seen how they help us discover what is going on even faster. We’ve also seen how to add them to views and how to modify them on the fly, and finally, we’ve seen how to create a report that contains a stacked chart.


I love the stacked chart option... I am trying to build one that shows the top 20 Data Sources by volume so we can see if/when one of these "major players" drops off or stops sending events entirely, such as maybe a firewall failover between cluster nodes.  I can make the bar graph using the event Overview query and have it sort by count sum descending and it will display the Device Name.  However, when I try to do an event distribution type graph from that, I'm unable to get it to stack on Device Name -- closest I can get is to do the stacking by Device Type.  Is this possible? I'm unable to find any query that uses Device Name except the Overview and Count queries (which are basically the same query just with different sort options, which really doesn't matter since I can override that on the next screen). It's frustrating not to be able to write or edit queries, or to be able to choose the fields for display in anything but the straight Events drilldown.
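To make the stacking options from section 2 concrete (a time interval per bar, the top N values of a field as segments, and the remaining values folded into an "Other" segment) and to show the kind of check the comment above is after (a device that normally reports in every interval going silent), here is an added worked example in Python. It is not code from the McAfee SIEM or from the article; the event records, field names, device names and IP addresses are constructed, and the rule that segments are ranked by their total count over the whole query range is an assumption about how the console picks its top N.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (hypothetical, not real SIEM data):
# (hour, minute, source IP, device name). Device "fw-b" stops reporting in the last hour.
_RAW = [
    (10, 5, "10.0.0.1", "fw-a"), (10, 12, "10.0.0.1", "fw-a"), (10, 40, "10.0.0.1", "fw-a"),
    (10, 8, "10.0.0.2", "fw-b"), (10, 33, "10.0.0.2", "fw-b"), (10, 50, "10.0.0.3", "proxy"),
    (11, 3, "10.0.0.1", "fw-a"), (11, 21, "10.0.0.1", "fw-a"),
    (11, 9, "10.0.0.2", "fw-b"), (11, 44, "10.0.0.2", "fw-b"),
    (11, 15, "10.0.0.3", "proxy"), (11, 30, "10.0.0.4", "vpn"),
    (12, 2, "10.0.0.1", "fw-a"), (12, 18, "10.0.0.1", "fw-a"), (12, 47, "10.0.0.1", "fw-a"),
    (12, 25, "10.0.0.3", "proxy"),
]
SAMPLE_EVENTS = [
    {"ts": datetime(2014, 6, 17, h, m), "src_ip": ip, "device": dev} for h, m, ip, dev in _RAW
]
FIELD_IP = "src_ip"
FIELD_DEVICE = "device"


def floor_to_interval(ts, interval_minutes):
    """Round a timestamp down to the start of its bar (the chart's time interval)."""
    minutes = (ts.hour * 60 + ts.minute) // interval_minutes * interval_minutes
    return ts.replace(hour=minutes // 60, minute=minutes % 60, second=0, microsecond=0)


def stacked_distribution(events, field, interval_minutes=60, segments=10, include_other=True):
    """Build the data behind a stacked distribution chart.

    Returns a list of (bar_start, {segment_value: count}) in time order. The top
    `segments` values of `field` (ranked by total count over the whole range, an
    assumption about the console's behaviour) become the segments of every bar;
    all other values are summed into an "Other" segment when include_other is set.
    """
    per_bar = defaultdict(Counter)
    totals = Counter()
    for ev in events:
        bar = floor_to_interval(ev["ts"], interval_minutes)
        per_bar[bar][ev[field]] += 1
        totals[ev[field]] += 1
    top = [value for value, _ in totals.most_common(segments)]
    series = []
    for bar in sorted(per_bar):
        counts = per_bar[bar]
        row = {value: counts.get(value, 0) for value in top}
        if include_other:
            row["Other"] = sum(n for v, n in counts.items() if v not in top)
        series.append((bar, row))
    return series


def segment_share(row, value):
    """Percentage of one bar contributed by one segment (what the chart pop-up shows)."""
    total = sum(row.values())
    return round(100.0 * row.get(value, 0) / total, 1) if total else 0.0


def dropped_sources(series):
    """Segments that had events in every earlier bar but none in the latest bar.

    This is the "major player stopped sending" check: a source that is normally
    present in each interval and is absent from the most recent one.
    """
    if len(series) < 2:
        return []
    *earlier, (_, latest) = series
    return sorted(
        v for v in latest
        if v != "Other" and latest[v] == 0 and all(row.get(v, 0) > 0 for _, row in earlier)
    )


if __name__ == "__main__":
    for bar, row in stacked_distribution(SAMPLE_EVENTS, FIELD_IP, segments=2):
        print(bar.strftime("%H:%M"), row, f"top share={segment_share(row, '10.0.0.1')}%")
    print("silent devices:", dropped_sources(stacked_distribution(SAMPLE_EVENTS, FIELD_DEVICE)))
```

With hourly bars and two segments the 10:00 bar is {10.0.0.1: 3, 10.0.0.2: 2, Other: 1}, and the device series flags `fw-b` as the one source that reported in every earlier hour but not in the last one; a lower segment count simply pushes more values into "Other", which is why a monitoring view of this kind should keep the segment count at or above the number of sources you care about.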
