The Report Writer does not support binding in the same way that views do. So if you want a filter to be applied to every component, it needs to be part of the filter for each component. In you example above, you are not specifying any filter beyond looking for the overall event summary. I grabbed some screenshots replicating what I think you want but let me know if I am misunderstanding some of your question:
1. Here is the configuration screen for the first component. I sorted it so the lowest events are seen first:
2. Here is the configuration screen for the table component using the same query as above, just different format. I am proposing another option to this query in step 4.
3. Here is a screenshot from the report output example:
4. I believe you would like to add a field for time in the table. To choose different fields for the query, start with the query called "event". So steps 1 would be the same as above but step 2 (the table) would look like this. After you choose "event", the fields in the table can be changed. And you can also select what to sort on. To be consistent with the bar chart, I was sorting on count, then time but you can change this around. By default, this query groups on record ID but you can also add subgroups under the Table Properties > Format and Display Options if you don't like these results:
Hope this helps.
Thank you Kara for answer.
I did some tests and I discovered, that although your proposition looks good, there still is a small problem: look at your last picture - the bar chart and the table contain different data. Cause is simple - the "Event Count" variable is not the same to "SUM of [Event Count]", so we see different events in two parts of our report.
My colleague found a workaround: he used the manually created watchlists as filters, but it is not comfortable solution.
So the question is still open: how to show on the reports regular events belonging to the least numerous groups of events?
You can try changing the query for the bar chart to match that of the table. You can sort on event count and/or sum of event count. That might help get your results more inline. Let me know if that helps.
In my opinion you should achieve that using proper watchlist (for example created on"Signature ID") and 2-level sorting ("SUM of [Event Count]" and "Rule Message" in bar chart and "Event Count" and "Rule Message" in table). For both part you should also use the same filter options.
Please, check also the "export to PDF" functionality in dashboard/view pane.