Activeboards Fundamentals - Exercise 3.4 - Donut/Pie widget (II)

  • 1 February 2023
  • 3 replies
Activeboards Fundamentals - Exercise 3.4 - Donut/Pie widget (II)
Userlevel 2

Arcadia is truly concerned about trojans. One of their points of defense is a McAfee antivirus ecosystem that logs its data into the av.mcafee.epo.threat data table.

As usual, spend some time to get to know this source.

Trojans come in many sizes and shapes, so our objective is to check and plot different trojan activity.

  • Open the av.mcafee.epo.threat data table.
  • Go to the threatType field and get rid of everything but trojans. We want to focus just on trojans.
  • Hover over the the threatName field. You should see a relatively small number of distinct values. That is, we have plenty of trojan activity but only a handful of distinct types of trojans.
  • Now, what type of widget could be appropriate for plotting this kind of information? Donut and pie chart widgets excel at representing proportions over a finite set of possible values. 
  • But we are not ready to work with activeboards yet. It’s best practice to include aggregations in the query for widgets, and we have barely started the filtering phase.
  • Instead of getting the total trojan activity, we want to exclude the three biggest hosts, as those are maintained by other team. They are “ts-server01”, “ts-server01”, and “ts-server01” and are logged in the analyzerHostname field. You may use an OR filter for that.
  • We are ready for the grouping. Group by threatName every hour.
  • Lastly, perform a count aggregation.

The query for all that could look like this:

from av.mcafee.epo.threat

  where threatType = "trojan",

    analyzerHostname /= "ts-server01" or analyzerHostname /= "ts-server03" or analyzerHostname /= "ts-server02"

  group every 1h by threatName

  every 1h

  select count() as count


We are ready for the activeboard phase.

  • Add a donut/pie chart widget to your activeboard.
  • Set the time range to include the last week.
  • Enter the query and save the changes.


Still here?

Let’s do an extra step. Even though we took some measures to have a reduced number of values in order to have a chart that was easy to read, we might still need to go full screen or resize the chart.

Instead of that, open the properties of the widget, click on the visual tab, and locate the Limit slices setting. Set it to 10.

3 replies

Userlevel 3

Hi Alex,

I just started this exercise, and something caught my attention, not directly related to the exercise but I’d like to understand the fundamentals.

As I open the av.mcafee.epo.threat data table, the graphic that shows the incoming data appears like this:


If I zoom it a bit:

What does it mean? To me, it looks as if every 1/3 of a second there’s exactly one event -no more, no less, and always at this regular rate-, but I don’t know if I’m interpreting it right, or why this is happening.



Userlevel 3

Hi again Alex,

Applying an OR filter to filter out the analyzerHostname “ts-server01” “ts-server02” and “ts-server03” doesn’t work:


I managed to filter them out with an AND filter:












Userlevel 3

Just like @Minion said applying filter OR to analyzerHostName doesn’t work when working with not equal operation . So it’s better to update the query in the post so others don’t face this issue. Here’s the new query as follows:-


from av.mcafee.epo.threat

where threatType = "trojan",

analyzerHostname /= "ts-server01" and analyzerHostname /= "ts-server02" and analyzerHostname /= "ts-server03"

group every 1h by threatName

every 1h

select count() as count