https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746981#M58760 <P>Please try my updated query.</P> Tue, 27 May 2025 11:44:22 GMT richgalloway 2025-05-27T11:44:22Z https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746912#M58753 <P>Hello,&nbsp;</P><P>I would like to create timechart that counts number of tests with different statuses (e.g. statuses 'OK', 'ERROR', 'WARN' etc) for last 30 days (per each day). The problem is that it should take only latest log with status per test (e.g. I have Login test (id 151), it has couple events/logs with different statuses, and I would like to take for that test last log/event with latest status.&nbsp;</P><P>I have a problem to combine 'latest' and 'distinct_count' with timechart.&nbsp;</P><P>When I do following search, I get duplicates of logs for test (e.g. I should have every day count of 62 (tests) for all statuses):&nbsp;<BR /><BR /></P><LI-CODE lang="markup">basesearch | timechart span=1d distinct_count(test) as tests by status</LI-CODE><P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chrome_zQzO00MHWQ.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39145i3B444C0897B9602F/image-size/large?v=v2&amp;px=999" role="button" title="chrome_zQzO00MHWQ.png" alt="chrome_zQzO00MHWQ.png" /></span>e.g. on day 2025-05-26 test 'Login test (id 151)' have one event with status 'OK' and another one with status 'Blad', and the duplicate is shown here.<BR /><BR /><BR />When I want to combine 'latest' to timechart I get distinct_count results only for last day:<BR /><BR /></P><LI-CODE lang="markup">basesearch | stats latest(status) as statuses latest(test) as tests latest(_time) as myTime by test | eval _time=myTime | timechart span=1d distinct_count(tests) by statuses</LI-CODE><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chrome_m3MOr3Gn1e.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39146i76B04FD36E243E96/image-size/large?v=v2&amp;px=999" role="button" title="chrome_m3MOr3Gn1e.png" alt="chrome_m3MOr3Gn1e.png" /></span></P><P>I appreciate help how to combine timechart, distinct_count and latest all together.</P><P>&nbsp;</P> Mon, 26 May 2025 11:15:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746912#M58753 jbllog 2025-05-26T11:15:43Z https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746923#M58755 <P>You almost had it.&nbsp; Use the <FONT face="courier new,courier">bin</FONT> and <FONT face="courier new,courier">stats</FONT> commands to group events by day and get the latest status.&nbsp; Then <FONT face="courier new,courier">timechart</FONT> will give the counts.</P><LI-CODE lang="markup">basesearch | bin span=1d _time | stats latest(status) as status by _time, test | timechart span=1d distinct_count(test) by status</LI-CODE><P>&nbsp;</P> Tue, 27 May 2025 11:44:01 GMT https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746923#M58755 richgalloway 2025-05-27T11:44:01Z https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746951#M58759 <P>Thank you for the response <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I tried your solution but still have results only for one day.&nbsp;<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chrome_iUgbbE3R24.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39152iE8E463EB5F019F1F/image-size/large?v=v2&amp;px=999" role="button" title="chrome_iUgbbE3R24.png" alt="chrome_iUgbbE3R24.png" /></span><BR />I wonder maybe this line may affect the unwanted one-day results:&nbsp;</P><PRE>status latest(test) as tests latest(_time) as _time</PRE><P>maybe I shouldn't use 'latest' agg function for 'test' and '_time'? But I don't know how to pass these values in a different way to 'timechart' function.<BR /><BR /></P> Tue, 27 May 2025 11:05:14 GMT https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746951#M58759 jbllog 2025-05-27T11:05:14Z https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746981#M58760 <P>Please try my updated query.</P> Tue, 27 May 2025 11:44:22 GMT https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746981#M58760 richgalloway 2025-05-27T11:44:22Z https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746982#M58761 <P>It works! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thank you for the solution :)!&nbsp;</P> Tue, 27 May 2025 12:33:21 GMT https://community.splunk.com/t5/Dashboards-Visualizations/timechart-distinct-count-combined-with-latest-function/m-p/746982#M58761 jbllog 2025-05-27T12:33:21Z