https://community.splunk.com/t5/Splunk-Search/Count-New-IPs-Accessed-Over-Time/m-p/555829#M157817 <LI-CODE lang="markup">sourcetype=report_900 earliest=1 latest=now | bin _time span=1d | stats values(IPv4Address) as IPv4Address by _time | streamstats dc(IPv4Address) as countip | streamstats window=1 current=f values(countip) as previouscount | fillnull value=0 previouscount | eval change=countip-previouscount</LI-CODE> Tue, 15 Jun 2021 16:41:13 GMT ITWhisperer 2021-06-15T16:41:13Z https://community.splunk.com/t5/Splunk-Search/Count-New-IPs-Accessed-Over-Time/m-p/555816#M157810 <P>We have a daily report that generates an event each time an IP is accessed each day.&nbsp; In order to determine the number of new IPs accessed today that have never been accessed before we use the following query:</P><LI-CODE lang="markup">sourcetype=report_900 earliest=-1d@d latest=now NOT [search sourcetype=report_900 earliest=1 latest=-1d@d | stats count by IPv4Address | table IPv4Address] | stats count by IPv4Address | table IPv4Address | stats count</LI-CODE><P>What we would like to have is a query that produces a timechart of the the number of new IPs accessed each day.</P><P>If the data shows the following IP access for the day&nbsp; (each letter represents a different IP)</P><P>2021/01/01 IPs:&nbsp; A,B,C,A,A</P><P>2021/01/02 IPs: B,D,E,B,E</P><P>2021/01/03 IPs: A,D,E,A,A</P><P>2021/01/04 IPs: B,C,F,C</P><P>We would get the following results:</P><P>2021/01/01&nbsp;&nbsp;&nbsp;&nbsp; 3</P><P>2021/01/02&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>2021/01/03&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>2021/01/04&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P>Any suggestions on how this can be accomplished?</P><P>Also, any suggestions on improving the performance of our original query?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 15 Jun 2021 15:37:49 GMT https://community.splunk.com/t5/Splunk-Search/Count-New-IPs-Accessed-Over-Time/m-p/555816#M157810 ky129q 2021-06-15T15:37:49Z https://community.splunk.com/t5/Splunk-Search/Count-New-IPs-Accessed-Over-Time/m-p/555829#M157817 <LI-CODE lang="markup">sourcetype=report_900 earliest=1 latest=now | bin _time span=1d | stats values(IPv4Address) as IPv4Address by _time | streamstats dc(IPv4Address) as countip | streamstats window=1 current=f values(countip) as previouscount | fillnull value=0 previouscount | eval change=countip-previouscount</LI-CODE> Tue, 15 Jun 2021 16:41:13 GMT https://community.splunk.com/t5/Splunk-Search/Count-New-IPs-Accessed-Over-Time/m-p/555829#M157817 ITWhisperer 2021-06-15T16:41:13Z https://community.splunk.com/t5/Splunk-Search/Count-New-IPs-Accessed-Over-Time/m-p/556507#M158048 <P>Exactly what I wanted.&nbsp; Thanks</P> Mon, 21 Jun 2021 10:58:29 GMT https://community.splunk.com/t5/Splunk-Search/Count-New-IPs-Accessed-Over-Time/m-p/556507#M158048 ky129q 2021-06-21T10:58:29Z