https://community.splunk.com/t5/Splunk-Search/stats-by-time-and-field-values-in-that-time-frame/m-p/312151#M160982 <P>Perhaps:</P> <PRE><CODE>&lt;base search&gt; | bin span=5min _time | stats values(app) AS Apps dc(app) AS count BY _time </CODE></PRE> <P>That's assuming you want the distinct set and count of apps during that time.</P> Thu, 25 May 2017 21:11:16 GMT micahkemp 2017-05-25T21:11:16Z https://community.splunk.com/t5/Splunk-Search/stats-by-time-and-field-values-in-that-time-frame/m-p/312150#M160981 <P>Expected stats result</P> <P>Time every 5mins | Apps |count<BR /> 1:00 |app1,app2,app3 |3<BR /> 1:05 |app1,app4 |2<BR /> 1:10 |app4 |1</P> Thu, 25 May 2017 20:59:21 GMT https://community.splunk.com/t5/Splunk-Search/stats-by-time-and-field-values-in-that-time-frame/m-p/312150#M160981 knarayana 2017-05-25T20:59:21Z https://community.splunk.com/t5/Splunk-Search/stats-by-time-and-field-values-in-that-time-frame/m-p/312151#M160982 <P>Perhaps:</P> <PRE><CODE>&lt;base search&gt; | bin span=5min _time | stats values(app) AS Apps dc(app) AS count BY _time </CODE></PRE> <P>That's assuming you want the distinct set and count of apps during that time.</P> Thu, 25 May 2017 21:11:16 GMT https://community.splunk.com/t5/Splunk-Search/stats-by-time-and-field-values-in-that-time-frame/m-p/312151#M160982 micahkemp 2017-05-25T21:11:16Z