https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312112#M93493 <P>I tried it on my data, but this is what I get.</P> <P>For the last 3 month. if I use time chart, my value of Jan and Dec are the same, however the Nov are less.</P> <P>And I think the sequence are not correct. The earlier month should be the super set of all.. and the subsequent months are incremental of the earlier months.</P> Mon, 26 Feb 2018 05:47:53 GMT quahfamili 2018-02-26T05:47:53Z https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312110#M93491 <P>Hi, </P> <P>I had been wanting to change events that are unique over month but to no avail. I will give an illustration below:</P> <P>''month'' ''event''<BR /> ''1'' ''a''<BR /> ''1'' ''b''<BR /> ''1'' ''c''<BR /> ''2'' ''a''<BR /> ''2'' ''c''<BR /> ''2'' ''z''<BR /> ''2'' ''d''<BR /> ''2'' ''z''<BR /> ''3'' ''a''<BR /> ''3'' ''z''<BR /> ''3'' ''b''<BR /> ''3'' ''g''<BR /> ''3'' ''h''<BR /> ''3'' ''u''<BR /> ''3'' ''z''<BR /> ''3'' ''b''</P> <P>assuming the index=someIndex</P> <P>index=somIndex | timechart dc(event) as ''Unique new count'' by month </P> <P>give you:</P> <P>''month'' ''Unique new count''<BR /> ''1'' ''3''<BR /> ''2'' ''4''<BR /> ''3'' ''6'' </P> <P>The result I want would be:</P> <P>''month'' ''Unique new count''<BR /> ''1'' ''3''<BR /> ''2'' ''2''<BR /> ''3'' ''3''</P> <P>Any one can help?</P> Mon, 26 Feb 2018 03:28:08 GMT https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312110#M93491 quahfamili 2018-02-26T03:28:08Z https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312111#M93492 <P>For example, you can count on this search sentence.<BR /> However, the month needs a year and month.</P> <P>(your search)<BR /> |table month event<BR /> |stats min(month) as month by event<BR /> |stats count as "Unique new count" by month</P> Mon, 26 Feb 2018 04:41:37 GMT https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312111#M93492 HiroshiSatoh 2018-02-26T04:41:37Z https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312112#M93493 <P>I tried it on my data, but this is what I get.</P> <P>For the last 3 month. if I use time chart, my value of Jan and Dec are the same, however the Nov are less.</P> <P>And I think the sequence are not correct. The earlier month should be the super set of all.. and the subsequent months are incremental of the earlier months.</P> Mon, 26 Feb 2018 05:47:53 GMT https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312112#M93493 quahfamili 2018-02-26T05:47:53Z https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312113#M93494 <P>I thought that counting the months when the event first appeared could get unique events every month.</P> <P>Is it different from yours?</P> Mon, 26 Feb 2018 06:06:22 GMT https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312113#M93494 HiroshiSatoh 2018-02-26T06:06:22Z https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312114#M93495 <P>I think I put it wrongly in my question. I looking for a more incremental kinda of counting.</P> <P>For example: 1st month I have 10 unique events, 2nd month I have 2 new unique events that did not happened in the 1st month, 3rd month I have 5 new unique events that had not happened in 1st and 2nd month combine, and 4th month I have 7 new unique events that had not happened in 1st to 3rd month. </P> <P>The plot will be like: </P> <P>1st - 10<BR /> 2nd - 2<BR /> 3rd -5<BR /> 4th - 7 </P> Mon, 26 Feb 2018 06:21:50 GMT https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312114#M93495 quahfamili 2018-02-26T06:21:50Z https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312115#M93496 <P>Edit: Another example to clarify the question:</P> <P>1st month I have 10 unique events<BR /> 2nd month I have 2 new unique events that did not happened in the 1st month <BR /> 3rd month I have 5 new unique events that had not happened in 1st and 2nd month combined<BR /> 4th month I have 7 new unique events that had not happened in 1st to 3rd month</P> <P>The plot will be like: </P> <P>1st - 10<BR /> 2nd - 2<BR /> 3rd -5<BR /> 4th - 7 </P> Mon, 26 Feb 2018 06:23:16 GMT https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312115#M93496 quahfamili 2018-02-26T06:23:16Z https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312116#M93497 <P>You should be able to see and understand the moon that first appeared.<BR /> If I do it is such a search sentence.</P> <PRE><CODE>(your search) |stats earliest(_time) as time by event |eval month=strftime(time,"%Y-%m") |stats count as "Unique new count" by month </CODE></PRE> Tue, 27 Feb 2018 04:35:24 GMT https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312116#M93497 HiroshiSatoh 2018-02-27T04:35:24Z https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312117#M93498 <P>Hi, <BR /> Thanks for the reply, I got it to work. I did a mistake to dudup the event.</P> <P>Thanks again!</P> Tue, 27 Feb 2018 07:30:13 GMT https://community.splunk.com/t5/Splunk-Search/Chart-event-that-are-unique-over-month/m-p/312117#M93498 quahfamili 2018-02-27T07:30:13Z