topic Re: How to subtract the first X number from count of a deduped field for a timechart? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-subtract-the-first-X-number-from-count-of-a-deduped-field/m-p/320612#M95811 <P>So if your monthly count for Jan is say 18000, you want to plot only 8000? What should happen if Feb count is less than 10000?</P> Tue, 06 Mar 2018 22:09:31 GMT somesoni2 2018-03-06T22:09:31Z How to subtract the first X number from count of a deduped field for a timechart? https://community.splunk.com/t5/Splunk-Search/How-to-subtract-the-first-X-number-from-count-of-a-deduped-field/m-p/320611#M95810 <P>I have a timechart that visualizes the monthly count of unique locations accessed, but I need to remove the first (in order of time) 10,000 unique locations. Here is my original search that builds the timechart:</P> <PRE><CODE>search resulting in events with various Latitude and Longitude fields, some unique | eval LatNormalized=round(Latitude,5) | eval LongNormalized=round(Longitude,5) | eval LatLongNormalized=LatNormalized+","+LongNormalized | dedup LatLongNormalized sortby -LatNormalized,-LongNormalized | timechart span=1mon count(LatLongNormalized) </CODE></PRE> <P>I tried to use the following to at least identify where the 10k mark was hit, and I could then just modify my time range to exclude that, however it isn't working:</P> <PRE><CODE>same search base as above | eval LatNormalized=round(Latitude,5) | eval LongNormalized=round(Longitude,5) | eval LatLongNormalized=LatNormalized+","+LongNormalized | dedup LatLongNormalized sortby -LatNormalized,-LongNormalized, -date_month | eventstats count(LatLongNormalized) as countLatLongNormalized | streamstats range(countLatLongNormalized) as countRange | head (countRange&lt;10000) </CODE></PRE> <P>This doesn't appear to be doing what I expected either, so I'm thinking I'm going about this completely wrong. Does anyone know how I could eliminate the results from my search containing the first 10,000 unique values of LatLongNormalized and only chart the subsequent counts?</P> Tue, 06 Mar 2018 19:34:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-the-first-X-number-from-count-of-a-deduped-field/m-p/320611#M95810 jpriceit 2018-03-06T19:34:28Z Re: How to subtract the first X number from count of a deduped field for a timechart? https://community.splunk.com/t5/Splunk-Search/How-to-subtract-the-first-X-number-from-count-of-a-deduped-field/m-p/320612#M95811 <P>So if your monthly count for Jan is say 18000, you want to plot only 8000? What should happen if Feb count is less than 10000?</P> Tue, 06 Mar 2018 22:09:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-the-first-X-number-from-count-of-a-deduped-field/m-p/320612#M95811 somesoni2 2018-03-06T22:09:31Z