Chart events that are unique over months

Path Finder

Hi,

I have been wanting to chart events that are unique over months, but to no avail. I will give an illustration below:

month  event
1      a
1      b
1      c
2      a
2      c
2      z
2      d
2      z
3      a
3      z
3      b
3      g
3      h
3      u
3      z
3      b

Assuming the index=someIndex,

index=someIndex | timechart dc(event) as "Unique new count" by month

gives you:

month  Unique new count
1      3
2      4
3      6

The result I want would be:

month  Unique new count
1      3
2      2
3      3

Can anyone help?

Champion

For example, you can count with this search.
However, the month needs to include a year and month.

(your search)
|table month event
|stats min(month) as month by event
|stats count as "Unique new count" by month

Path Finder

Edit: Another example to clarify the question:

1st month I have 10 unique events
2nd month I have 2 new unique events that did not happen in the 1st month
3rd month I have 5 new unique events that had not happened in the 1st and 2nd months combined
4th month I have 7 new unique events that had not happened in the 1st to 3rd months

The plot will be like:

1st - 10
2nd - 2
3rd - 5
4th - 7

Path Finder

I tried it on my data, but this is what I get.

For the last 3 months, if I use time chart, my values for Jan and Dec are the same; however, Nov is less.

And I think the sequence is not correct. The earlier month should be the superset of all, and the subsequent months are incremental on the earlier months.

Champion

I thought that counting the months when the event first appeared could get unique events every month.

Is it different from yours?

Path Finder

I think I put it wrongly in my question. I am looking for a more incremental kind of counting.

For example: 1st month I have 10 unique events, 2nd month I have 2 new unique events that did not happen in the 1st month, 3rd month I have 5 new unique events that had not happened in the 1st and 2nd months combined, and 4th month I have 7 new unique events that had not happened in the 1st to 3rd months.

The plot will be like:

1st - 10
2nd - 2
3rd - 5
4th - 7

Champion

You should be able to see and understand the month that first appeared.
If I do it, it is a search like this.

(your search)
|stats earliest(_time) as time by event
|eval month=strftime(time,"%Y-%m")
|stats count as "Unique new count" by month
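
The two `stats` stages above, emulated in Python as an added example (not code from the thread): it runs the question's sample table and shows why the month field has to carry the year. The function names and the mapping of months 1 to 3 onto 2019-11, 2019-12 and 2020-01 are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample: the question's table, with months 1-3 mapped to
# assumed dates 2019-11, 2019-12 and 2020-01 so it crosses a year boundary.
ROWS = [
    ("2019-11", "a"), ("2019-11", "b"), ("2019-11", "c"),
    ("2019-12", "a"), ("2019-12", "c"), ("2019-12", "z"),
    ("2019-12", "d"), ("2019-12", "z"),
    ("2020-01", "a"), ("2020-01", "z"), ("2020-01", "b"), ("2020-01", "g"),
    ("2020-01", "h"), ("2020-01", "u"), ("2020-01", "z"), ("2020-01", "b"),
]


def distinct_per_month(rows):
    """Like `dc(event) by month`: distinct events seen inside each month."""
    seen = {}
    for month, event in rows:
        seen.setdefault(month, set()).add(event)
    return {month: len(events) for month, events in sorted(seen.items())}


def first_seen_per_month(rows, key=lambda month: month):
    """Like `stats min(month) as month by event | stats count by month`.

    `key` turns the year-month string into the value that min() compares.
    """
    first = {}
    for month, event in rows:
        k = key(month)
        if event not in first or k < first[event]:
            first[event] = k  # keep the earliest month for this event
    return dict(sorted(Counter(first.values()).items()))


def bare_month(month):
    """Drop the year and keep only the month number (the pitfall case)."""
    return int(month.split("-")[1])


if __name__ == "__main__":
    print("dc by month:       ", distinct_per_month(ROWS))
    print("first seen (Y-m):  ", first_seen_per_month(ROWS))
    # Without the year, January (1) sorts before November (11), so events
    # first seen in Nov or Dec are wrongly attributed to January.
    print("first seen (month):", first_seen_per_month(ROWS, key=bare_month))
```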

Path Finder

Hi,
Thanks for the reply, I got it to work. I made a mistake to dedup the event.

Thanks again!
