Solved: Re: Chart event that are unique over month

quahfamili · ‎02-25-2018

Hi,

I had been wanting to change events that are unique over month but to no avail. I will give an illustration below:

''month'' ''event''
''1'' ''a''
''1'' ''b''
''1'' ''c''
''2'' ''a''
''2'' ''c''
''2'' ''z''
''2'' ''d''
''2'' ''z''
''3'' ''a''
''3'' ''z''
''3'' ''b''
''3'' ''g''
''3'' ''h''
''3'' ''u''
''3'' ''z''
''3'' ''b''

assuming the index=someIndex

index=somIndex | timechart dc(event) as ''Unique new count'' by month

give you:

''month'' ''Unique new count''
''1'' ''3''
''2'' ''4''
''3'' ''6''

The result I want would be:

''month'' ''Unique new count''
''1'' ''3''
''2'' ''2''
''3'' ''3''

Any one can help?

HiroshiSatoh · ‎02-25-2018

For example, you can count on this search sentence.
However, the month needs a year and month.

(your search)
|table month event
|stats min(month) as month by event
|stats count as "Unique new count" by month

View solution in original post

quahfamili · ‎02-25-2018

Edit: Another example to clarify the question:

1st month I have 10 unique events
2nd month I have 2 new unique events that did not happened in the 1st month
3rd month I have 5 new unique events that had not happened in 1st and 2nd month combined
4th month I have 7 new unique events that had not happened in 1st to 3rd month

The plot will be like:

1st - 10
2nd - 2
3rd -5
4th - 7

HiroshiSatoh · ‎02-25-2018

For example, you can count on this search sentence.
However, the month needs a year and month.

(your search)
|table month event
|stats min(month) as month by event
|stats count as "Unique new count" by month

quahfamili · ‎02-25-2018

I tried it on my data, but this is what I get.

For the last 3 month. if I use time chart, my value of Jan and Dec are the same, however the Nov are less.

And I think the sequence are not correct. The earlier month should be the super set of all.. and the subsequent months are incremental of the earlier months.

HiroshiSatoh · ‎02-25-2018

I thought that counting the months when the event first appeared could get unique events every month.

Is it different from yours?

quahfamili · ‎02-25-2018

I think I put it wrongly in my question. I looking for a more incremental kinda of counting.

For example: 1st month I have 10 unique events, 2nd month I have 2 new unique events that did not happened in the 1st month, 3rd month I have 5 new unique events that had not happened in 1st and 2nd month combine, and 4th month I have 7 new unique events that had not happened in 1st to 3rd month.

The plot will be like:

1st - 10
2nd - 2
3rd -5
4th - 7

HiroshiSatoh · ‎02-26-2018

You should be able to see and understand the moon that first appeared.
If I do it is such a search sentence.

(your search)
|stats earliest(_time) as time by event
|eval month=strftime(time,"%Y-%m")
|stats count as "Unique new count" by month

quahfamili · ‎02-26-2018

Hi,
Thanks for the reply, I got it to work. I did a mistake to dudup the event.

Thanks again!

Chart event that are unique over month

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Chart event that are unique over month

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability