Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chart event that are unique over month

quahfamili
Path Finder
‎02-25-2018 07:28 PM

Hi,

I had been wanting to change events that are unique over month but to no avail. I will give an illustration below:

''month'' ''event''
''1'' ''a''
''1'' ''b''
''1'' ''c''
''2'' ''a''
''2'' ''c''
''2'' ''z''
''2'' ''d''
''2'' ''z''
''3'' ''a''
''3'' ''z''
''3'' ''b''
''3'' ''g''
''3'' ''h''
''3'' ''u''
''3'' ''z''
''3'' ''b''

assuming the index=someIndex

index=somIndex | timechart dc(event) as ''Unique new count'' by month

give you:

''month'' ''Unique new count''
''1'' ''3''
''2'' ''4''
''3'' ''6''

The result I want would be:

''month'' ''Unique new count''
''1'' ''3''
''2'' ''2''
''3'' ''3''

Any one can help?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎02-25-2018 08:41 PM

For example, you can count on this search sentence.
However, the month needs a year and month.

(your search)
|table month event
|stats min(month) as month by event
|stats count as "Unique new count" by month

View solution in original post

Reply
Solved! Jump to solution

quahfamili
Path Finder
‎02-25-2018 10:23 PM

Edit: Another example to clarify the question:

1st month I have 10 unique events
2nd month I have 2 new unique events that did not happened in the 1st month
3rd month I have 5 new unique events that had not happened in 1st and 2nd month combined
4th month I have 7 new unique events that had not happened in 1st to 3rd month

The plot will be like:

1st - 10
2nd - 2
3rd -5
4th - 7

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎02-25-2018 08:41 PM

For example, you can count on this search sentence.
However, the month needs a year and month.

(your search)
|table month event
|stats min(month) as month by event
|stats count as "Unique new count" by month

Reply
Solved! Jump to solution

quahfamili
Path Finder
‎02-25-2018 09:47 PM

I tried it on my data, but this is what I get.

For the last 3 month. if I use time chart, my value of Jan and Dec are the same, however the Nov are less.

And I think the sequence are not correct. The earlier month should be the super set of all.. and the subsequent months are incremental of the earlier months.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎02-25-2018 10:06 PM

I thought that counting the months when the event first appeared could get unique events every month.

Is it different from yours?

0 Karma
Reply
Solved! Jump to solution

quahfamili
Path Finder
‎02-25-2018 10:21 PM

I think I put it wrongly in my question. I looking for a more incremental kinda of counting.

For example: 1st month I have 10 unique events, 2nd month I have 2 new unique events that did not happened in the 1st month, 3rd month I have 5 new unique events that had not happened in 1st and 2nd month combine, and 4th month I have 7 new unique events that had not happened in 1st to 3rd month.

The plot will be like:

1st - 10
2nd - 2
3rd -5
4th - 7

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎02-26-2018 08:35 PM

You should be able to see and understand the moon that first appeared.
If I do it is such a search sentence.

(your search)
|stats earliest(_time) as time by event
|eval month=strftime(time,"%Y-%m")
|stats count as "Unique new count" by month
0 Karma
Reply
Solved! Jump to solution

quahfamili
Path Finder
‎02-26-2018 11:30 PM

Hi,
Thanks for the reply, I got it to work. I did a mistake to dudup the event.

Thanks again!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...