Hello,

Previously I had a dashboard that was giving out C level some data, where I was deduping based on the SQL Record number (We pull several SQL databases to a warehouse, where I get the data). The dashboard was showing how many times a day a record was accessed, which included any subsequent accesses by the same agent or different agent.

Since that was done, we had some scope creep. He wants to keep that, but now add a higher level that shows only Unique accesses by agent. IE is Agent one goes into Bob Smith, that counts as 1, and if Agent 1 and 2 both access Bob smith, that is one per agent. But both would be listed when going into individual user reports

The data is in two columns, so I thought combining the end user records would get me the details, and doing a search for one agent works, but now my averages and other data it off. Which is where assistance would be nice.

Original search that gave me all touches by department, including retouches.

index="access"  Department |dedup SQLkey | eval Date=strftime(_time, "%D") | chart count by Department Date limit=100

New search, which did not work as expected.

index="access"  Department  | eval combined_lookup=Client."-".EndUser | eval Date=strftime(_time, "%D") | chart count by Department Date limit=100

New search had some duplicates by some agents. When I added a dedup | dedup combined_lookup it removed all duplicates, not just by an individual agent.

Is there a way to modify this, so it will remove only dupes by an individual agent?

Thanks
Brian