Solved: Re: show only unique values over timeseries data w...

mjones414 · ‎03-31-2022

I have a time series data source where an alert writes an event indicating that the number of systems an account is logging into is increasing over a set window of time. in each event series, it lists all the machines including the new one that the account incremented by in a multivalue field.

Broken out by day, I'm trying to only display the unique machines
e.g.
| stats values(IPS) as ips values(computer) as dvcs by user _time

I tried to accomplish this using mvdedup but that is only capable of deduping multi-value in a given event not a full timeseries search result. Would love any advise you may have to accomplish this

somesoni2 · ‎03-31-2022

Give this a try

Your current search giving fields _time user IPS computer
| bucket span=1d _time 
| stats min(_time) as _time by user IPS computer 
| stats values(IPS) as ips values(computer) as dvcs by user _time

View solution in original post

somesoni2 · ‎03-31-2022

Give this a try

Your current search giving fields _time user IPS computer
| bucket span=1d _time 
| stats min(_time) as _time by user IPS computer 
| stats values(IPS) as ips values(computer) as dvcs by user _time

mjones414 · ‎04-01-2022

You, sir, are a true gentlemen and a scholar! Thank you so much!

How to only show only unique values over timeseries data with stats

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!