Howdy from Dallas Tx,
I'm a new Splunk user and I'm fighting with search.
I am using a subsearch that returns a subset of data for my main search.

I'm attempting to count only one event per day and sum over a week, However my search only returns only a single user event over the whole week custom time period. I know there are multiple events over the week period for my results when I took out the "DEDUP" command.
What I'm trying to get as output is the sum of a single user's event(of multiple) per day for the week.
so output would be user\JDoe 4

index="login" sourcetype="Login"[search index="hrdata" sourcetype="HRFeed" Employee=John Doe | table SignonID ]
| dedup USERID | bucket _time span=1d | stats count as LoginCount by _time, USERID | sort USERID
_time USERID LoginCount
6/29/14 12:00:00.000 AM User\JDoe 1