Timecharts, distinct count and Total distinct coun...

jerwood · ‎12-13-2013

This may be simple, but I am pretty new to splunk in general and my attempts have not proved fruitful yet.

So I have a search returns a timechart of distinct users per State for an event, works fine. Timechart auto breaks it down which can be tuned, no problems there. What I want to do though, is add one final line to my timechart that is a "cumulative distinct count" for the search. The catch is, I want it to be a DC for the WHOLE timeframe, not just a sum of each dc timechart splits up into (aka addtotals col=t is not what I am looking for).

Any thoughts?

jerwood · ‎12-13-2013

Edit: Here is the search string

index=cap type="AcctBadPswd" | geoip fromhost | search fromhost_country_name="United States"|timechart dc(user) by fromhost_region_name limit=55 usenull=0 useother=0

PS: I am having a TERRIBLE time with captchas on this site, worst ever... I can't edit my original post, always fails.

gfuente · ‎12-13-2013

I think you are looking for

...| eventstats dc(users) | ...

Or something similar, please add your base search and sample events to get more information

Timecharts, distinct count and Total distinct count

index=cap type="AcctBadPswd" | geoip fromhost | search fromhost_country_name="United States"|timechart dc(user) by fromhost_region_name limit=55 usenull=0 useother=0

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Timecharts, distinct count and Total distinct count

index=cap type="AcctBadPswd" | geoip fromhost | search fromhost_country_name="United States"|timechart dc(user) by fromhost_region_name limit=55 usenull=0 useother=0

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk