Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timecharts, distinct count and Total distinct count

jerwood
New Member
‎12-13-2013 06:28 AM

This may be simple, but I am pretty new to splunk in general and my attempts have not proved fruitful yet.

So I have a search returns a timechart of distinct users per State for an event, works fine. Timechart auto breaks it down which can be tuned, no problems there. What I want to do though, is add one final line to my timechart that is a "cumulative distinct count" for the search. The catch is, I want it to be a DC for the WHOLE timeframe, not just a sum of each dc timechart splits up into (aka addtotals col=t is not what I am looking for).

Any thoughts?

Tags (2)
0 Karma
Reply

jerwood
New Member
‎12-13-2013 06:58 AM

Edit: Here is the search string

index=cap type="AcctBadPswd" | geoip fromhost | search fromhost_country_name="United States"|timechart dc(user) by fromhost_region_name limit=55 usenull=0 useother=0

PS: I am having a TERRIBLE time with captchas on this site, worst ever... I can't edit my original post, always fails.

0 Karma
Reply

gfuente
Motivator
‎12-13-2013 06:37 AM

I think you are looking for

...| eventstats dc(users) | ...

Or something similar, please add your base search and sample events to get more information

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...