so I have 4 summary indexes

- source=summary_user
That contains this query:

(host=pnr-proxy-prod* OR host=master*.menlosecurity.com*) source=/var/log/pnr/pnr-enforcement*.log user_id=*
| eval ms_region=rtrim(ms_zone, "abcdefghijklmnop")
| bucket time span=1h
| dedup 1 keepempty=false _time ms_region user_id browser
| eval anon_user_id = if (like(user_id, "anon%"), user_id, null)
| eval named_user_id = if (NOT like(user_id, "anon_%"), user_id, null)
| table _time ms_region user_id named_user_id, anon_user_id browser, tenant_id
| collect index=summary source=summary_users

- source=summary_daily_users

index=summary source="summary_users"
|stats dc(user_id) as user_id
dc(named_user_id) as named_user_id
dc(anon_user_id) as anon_user_id
by _time, ms_region, tenant_id, browser
|collect index=summary source=summary_daily_users
|sort -num(_time)

- source=summary_monthly_users

index=summary source="summary_users"
|stats dc(user_id) as user_id
dc(named_user_id) as named_user_id
dc(anon_user_id) as anon_user_id
by _time, ms_region, tenant_id
|collect index=summary source=summary_monthly_users
|sort -num(_time)

but its no the result I expect to get for example

01:00 Users (A, B, C) - named_users=3

02:00 Users (A, B, C, D) - named_users=4

03:00 Users (A, C, D) - named_users=3

The "Daily" version of this should report 4 users. The current query will report 10 users.