Thanks for your reply. I tried both of these and unfortunately, a blip doesn't get created. It's just the same chart. ... View more

Try this ... your search that gets all the logins | bin _time span=1d | rename COMMENT as "Create one record for each client_user for each day they logged in" | stats count by client_user _time | rename COMMENT as "Create one record for each client_user" | stats min(_time) as mintime max(_time) as maxtime count as Active_Days by client_user | eval today=relative_time(now(),"@d") | rename COMMENT as "calculate number of days" | eval allDays = ( today - mintime )/86400 | eval allWeeks = floor( allDays / 7 ) | eval startDay = tonumber(strftime(mintime,"%w")) | eval endDay = tonumber(strftime(today,"%w")) | eval allWeekDays = 5 * AllWeeks + endDay - startDay + if(startDay>endDay,6,1) ... View more

First, don't use date_month for this. That field is occasionally flaky, and doesn't contain the year, so starting there will give you structural issues in the long run. Second, you can 't do the dc() before you've analyzed which months they logged in, so it won't help you. Try something like this ... your search which returns _time and user_company | timechart span=1mon count by user_company useother=f Now you have one record per month, with a field named after each user_company containing that month's count for that user_company . Unfortunately, there will be count=zero records for every month before their first appearance, so we need to kill those. Let's start by untabling the records so that we have simple events with only three fields each, _time , user_company , and count . The untable command almost looks like magic here, because we happen to be putting things back exactly where they were originally. The first parameter is "the one field on each event to leave alone", i.e. _time . We want each record to have the same _time as timechart put out - the start of the month. The second parameter is "the field to put each other field's name into", i.e. user_company . The timechart will have output a bunch of fields named after each individual user_company value, like "userfoo1" and "userbar5". untable will put that field into the field we decided to call user_company , which happens to be where it originally came from. We could just as well call it MyPlaceForTheTimechartSeriesName The last parameter is "the field to put each other field's value into", i.e. count. We could just as well call it MyPlaceForTheTimechartSeriesValue . | untable _time user_company count | rename COMMENT as "kill all records with count=0 that occur before the first records with count>0" | sort 0 _time user_company | streamstats sum(count) as sumcount by user_company | eval count= case(count>0 OR sumcount>0, count) | where isnotnull(count) | rename COMMENT as "now, if any records exist with count=0, kill the entire user_company" | eventstats min(count) as mincount by user_company | where mincount>0 | rename COMMENT as "finally, count up how many consecutive months the user has logged in" | stats min(_time) as _time count as monthCount by user_company | eval firstMonth=strftime(_time,"%Y-%m") ... View more

Would you be able to help me out with one more thing? I'm trying to look at only business days, rather than all days. I've found this part of a query but I don't know where to put it in the original query to make it work. | eval date_wday = tonumber(strftime(_time, "%w")) | where date_wday>=1 AND date_wday<=5 ... View more

I agree, should always rename aggregated fields. I posted this in rush. I'll fix the answer. ... View more