Thank you Renjith,
I tried some of your ideas but I was unable to get the results I am looking for. I had a look at the documentation you said could help and it did have one function that seems to give me what I want, but not in the format I require. I used | stats dc(date_mday) and that gave me a number that was right on. So in my example, over a 30 day period I can see JDoe was issued at least 24 IPs. One for every day he came to the office. Before I was seeing 60 IPs. So, this is an improvement. I apologize for not mentioning the fact that I need this in a table format.
Unfortunately, I need the output to include the date, hostname and leased_ip in a table. Stats dc(date_mday) does not do that.
Here is the whole string so you can see it how it is in SPLUNK:
index = ib_dhcp_lease_history dhcpd OR dhcpdv6 r - l - e ACTION = Issued LEASE_IP = 10.* jdoe* |rename LEASE_IP as "Leased IP", OPTION12HOST as "Host Name", |convert ctime(_time) as Time |table Time, "Leased IP", "Host Name"
I will keep trying and get back soon.
... View more