Hey all, this may be something very basic, but I can't seem to find exactly what I'm looking to do on the forums.

For context, I'm trying to look at the device details users have during their actions within an application, things like IP addresses and user agents. I was hoping to break down the number of unique days an IP address (or similar detail) was used. Using a very basic chart search I can get these numbers:

    index=x sourcetype=x [userID that would be passed via subquery] | chart count by _time span=1d ipAddress

    _time        1.1.1.1  2.2.2.2
    2020-10-15   1        0
    2020-10-15   0        0
    2020-10-15   1        0
    2020-10-15   0        0
    2020-10-15   3        9
    2020-10-15   2        0

and I would like to convert this into something like:

    1.1.1.1 = 4 unique days
    2.2.2.2 = 1 unique day

The idea being that the userID was passed to this outer query because of some other criteria indicative of a possible compromise (such as a certain sequence of events on that profile, or a known IOC); then this search would determine if there was an outlier IP address that was used during the most recent event (being able to filter out any events that occurred from an IP/user agent that has already been used for >X unique days).

Open to any suggestions, just kind of tinkering around.
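The "unique days per value" calculation the post is after is a distinct count of day buckets per IP (or per user agent); in SPL that is `... | bin _time span=1d | stats dc(_time) AS unique_days BY ipAddress`. The following is an added example, not code from the original post or from Splunk, that implements the same logic in Python over a constructed event stream so the day-bucketing, the "has this value been seen on fewer than X days?" check on the most recent event, and the filter for already-established values can be seen end to end. The event records, field names (`_time`, `ipAddress`, `userAgent`) and the threshold `min_days` are assumptions chosen to mirror the search in the post.

```python
from datetime import datetime

# Constructed sample events for one userID (not real data from the post).
# 1.1.1.1 / UA-A appear on four distinct days (10, 11, 13, 15 Oct; 13 Oct twice);
# 2.2.2.2 / UA-B appear only on 15 Oct, which is also the most recent activity.
EVENTS = [
    {"_time": "2020-10-10T08:01:00Z", "ipAddress": "1.1.1.1", "userAgent": "UA-A"},
    {"_time": "2020-10-11T09:15:00Z", "ipAddress": "1.1.1.1", "userAgent": "UA-A"},
    {"_time": "2020-10-13T07:30:00Z", "ipAddress": "1.1.1.1", "userAgent": "UA-A"},
    {"_time": "2020-10-13T18:45:00Z", "ipAddress": "1.1.1.1", "userAgent": "UA-A"},
    {"_time": "2020-10-15T10:00:00Z", "ipAddress": "1.1.1.1", "userAgent": "UA-A"},
    {"_time": "2020-10-15T10:05:00Z", "ipAddress": "2.2.2.2", "userAgent": "UA-B"},
    {"_time": "2020-10-15T10:06:00Z", "ipAddress": "2.2.2.2", "userAgent": "UA-B"},
    {"_time": "2020-10-15T10:07:00Z", "ipAddress": "2.2.2.2", "userAgent": "UA-B"},
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format; all times treated as UTC


def day_bucket(event):
    """Equivalent of `bin _time span=1d`: collapse a timestamp to its UTC calendar day.
    Day boundaries depend on the timezone the search runs in; UTC is assumed here."""
    return datetime.strptime(event["_time"], TIME_FMT).date()


def unique_days_by(events, field):
    """Equivalent of `stats dc(_time) AS unique_days BY <field>` after day-bucketing.
    Returns {value: number_of_distinct_days}. Multiple events on the same day count once."""
    days_seen = {}
    for event in events:
        days_seen.setdefault(event[field], set()).add(day_bucket(event))
    return {value: len(days) for value, days in days_seen.items()}


def outlier_in_latest(events, field, min_days):
    """Return the value of `field` on the most recent event if that value has been
    seen on fewer than `min_days` distinct days (i.e. it is not yet established for
    this user); otherwise return None."""
    latest = max(events, key=lambda e: e["_time"])  # fixed-width ISO strings sort lexically
    counts = unique_days_by(events, field)
    value = latest[field]
    return value if counts[value] < min_days else None


def filter_established(events, field, min_days):
    """Drop events whose `field` value has already been used on `min_days` or more
    distinct days, leaving only activity from values that are still 'new' for the user."""
    counts = unique_days_by(events, field)
    return [e for e in events if counts[e[field]] < min_days]


if __name__ == "__main__":
    for field in ("ipAddress", "userAgent"):
        for value, n in sorted(unique_days_by(EVENTS, field).items()):
            print(f"{field}: {value} = {n} unique day{'s' if n != 1 else ''}")
    print("outlier on latest event (X=3):", outlier_in_latest(EVENTS, "ipAddress", 3))
    print("events from not-yet-established IPs:",
          len(filter_established(EVENTS, "ipAddress", 3)))
```

Two things worth keeping in mind when turning this back into SPL: the distinct-day count is per value within the one userID the subsearch passed in, so the `BY` clause should not also split by `_time` the way the original `chart` does; and the threshold X is a judgement call, since an IP that a user has only touched on one or two days is not automatically hostile, it is just the one that has not earned a baseline yet.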