There';s no need to dedup before counting. The distinct_count function will give the number of unique values in a given field. sourcetype=x index=x method="Explicit Proxy"
| fields app,category,activity, user, bytes
| stats dc(user) as users, sum(bytes) as totalBytes by app I'm not sure anyone here can say if the results of the second query are correct or not because we don't have access to your data.
... View more