The best way would be to use sistats and a summary, or alternatively, use report acceleration. With report acceleration, just set up your search and tell Splunk to accelerate, and that should do it.
If you summarize yourself, then on a daily basis (and you can backfill later), you run a;
... | sistats dc(user) by x,y,z
and store that to a summary. Then to get your counts:
index=my_summary_index name=my_summary_job | stats dc(user)
(or ... | stats dc(user) by x,y,z or ... | stats dc(user) by x,y ).
the sistats command will have saved the right data, and the stats command will know how to handle what sistats did. Yes, it is doing slightly clever things under the hood.
... View more