Splunk Search

Chart event that are unique over month

quahfamili
Path Finder

Hi,

I have been wanting to chart events that are unique over a month, but to no avail. I will give an illustration below:

month  event
1      a
1      b
1      c
2      a
2      c
2      z
2      d
2      z
3      a
3      z
3      b
3      g
3      h
3      u
3      z
3      b

assuming the index=someIndex

index=someIndex | timechart dc(event) as "Unique new count" by month

gives you:

month  Unique new count
1      3
2      4
3      6

The result I want would be:

month  Unique new count
1      3
2      2
3      3

Can anyone help?

0 Karma

quahfamili
Path Finder

Edit: Another example to clarify the question:

1st month I have 10 unique events
2nd month I have 2 new unique events that did not happen in the 1st month
3rd month I have 5 new unique events that had not happened in the 1st and 2nd month combined
4th month I have 7 new unique events that had not happened in the 1st to 3rd month

The plot will be like:

1st - 10
2nd - 2
3rd - 5
4th - 7

0 Karma

HiroshiSatoh
Champion

For example, you can count with this search.
However, the month needs to include both the year and the month.

(your search)
|table month event
|stats min(month) as month by event
|stats count as "Unique new count" by month

quahfamili
Path Finder

I tried it on my data, but this is what I get.

For the last 3 months, if I use timechart, my values for Jan and Dec are the same; however, Nov is less.

And I think the sequence is not correct. The earliest month should be the superset of all, and the subsequent months are increments on the earlier months.

0 Karma

HiroshiSatoh
Champion

I thought that counting the months when the event first appeared could get unique events every month.

Is it different from yours?

0 Karma

quahfamili
Path Finder

I think I put it wrongly in my question. I am looking for a more incremental kind of counting.

For example: 1st month I have 10 unique events, 2nd month I have 2 new unique events that did not happen in the 1st month, 3rd month I have 5 new unique events that had not happened in the 1st and 2nd month combined, and 4th month I have 7 new unique events that had not happened in the 1st to 3rd month.

The plot will be like:

1st - 10
2nd - 2
3rd - 5
4th - 7

0 Karma

HiroshiSatoh
Champion

You should be able to see and understand the month in which each event first appeared.
If I do it, it is a search like this.

(your search)
|stats earliest(_time) as time by event
|eval month=strftime(time,"%Y-%m")
|stats count as "Unique new count" by month

0 Karma
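The accepted search above works by taking the earliest timestamp per event, bucketing that timestamp into a year-month, and counting events per bucket. The following Python script is an added example, not code from this thread or from Splunk, that reproduces the three searches discussed here on a constructed dataset matching the table in the question: the plain per-month distinct count (`timechart dc(event)`), the "first seen" count (`stats earliest(_time) by event | eval month | stats count by month`), and what the first-seen count degrades to if the events are deduplicated before taking `earliest`, which is the mistake the poster ran into. The timestamps and event names are invented for illustration. The same first-seen pattern is what a defender uses to surface "new this month" hosts, users or process names in detection content, so the distinction between the three results matters beyond this one chart.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (timestamp, event) rows spanning three months, built to
# reproduce the month/event table in the question. Not the poster's real data.
SAMPLE = [
    ("2023-01-05 10:00:00", "a"), ("2023-01-12 11:00:00", "b"), ("2023-01-20 12:00:00", "c"),
    ("2023-02-02 09:00:00", "a"), ("2023-02-03 09:00:00", "c"), ("2023-02-10 09:00:00", "z"),
    ("2023-02-15 09:00:00", "d"), ("2023-02-28 09:00:00", "z"),
    ("2023-03-01 08:00:00", "a"), ("2023-03-02 08:00:00", "z"), ("2023-03-03 08:00:00", "b"),
    ("2023-03-04 08:00:00", "g"), ("2023-03-05 08:00:00", "h"), ("2023-03-06 08:00:00", "u"),
    ("2023-03-07 08:00:00", "z"), ("2023-03-08 08:00:00", "b"),
]


def parse(rows):
    """Turn (timestamp string, event) rows into (datetime, event) pairs."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ev) for ts, ev in rows]


def month_key(dt):
    """Equivalent of Splunk's eval month=strftime(time,"%Y-%m"): year AND month,
    so January of two different years never collapse into one bucket."""
    return dt.strftime("%Y-%m")


def distinct_per_month(rows):
    """Equivalent of `timechart dc(event)` per month: every month is counted on its
    own, so an event seen in several months is counted in each of them."""
    seen = defaultdict(set)
    for dt, ev in parse(rows):
        seen[month_key(dt)].add(ev)
    return {m: len(evs) for m, evs in sorted(seen.items())}


def new_per_month(rows):
    """Equivalent of the accepted search:
    stats earliest(_time) as time by event | eval month=strftime(time,"%Y-%m")
    | stats count as "Unique new count" by month
    Each event is attributed only to the month it was first observed."""
    first_seen = {}
    for dt, ev in parse(rows):
        if ev not in first_seen or dt < first_seen[ev]:
            first_seen[ev] = dt
    counts = Counter(month_key(dt) for dt in first_seen.values())
    return dict(sorted(counts.items()))


def new_per_month_after_dedup(rows):
    """The failure mode from the thread: Splunk returns events newest-first, and
    `dedup event` keeps the first result it meets, i.e. the MOST RECENT occurrence.
    Running earliest() after that yields the last-seen month, not the first-seen one."""
    newest = {}
    for dt, ev in parse(rows):
        if ev not in newest or dt > newest[ev]:
            newest[ev] = dt
    counts = Counter(month_key(dt) for dt in newest.values())
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("dc(event) per month:      ", distinct_per_month(SAMPLE))
    print("new events per month:     ", new_per_month(SAMPLE))
    print("after a premature dedup:  ", new_per_month_after_dedup(SAMPLE))
```

On the sample data the distinct count gives 3, 4, 6 as in the question, the first-seen count gives the wanted 3, 2, 3, and the deduplicated variant drops the first month entirely and reports 2 and 6, because every recurring event has been moved to its latest month. In SPL the fix is simply to let `stats earliest(_time) by event` see all raw events and not to `dedup` beforehand.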

quahfamili
Path Finder

Hi,
Thanks for the reply, I got it to work. I made a mistake by deduping the events.

Thanks again!

0 Karma