Solved: Re: How to search count by unique ID?

raindrop18 · ‎08-28-2014

I have this string, which extracts and counts permit user per class

index="mysite" sourcetype="Access" AND Permit | rex ^\S+\s+\S+\s+(?\S+) | timechart count by city

now I want to count not just number of permit user but unique permit user, so I have included the ID field

index="mysite" sourcetype="Access" AND "Permit" AND "ID" | rex ^\S+\s+\S+\s+(?\S+) | timechart count by city

how I can include ID to be the count for only the unique permit user. my expectation is to have

unique ID + permit + city

somesoni2 · ‎08-28-2014

This would be my guess without the sample data.

index="mysite" sourcetype="Access" AND "Permit" AND "ID" | rex ^S+s+S+s+(?<city>S+)| timechart count dc(ID) as unique by city

somesoni2 · ‎08-28-2014

This would be my guess without the sample data.

index="mysite" sourcetype="Access" AND "Permit" AND "ID" | rex ^S+s+S+s+(?<city>S+)| timechart count dc(ID) as unique by city

raindrop18 · ‎08-28-2014

thanks, it is very helpfull. I am simply use "stats dc(id) by city" and work.

How to search count by unique ID?