I am in need of a search that will display the number of distinct users by index over the past 3 months. I have created the following search and run it over a 3-month time span, but I am wondering if this is the correct approach.
index=_audit NOT user="n/a" NOT user="splunk-system-user" action="search" info="granted" "search index=indexname" | timechart span=1mon count(_raw) by user
Please advise. Thanks in advance.
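For comparison with the search in the question, here is an added example (not the poster's search) that reports a distinct count of users per index per month using `dc(user)`, with the index names pulled out of the audited search string instead of being fixed in the filter. The field name `searched_index` is made up for this example, and the regex is an assumption: it only catches literal `index=` terms, so indexes reached through macros, event types or a role's default indexes are not counted.

```spl
index=_audit action=search info=granted search=* user!="n/a" user!="splunk-system-user" earliest=-3mon@mon latest=@mon
| rex field=search max_match=0 "(?i)\bindex\s*=\s*\"?(?<searched_index>[\w\*\-]+)"
| mvexpand searched_index
| timechart span=1mon limit=0 dc(user) AS distinct_users by searched_index
```

A wildcard term such as `index=*` shows up as its own series named `*`, because the audit event records the search text and not the indexes it resolved to.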