I’ve been working through this query, and depending on the length of time you are looking back, you can use one of the following two methods.
Option 1 – Short time window (30 days or less): concurrent users for a span of 5 minutes.
sourcetype="access_combined" | timechart span=5m dc(clientip) as "Concurrent Users"
Option 2 – Longer time window (greater than 30 days, perhaps many months or more): minimum, maximum, and average concurrent user counts. Doing it this way eliminates having too many data points for a traditional timechart.
sourcetype="access_combined" | streamstats time_window=5m dc(clientip) as uniq_user | timechart span=1h min(uniq_user) as "Minimum Concurrent Users" max(uniq_user) as "Maximum Concurrent Users" eval(round(avg(uniq_user),0)) as "Average Concurrent Users"
With Option 2 you can tweak the granularity a bit by modifying the streamstats time_window and the span in the timechart. You’ll still get the maximum concurrent users over a one-hour window, as well as the minimum and an average. I imagine there is a better way to do this, but it’s working for me!
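To show how the two searches differ in what they count, here is an added Python example (not part of the original post, and not Splunk code) that emulates both over constructed access_combined-style lines. It assumes the streamstats window is the 5 minutes ending at each event, with events in ascending time order; the function names and sample data are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access_combined-style lines (not real traffic).
SAMPLE = """\
10.0.0.1 - - [01/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.2 - - [01/Mar/2024:10:03:00 +0000] "GET /a HTTP/1.1" 200 128
10.0.0.3 - - [01/Mar/2024:10:05:30 +0000] "GET /b HTTP/1.1" 200 64
10.0.0.4 - - [01/Mar/2024:10:06:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.4 - - [01/Mar/2024:10:30:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.4 - - [01/Mar/2024:11:02:00 +0000] "GET /c HTTP/1.1" 404 0
10.0.0.5 - - [01/Mar/2024:11:03:00 +0000] "GET / HTTP/1.1" 200 512
"""
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse(text):
    """Return (epoch_seconds, clientip) pairs sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            events.append((int(ts.timestamp()), m.group(1)))
    return sorted(events)

def bucket_dc(events, span=300):
    """Option 1: distinct clientip per fixed, span-aligned bucket."""
    buckets = defaultdict(set)
    for ts, ip in events:
        buckets[ts - ts % span].add(ip)
    return {start: len(ips) for start, ips in sorted(buckets.items())}

def window_dc(events, window=300):
    """Option 2, step 1: distinct clientip in the window ending at each event."""
    out, lo = [], 0
    for i, (ts, _) in enumerate(events):
        while events[lo][0] <= ts - window:  # drop events older than the window
            lo += 1
        out.append((ts, len({ip for _, ip in events[lo:i + 1]})))
    return out

def hourly_stats(per_event, span=3600):
    """Option 2, step 2: (min, max, rounded avg) of per-event counts per hour."""
    hours = defaultdict(list)
    for ts, n in per_event:
        hours[ts - ts % span].append(n)
    return {h: (min(v), max(v), round(sum(v) / len(v))) for h, v in sorted(hours.items())}
```

On this sample the fixed 5-minute buckets never show more than 2 distinct IPs, while the sliding window reaches 4 at 10:06:00, because those four clients straddle a bucket boundary.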