A security team needs to create a report that shows the number of distinct users who triggered a firewall block each day for the past 30 days. Which search and visualization combination should be used?
Trap 1: Use `dc(user)` with `chart` and a column chart
`chart` without a time-based axis doesn't show the daily trend.
Trap 2: Use `top user` with `timechart` and a pie chart
`top` shows the most frequent users, not a distinct count per day.
Trap 3: Use `count` with `chart` and a bar chart
Counts events, not distinct users.
- A
Use `dc(user)` with `chart` and a column chart
Why wrong: `chart` without a time-based axis doesn't show the daily trend.
- B
Use `top user` with `timechart` and a pie chart
Why wrong: `top` shows the most frequent users, not a distinct count per day.
- C
Use `dc(user)` with `timechart` and a column chart
Correctly counts distinct users per day over time.
- D
Use `count` with `chart` and a bar chart
Why wrong: Counts events, not distinct users.