Distinct count

The distinct count functions (distinct_count, low_distinct_count, and high_distinct_count) measure the uniqueness (cardinality) of the values of a particular field. They have many possible uses, particularly in the context of population analysis (see next), where they uncover entities that log an overly diverse set of field values. A classic example is looking for IP addresses engaged in port scanning, that is, accessing an unusually large number of distinct destination port numbers on remote machines:

{
  "function" : "high_distinct_count",
  "field_name" : "dest_port",
  "over_field_name": "src_ip"
}

Notice that the src_ip field is defined as the over field, thus invoking population analysis and comparing the activity of each source IP against that of the other source IPs. A further discussion of population analysis follows next.
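To make concrete what the detector above measures, here is an added example (not code from the book or from the ML product) that computes the cardinality of dest_port per src_ip over constructed flow records and then flags the source IPs whose cardinality stands out from the population. The median/MAD fence is an assumption used as a simple stand-in for the product's probabilistic model; the high_/low_ prefix handling mirrors the three function variants named in the text.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records; not taken from the original page.
# 10.0.0.42 touches 40 distinct destination ports, the others touch 2 or 3.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_port": 443}, {"src_ip": "10.0.0.5", "dest_port": 80},
    {"src_ip": "10.0.0.5", "dest_port": 443}, {"src_ip": "10.0.0.7", "dest_port": 22},
    {"src_ip": "10.0.0.7", "dest_port": 443}, {"src_ip": "10.0.0.9", "dest_port": 3389},
    {"src_ip": "10.0.0.9", "dest_port": 443}, {"src_ip": "10.0.0.9", "dest_port": 53},
] + [{"src_ip": "10.0.0.42", "dest_port": p} for p in range(1, 41)]

# The detector from the text: distinct dest ports, compared across src IPs (population).
DETECTOR = {
    "function": "high_distinct_count",
    "field_name": "dest_port",
    "over_field_name": "src_ip",
}

def distinct_count_by_over_field(records, detector):
    """Cardinality of field_name per over_field_name entity (distinct ports per source IP)."""
    seen = defaultdict(set)
    for r in records:
        seen[r[detector["over_field_name"]]].add(r[detector["field_name"]])
    return {entity: len(values) for entity, values in seen.items()}

def population_outliers(counts, detector, k=3.0):
    """Flag entities whose cardinality is unusual relative to the rest of the population.

    Uses a robust median + k*MAD fence (an assumed stand-in for the ML job's model).
    The function prefix decides the side: high_* flags only above the fence,
    low_* only below it, and plain distinct_count flags both.
    """
    values = sorted(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero-width fence
    fn = detector["function"]
    hi, lo = med + k * mad, med - k * mad
    flagged = {}
    for entity, c in counts.items():
        too_high = c > hi and not fn.startswith("low_")
        too_low = c < lo and not fn.startswith("high_")
        if too_high or too_low:
            flagged[entity] = c
    return flagged

if __name__ == "__main__":
    counts = distinct_count_by_over_field(SAMPLE_FLOWS, DETECTOR)
    print(population_outliers(counts, DETECTOR))  # {'10.0.0.42': 40}
```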
