https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390384#M113703 <P>Did this work for you, @joydeep741?</P> Tue, 12 Feb 2019 00:03:59 GMT woodcock 2019-02-12T00:03:59Z https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390380#M113699 <P>I have a query which gives a "per day count of a particular field" in the last 60 days.</P> <P>Example:<BR /> <STRONG>TIME COUNT</STRONG><BR /> 01-11-2018 43<BR /> 01-11-2018 66<BR /> 01-11-2018 87<BR /> .<BR /> .<BR /> .<BR /> 30-12-2018 76<BR /> 31-12-2018 66</P> <P>Now, I wish to SUM these counts in the following way:<BR /> - SUM of first 10 days<BR /> - SUM of first month<BR /> - SUM of second month</P> <P>Can I do that in a single query ?</P> Mon, 31 Dec 2018 06:03:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390380#M113699 joydeep741 2018-12-31T06:03:43Z https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390381#M113700 <P>Events typically have a field extracted from timestamps that represents the month of the timestamp. If your above data doesn't have this then you'll need to use a rex or eval to get it. Then, in order to get the "first ten days" I'd suggest adding a fake zeroth month to that field for those days. Then getting your sums is a matter of splitting a stats sum by month.</P> <P>Assuming you have the month and day fields, try something like the following:<BR /> | eval month=if(month == 11 AND day &lt; 11, mvappend(month-1), month)<BR /> | stats sum(count) by month</P> Mon, 31 Dec 2018 06:51:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390381#M113700 badarsebard 2018-12-31T06:51:28Z https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390382#M113701 <P>@joydeep741,</P> <P>Try</P> <PRE><CODE>"your current search to get the count"|eval mon=strftime(strptime(TIME,"%d-%m-%Y"),"%m")|streamstats count as sno|streamstats count as month by mon |streamstats count(eval(if(month==1,1,null()))) as month |eventstats sum(eval(if(sno&lt;11,count,null()))) as first10,sum(eval(if(month==1,count,null()))) as firstMonth, sum(eval(if(month==2,count,null()))) as secondMonth |fields - mon,month,sno </CODE></PRE> <P>Please note that , here first 10, first month, second month etc are based on the order of your events. This should work for any time range/duration you select</P> Mon, 31 Dec 2018 07:28:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390382#M113701 renjith_nair 2018-12-31T07:28:00Z https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390383#M113702 <P>Add something like this to the end of your existing search:</P> <PRE><CODE>| eval thisMonthStart=relative_time(now(), "@mon") | eval lastMonthStart=relative_time(now(), "-1mon@mon") | eval first10days = if(((_time &gt;= thisMonthStart) AND (_time &lt;= relative_time(thisMonthStart, "+10d"))), 1, 0) | eval thisMonth = if((_time &gt;= lastMonthStart), 1, 0) | eval lastMonth = if(((_time &gt;= lastMonthStart) AND (_time &lt;= thisMonthStart)), 1, 0) | multireport [ | where first10days==1 | stats sum(COUNT) AS first10days ] [ | where thisMonth==1 | stats sum(COUNT) AS thisMonth ] [ | where lastMonth==1 | stats sum(COUNT) AS lastMonth ] </CODE></PRE> Sun, 03 Feb 2019 01:19:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390383#M113702 woodcock 2019-02-03T01:19:00Z https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390384#M113703 <P>Did this work for you, @joydeep741?</P> Tue, 12 Feb 2019 00:03:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-aggregate-logic-based-on-dates/m-p/390384#M113703 woodcock 2019-02-12T00:03:59Z