topic Re: How to group events by date? in Splunk Search

How to group events by date?

thl8490123 — Sat, 11 Jul 2020 16:51:38 GMT

Hi,

I manage to get the view i want using below search command.

May I know how to group the events by Month_Year format and display on the table besides the events?

Current View

Expected

Re: How to group events by date?

niketn — Sat, 11 Jul 2020 18:56:54 GMT

@thl8490123 based on the screenshot and SPL provided in the question, you are better off running tstats query which will perform way better.

Please try out the following SPL and confirm

| tstats count where index=main source IN ("wineventlog:application","wineventlog:System","wineventlog:security") by host _time source span=1mon | eval {source}=count | fields - source count

Re: How to group events by date?

to4kawa — Sat, 11 Jul 2020 22:43:48 GMT

I tried to follow the image.

| tstats count where index=main source IN ("wineventlog:application","wineventlog:System","wineventlog:security") by host _time source span=1mon | eval time=strftime(_time,"%b %Y") , hosts=host."::".time | fields - host _time | xyseries hosts source count | rex field=hosts "(?<host>.*)::(?<month>.*)" | table host month win* | addcoltotals | appendpipe [ tail 1 | addtotals | eval wineventlog:application = round('wineventlog:application' / Total * 100,2) | eval wineventlog:security = round('wineventlog:security' / Total * 100,2) | eval wineventlog:system = round('wineventlog:system' / Total * 100,2) | fields - Total]

I am not able to use foreach in subsearch.

| foreach win* [ eval <<FIELD>> = round(<<FIELD>> / Total * 100, 2) ]

I'm disappointment.

Re: How to group events by date?

niketn — Sun, 12 Jul 2020 03:59:01 GMT

@to4kawa The sum total and percent in the screenshot is from the built in formatting option for the Table. So SPL is not really needed!

Re: How to group events by date?

to4kawa — Sun, 12 Jul 2020 07:57:51 GMT

I've never heard of it before. 😅