https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438795#M166936 <P>@jip31,<BR /> Try extracting the month(with year)and do the stats</P> <PRE><CODE>index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | eval time = strftime(_time, "%m/%d/%Y %H:%M") | dedup time | sort -time | eval mon=strftime(_time,"%Y-%m")|stats count by mon,type </CODE></PRE> <P>Also, if you are using <CODE>dedup</CODE> by time , then it deletes all duplicates just based on time and might affect your count </P> Fri, 19 Oct 2018 14:07:56 GMT renjith_nair 2018-10-19T14:07:56Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438794#M166935 <P>Hello,</P> <P>I use the request below</P> <PRE><CODE>index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | eval time = strftime(_time, "%m/%d/%Y %H:%M") | dedup time | sort -time | table time host Type EventCode Message </CODE></PRE> <P>I try to do a count by type and by time, but for time, i just need to take into account the month.</P> <P>I need the same things but by type, by host, and by month.</P> <P>could you help me please???</P> Fri, 19 Oct 2018 13:48:31 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438794#M166935 jip31 2018-10-19T13:48:31Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438795#M166936 <P>@jip31,<BR /> Try extracting the month(with year)and do the stats</P> <PRE><CODE>index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | eval time = strftime(_time, "%m/%d/%Y %H:%M") | dedup time | sort -time | eval mon=strftime(_time,"%Y-%m")|stats count by mon,type </CODE></PRE> <P>Also, if you are using <CODE>dedup</CODE> by time , then it deletes all duplicates just based on time and might affect your count </P> Fri, 19 Oct 2018 14:07:56 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438795#M166936 renjith_nair 2018-10-19T14:07:56Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438796#M166937 <P>I'm not sure to understand your request, but I think it should look like someting like that : </P> <PRE><CODE>index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | timechart span=1month count by Type </CODE></PRE> <P>Is that what you're looking for ? </P> Fri, 19 Oct 2018 14:10:18 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438796#M166937 3no 2018-10-19T14:10:18Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438797#M166938 <P>Try this-</P> <PRE><CODE>index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | bin span=1mon _time| stats count values(Message) values(EventCode) by Type host _time </CODE></PRE> Sun, 21 Oct 2018 20:29:48 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438797#M166938 Vijeta 2018-10-21T20:29:48Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438798#M166939 <P>Hi i have no result with your query even if when i do index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | i have results</P> Mon, 22 Oct 2018 05:32:47 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438798#M166939 jip31 2018-10-22T05:32:47Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438799#M166940 <P>hi its close of want i want but there is mistake in the count<BR /> on my computer i have :<BR /> - october : 3 Avertissement with EventCode 51<BR /> - September : 2 Avertissement with EventCode 51 and 4 Erreurs with EventCode 11<BR /> So i have 9 events<BR /> In your count i have for example 386 Avertissements with EventCode 51 in September!</P> Mon, 22 Oct 2018 05:50:06 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438799#M166940 jip31 2018-10-22T05:50:06Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438800#M166941 <P>@jip31 If you want to do the count by Eventcode then try the below code </P> <PRE><CODE>index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | bin span=1mon _time| stats count values(Message) by EventCode Type host _time </CODE></PRE> Mon, 22 Oct 2018 05:54:25 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438800#M166941 Vijeta 2018-10-22T05:54:25Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438801#M166942 <P>Yes but my main problem is the count which is false<BR /> when i look my events i have a lot of events which the same time<BR /> for example : 10/04/2018 05:44:47 AM<BR /> due to this piece of code bin span=1mon _time i cant do a dedup time<BR /> have you an idea please??</P> Mon, 22 Oct 2018 07:21:23 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438801#M166942 jip31 2018-10-22T07:21:23Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438802#M166943 <P>@jip31,<BR /> are you getting results after <CODE>eval mon=strftime(_time,"%Y-%m")</CODE> and also change <CODE>type</CODE> to <CODE>Type</CODE></P> Mon, 22 Oct 2018 11:05:05 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438802#M166943 renjith_nair 2018-10-22T11:05:05Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438803#M166944 <P>yes it was due to Type renjith, many thanks</P> Mon, 22 Oct 2018 11:49:44 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438803#M166944 jip31 2018-10-22T11:49:44Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438804#M166945 <P>To remove duplicates on time and count by eventcode:</P> <PRE><CODE>index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | dedup _time | bin span=1mon _time| stats count values(Message) by EventCode Type host _time </CODE></PRE> <P>If the field date_month is available, you could use that instead of _time, if you wished.</P> Mon, 22 Oct 2018 12:18:04 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-the-following-stats-data-query/m-p/438804#M166945 landen99 2018-10-22T12:18:04Z