https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610407#M212268 <P>My search</P><P>&nbsp;</P><P>index=action AND "True" | dedup _time| stats count as total1| appendcols [search index=action AND "[Home]" | dedup _time| stats count as total2] | appendcols [search index=action AND "False" | dedup _time| stats count as False]| eval True=(total1-total2)|eval False=round(False/(False+True)*100,2)| table False</P> Mon, 22 Aug 2022 23:45:58 GMT SS1 2022-08-22T23:45:58Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610386#M212257 <P>Hi,</P><P>I have my current search giving below output, I want to have stats listed by Month. Can someone help on this one</P><P>Current Search:&nbsp; <STRONG>my search |&nbsp;&nbsp;eval True=(total1-total2) | eval False=round(False/(True+False)*100,2) | table False</STRONG></P><P>Output:&nbsp; &nbsp; &nbsp; &nbsp; <STRONG>False</STRONG></P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <STRONG>42.12</STRONG></P><P>&nbsp;</P><P><STRONG>Desired Output:&nbsp;</STRONG></P><P>Month&nbsp; &nbsp; &nbsp; False</P><P>August&nbsp; &nbsp; 42.12</P><P>July&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;xx.xx</P><P>june&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;xx.xx</P><P>.</P><P>.</P><P>.</P> Mon, 22 Aug 2022 22:59:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610386#M212257 SS1 2022-08-22T22:59:54Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610398#M212260 <LI-CODE lang="markup">| bin _time span=1mon</LI-CODE> Mon, 22 Aug 2022 22:35:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610398#M212260 ITWhisperer 2022-08-22T22:35:47Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610401#M212263 <P>It still doesn't give monthly stats, still shows just the value</P> Mon, 22 Aug 2022 23:01:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610401#M212263 SS1 2022-08-22T23:01:35Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610406#M212267 <P>with bin command, you would normally then use "stats xxxx by _time" to then group values according to the month and then you do your true/false calculations on that.</P><P>What is in 'my search' part of your search?</P> Mon, 22 Aug 2022 23:39:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610406#M212267 bowesmana 2022-08-22T23:39:20Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610407#M212268 <P>My search</P><P>&nbsp;</P><P>index=action AND "True" | dedup _time| stats count as total1| appendcols [search index=action AND "[Home]" | dedup _time| stats count as total2] | appendcols [search index=action AND "False" | dedup _time| stats count as False]| eval True=(total1-total2)|eval False=round(False/(False+True)*100,2)| table False</P> Mon, 22 Aug 2022 23:45:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610407#M212268 SS1 2022-08-22T23:45:58Z https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610429#M212280 <P>OK, without knowing your data, I would suggest that using appendcols is not the best way to approach the problem.&nbsp; I am not sure why you are deduping _time.&nbsp;</P><P>You have events in index=action that can have</P><P>a) any ONE of the 3 possible (True, [Home], False)<BR />b) one or more of&nbsp;(True, [Home], False)</P><P>and as you are deduping _time, it may be that you have more than one with the identical _time value</P><P>Depending on the answers to the above, this may be an option</P><LI-CODE lang="markup">index=action AND ("True" OR "[Home]" OR "False") | eval T=if(match(_raw, "(?i)True"), 1, 0) | eval H=if(match(_raw, "(?i)\[Home\]"), 1, 0) | eval F=if(match(_raw, "(?i)False"), 1, 0) | bin _time span=1mon | stats sum(T) as T sum(H) as H sum(F) as F count by _time | eval True=(T-H) | eval False=round(F/(F+True)*100,2) | table False</LI-CODE><P>A single search to collect all data. Some eval statements to determine the type of data you are looking at and then the bin of time for 1 month the stats by _time (i.e. 1 month)</P><P>Then the calculates for the True/Home/False values.</P><P>However, your reason for deduping _time is significant. If there is more than one T, H or F at _time and you want to disregard those, this is not right as it will count those twice.</P><P>You could add a&nbsp;</P><LI-CODE lang="markup">| stats max(T) as T max(H) as H max(F) as F by _time</LI-CODE><P>before the | bin command to get either a 1 or 0 for time for each value of _time before you aggregate to 1 month.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Aug 2022 04:43:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-stats-by-month/m-p/610429#M212280 bowesmana 2022-08-23T04:43:52Z