https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651584#M225264 <P>Which one worked? Can you accept the one that worked, so the solution as there are multiple suggestions - it's not clear if you don't see the hierarchy, which one you are replying to.</P><P>&nbsp;</P> Sat, 22 Jul 2023 07:37:57 GMT bowesmana 2023-07-22T07:37:57Z https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/650993#M225258 <P>Hi and just reaching out as stumped. Very grateful for assistance. This query returns the following in the statistics tab:<BR /><BR /></P><P>index="ds" (tags_rule="Jason" OR tags_rule="Bill" OR tags_rule=”Smithy”)<BR />| timechart span=1d dc(Device_Name) as Number_of_Devices by tags_rule<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="csar5634_0-1689684061965.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26327iD544CCD5960622EE/image-size/medium?v=v2&amp;px=400" role="button" title="csar5634_0-1689684061965.png" alt="csar5634_0-1689684061965.png" /></span></P><P>The next step i'd like to do is then count up all the values in the columns and group them by the respective month. So it would look like the below. Just not having any luck figuring out the right query. Thanks in advance!<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="csar5634_1-1689684222679.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26328iED35AC48507E42EB/image-size/medium?v=v2&amp;px=400" role="button" title="csar5634_1-1689684222679.png" alt="csar5634_1-1689684222679.png" /></span></P><P>&nbsp;</P> Tue, 18 Jul 2023 12:45:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/650993#M225258 csar5634 2023-07-18T12:45:00Z https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/650994#M225259 <P>1. You don't need to timechart per day if you want to finally aggregate by month <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>2. Render a month from the date using</P><PRE>| eval month=strftime(_time,"%m")</PRE><P>And now you can use that field to split your stats by</P><PRE>| stats dc(Device_Name) as 'Number of Devices' by tags_rule month</PRE><P>So your search effectively looks like this:</P><PRE>index="ds" (tags_rule="Jason" OR tags_rule="Bill" OR tags_rule=”Smithy”)<BR />| eval month=strftime(_time,"%m")<BR />| stats dc(Device_Name) as 'Number of Devices' by tags_rule month</PRE><P>Finally you can do xyseries to print it in a tabular form if you want.</P><P>Theoretically, you could use the default time-related fields but I don't trust them.</P> Tue, 18 Jul 2023 13:08:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/650994#M225259 PickleRick 2023-07-18T13:08:07Z https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651020#M225260 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258813">@csar5634</a>&nbsp;You are using DC to calculate unique devices per day but want the total by month, i.e. in your example Jason has a total of 4. If that is the same device you still want SUM of those DC counts?</P><P>If it's the same device or different devices you still want the result to be 4?</P><P>If you want that to be 4 then just add the timechart&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| timechart span=1mon sum(*) as *</LI-CODE><P>if you then want to change the date format to be MMM-YY instead of YYYY-MM just add this to the end</P><LI-CODE lang="markup">| fieldformat _time=strftime(_time, "%b-%y")</LI-CODE><P>if you want the DC() to reflect unique devices in the whole month then change the initial span to span=1mon</P><P>&nbsp;</P> Tue, 18 Jul 2023 15:10:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651020#M225260 bowesmana 2023-07-18T15:10:37Z https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651074#M225261 <P>Awesome, this one worked. So simple in the end. Thanks for the prompt response.</P> Wed, 19 Jul 2023 07:15:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651074#M225261 csar5634 2023-07-19T07:15:58Z https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651075#M225262 <P>Thanks for responding. I couldn't get the output from the modification you gave, apols if my question wasn't clear enough. I appreciate you responding.</P> Wed, 19 Jul 2023 07:17:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651075#M225262 csar5634 2023-07-19T07:17:18Z https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651584#M225264 <P>Which one worked? Can you accept the one that worked, so the solution as there are multiple suggestions - it's not clear if you don't see the hierarchy, which one you are replying to.</P><P>&nbsp;</P> Sat, 22 Jul 2023 07:37:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651584#M225264 bowesmana 2023-07-22T07:37:57Z https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651666#M225279 <P>Hey and i accepted your's as the solution. It should be noted as such. Thanks.</P> Mon, 24 Jul 2023 01:09:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-the-count-of-daily-events-by-their-month/m-p/651666#M225279 csar5634 2023-07-24T01:09:18Z