https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740597#M240460 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiran_panchavat_0-1741015558161.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/37941i8532A6BE14DDE884/image-size/medium?v=v2&amp;px=400" role="button" title="kiran_panchavat_0-1741015558161.png" alt="kiran_panchavat_0-1741015558161.png" /></span></P><P>&nbsp;</P> Mon, 03 Mar 2025 15:26:03 GMT kiran_panchavat 2025-03-03T15:26:03Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740594#M240459 <P>I have this search to see logins to our splunk environment:</P><P>&nbsp; index = _audit user="*" action="login attempt" info=succeeded | stats count by user</P><P>mgmt is asking to see the same data but instead of a "count" column, they want a column for each month. I assume it will be a table of some sort but can't figure out the date summarizing.</P><P>Here is an example of the individual entry:</P><P><SPAN class="">Audit:</SPAN><SPAN>[</SPAN><SPAN class=""><SPAN class="">timestamp</SPAN>=03-03-2025</SPAN> <SPAN class="">09:10:52.577</SPAN><SPAN>, </SPAN><SPAN class="">user=xxxxxx</SPAN><SPAN>, </SPAN><SPAN class="">action=login</SPAN> <SPAN class="">attempt</SPAN><SPAN>, </SPAN><SPAN class="">info=succeeded</SPAN> <SPAN class="">reason=user-initiated</SPAN> <SPAN class="">useragent=</SPAN><SPAN>"</SPAN><SPAN class="">Mozilla/5.0</SPAN><SPAN> (</SPAN><SPAN class="">Windows</SPAN> <SPAN class="">NT</SPAN> <SPAN class="">10.0</SPAN><SPAN>; </SPAN><SPAN class="">Win64</SPAN><SPAN>; </SPAN><SPAN class="">x64</SPAN><SPAN>) </SPAN><SPAN class="">AppleWebKit/537.36</SPAN><SPAN> (</SPAN><SPAN class="">KHTML</SPAN><SPAN>, </SPAN><SPAN class="">like</SPAN> <SPAN class="">Gecko</SPAN><SPAN>) </SPAN><SPAN class="">Chrome/133.0.0.0</SPAN> <SPAN class="">Safari/537.36</SPAN><SPAN>" </SPAN><SPAN class="">clientip=xxx.xxx.xxx.x</SPAN><SPAN>" </SPAN><SPAN class="">method=LDAP</SPAN><SPAN>" </SPAN><SPAN class="">session=17a169464fada764a1bac7310cac4c47]</SPAN></P><P>columns should be:&nbsp; user&nbsp; &nbsp;monthA&nbsp; &nbsp; monthB&nbsp; &nbsp;monthc</P><P>with the counts under each month</P><P>Thanks!</P> Mon, 03 Mar 2025 15:17:57 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740594#M240459 mvasquez21 2025-03-03T15:17:57Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740597#M240460 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiran_panchavat_0-1741015558161.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/37941i8532A6BE14DDE884/image-size/medium?v=v2&amp;px=400" role="button" title="kiran_panchavat_0-1741015558161.png" alt="kiran_panchavat_0-1741015558161.png" /></span></P><P>&nbsp;</P> Mon, 03 Mar 2025 15:26:03 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740597#M240460 kiran_panchavat 2025-03-03T15:26:03Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740598#M240461 <P>could i ask of you to paste that so my bad typing doesn't mess it up? Thanks so much!</P><P>&nbsp;</P> Mon, 03 Mar 2025 15:31:17 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740598#M240461 mvasquez21 2025-03-03T15:31:17Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740599#M240462 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><PRE>| makeresults count=20 <BR />| eval _time=relative_time(now(), "-".(random()%180)."d") <BR />| eval user="user".tostring(1+random()%5) <BR />| eval action="login attempt", info="succeeded" <BR />| eval month=strftime(_time, "%b %Y") <BR />| chart count over user by month</PRE> Mon, 03 Mar 2025 15:34:47 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740599#M240462 kiran_panchavat 2025-03-03T15:34:47Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740600#M240463 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><P>Try this&nbsp;</P><PRE>index = _audit user="*" action="login attempt" info=succeeded<BR />| eval _time=relative_time(now(), "-".(random()%180)."d") <BR />| eval month=strftime(_time, "%b %Y") <BR />| chart count over user by month</PRE><P>&nbsp;</P> Mon, 03 Mar 2025 15:44:49 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740600#M240463 kiran_panchavat 2025-03-03T15:44:49Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740603#M240464 <P>when using this one:</P><PRE>| makeresults count=20 <BR />| eval _time=relative_time(now(), "-".(random()%180)."d") <BR />| eval user="user".tostring(1+random()%5) <BR />| eval action="login attempt", info="succeeded" <BR />| eval month=strftime(_time, "%b %Y") <BR />| chart count over user by month<BR /><BR />my results don't show the username:</PRE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mvasquez21_0-1741016486381.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/37942iAE0E458D9DE726B1/image-size/medium?v=v2&amp;px=400" role="button" title="mvasquez21_0-1741016486381.png" alt="mvasquez21_0-1741016486381.png" /></span></P><P>&nbsp;</P> Mon, 03 Mar 2025 15:41:33 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740603#M240464 mvasquez21 2025-03-03T15:41:33Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740604#M240465 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><P>makeresults is a <STRONG>command in Splunk</STRONG> that generates synthetic (fake) data for testing, debugging, and query development <STRONG>without using an actual index</STRONG>. You have to pass your original query.&nbsp;</P><H3>&nbsp;</H3> Mon, 03 Mar 2025 15:42:43 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740604#M240465 kiran_panchavat 2025-03-03T15:42:43Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740605#M240466 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><P>You have to use this query:</P><PRE>index = _audit user="*" action="login attempt" info=succeeded<BR />| eval _time=relative_time(now(), "-".(random()%180)."d") <BR />| eval month=strftime(_time, "%b %Y") <BR />| chart count over user by month</PRE> Mon, 03 Mar 2025 15:44:24 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740605#M240466 kiran_panchavat 2025-03-03T15:44:24Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740606#M240467 <P>when i try to append my search with it i get this error:&nbsp;<SPAN>Error in 'makeresults' command: This command must be the first command of a search.</SPAN></P><P>index = _audit user="*" action="login attempt" info=succeeded | makeresults count=20<BR />| eval _time=relative_time(now(), "-".(random()%180)."d")<BR />| eval user="user".tostring(1+random()%5)<BR />| eval action="login attempt", info="succeeded"<BR />| eval month=strftime(_time, "%b %Y")<BR />| chart count over user by month</P><P>&nbsp;</P> Mon, 03 Mar 2025 15:44:40 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740606#M240467 mvasquez21 2025-03-03T15:44:40Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740608#M240468 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><P>Don't append makeresults in your query:-</P><P>Use this&nbsp;</P><PRE>index = _audit user="*" action="login attempt" info=succeeded<BR />| eval _time=relative_time(now(), "-".(random()%180)."d") <BR />| eval month=strftime(_time, "%b %Y") <BR />| chart count over user by month</PRE> Mon, 03 Mar 2025 15:45:43 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740608#M240468 kiran_panchavat 2025-03-03T15:45:43Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740609#M240469 <P>perfect! you are a geniius</P> Mon, 03 Mar 2025 15:47:14 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740609#M240469 mvasquez21 2025-03-03T15:47:14Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740611#M240470 <P>one last thing. this is listing the months alphabetically. any way to do it chronologically?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mvasquez21_0-1741017367701.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/37943iD34B7794B9F36162/image-size/medium?v=v2&amp;px=400" role="button" title="mvasquez21_0-1741017367701.png" alt="mvasquez21_0-1741017367701.png" /></span></P><P>&nbsp;</P> Mon, 03 Mar 2025 15:56:14 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740611#M240470 mvasquez21 2025-03-03T15:56:14Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740614#M240472 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><P>Yes, you can definitely display the months chronologically instead of alphabetically. To achieve this, you need to convert the month representation (e.g., "Jan 2024") into a sortable format, like a timestamp or a year-month string (e.g., "2024-01").</P><PRE>index = _audit user="*" action="login attempt" info=succeeded<BR />| eval _time=relative_time(now(), "-".(random()%180)."d") <BR />| eval month=strftime(_time, "%Y-%m-%d"), sort_month=strftime(_time, "%Y-%m-%d") <BR />| chart count over user by month <BR />| sort + sort_month</PRE> Mon, 03 Mar 2025 16:09:13 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740614#M240472 kiran_panchavat 2025-03-03T16:09:13Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740616#M240473 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207748">@mvasquez21</a>&nbsp;</P><P>Refer my output:-</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiran_panchavat_0-1741018212912.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/37944iE4BFA91556BD35E7/image-size/medium?v=v2&amp;px=400" role="button" title="kiran_panchavat_0-1741018212912.png" alt="kiran_panchavat_0-1741018212912.png" /></span></P><P>&nbsp;</P> Mon, 03 Mar 2025 16:10:19 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740616#M240473 kiran_panchavat 2025-03-03T16:10:19Z https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740619#M240474 <P>that last one seems to undo the month summarizing</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mvasquez21_0-1741019322688.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/37945iE66C97321D5590DE/image-size/medium?v=v2&amp;px=400" role="button" title="mvasquez21_0-1741019322688.png" alt="mvasquez21_0-1741019322688.png" /></span></P><P>&nbsp;</P> Mon, 03 Mar 2025 16:28:49 GMT https://community.splunk.com/t5/Splunk-Search/summarize-stats-by-month/m-p/740619#M240474 mvasquez21 2025-03-03T16:28:49Z