https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282890#M85444 <PRE><CODE>|rex "\d{4}\-(?&lt;month&gt;[^\-]+)" |rex "\-\-\-\-\-\-\s+(?&lt;count&gt;\d+)" |stats sum(count) by month </CODE></PRE> Fri, 18 Dec 2015 10:15:34 GMT jmallorquin 2015-12-18T10:15:34Z https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282889#M85443 <P>Hi, <BR /> Im trying to sum results by date:</P> <P>CreatedDate ------ count<BR /> 2015-12-2 ------ 1<BR /> 2015-12-1 ------ 4<BR /> 2015-11-30 ------ 5<BR /> 2015-11-29 ------ 2</P> <P>i want to count how much in each month, how can i do it?</P> <P>Thanks!</P> Fri, 18 Dec 2015 09:55:51 GMT https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282889#M85443 abovebeyond 2015-12-18T09:55:51Z https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282890#M85444 <PRE><CODE>|rex "\d{4}\-(?&lt;month&gt;[^\-]+)" |rex "\-\-\-\-\-\-\s+(?&lt;count&gt;\d+)" |stats sum(count) by month </CODE></PRE> Fri, 18 Dec 2015 10:15:34 GMT https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282890#M85444 jmallorquin 2015-12-18T10:15:34Z https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282891#M85445 <P>hmm i forgot to mention , this is a db connect query </P> <P>the results from the DB , its not parsed so date_month isn't working </P> <P>any other options ?</P> Fri, 18 Dec 2015 10:30:46 GMT https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282891#M85445 abovebeyond 2015-12-18T10:30:46Z https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282892#M85446 <P>try this</P> <PRE><CODE>| bucket span=1mon CreatedDate | stats sum(count) AS total_count by CreatedDate </CODE></PRE> Fri, 18 Dec 2015 13:41:20 GMT https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282892#M85446 dcarmack_splunk 2015-12-18T13:41:20Z https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282893#M85447 <P>If the field CreatedDate is not detected as a valid date, you can convert it.<BR /> see <A href="http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Convert">http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Convert</A></P> <PRE><CODE>&lt;mysearch&gt; | convert timeformat="%Y-%m-%d" ctime(CreatedDate) AS NewCreatedDate | bucket span=1month NewCreatedDate | stats sum(count) AS total_count by NewCreatedDate </CODE></PRE> Sat, 19 Dec 2015 17:13:52 GMT https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282893#M85447 yannK 2015-12-19T17:13:52Z https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282894#M85448 <P>Hi yannK , tried it without a success </P> <P>NewCreatedDate shows nothing...</P> <P>Any other suggestions ?</P> <P>Thanks !</P> Thu, 24 Dec 2015 10:28:55 GMT https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282894#M85448 abovebeyond 2015-12-24T10:28:55Z https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282895#M85449 <P>if count and CreateDate fields exit after you run your_DB_search try simplily:</P> <PRE><CODE>&lt;your_DB_search&gt;| timechart span=1months sum(count) by CreatedDate usenull=f useother=f </CODE></PRE> Tue, 29 Sep 2020 08:17:03 GMT https://community.splunk.com/t5/Splunk-Search/search-results-sum-count-by-date/m-p/282895#M85449 fdi01 2020-09-29T08:17:03Z