Solved: Extract count of the last day for each month

marco_massari11 · ‎11-25-2020

Hi,

I have a query

index=network_appliance Hostname=* (sourcetype="old" OR sourcetype="new") Interface=* field=......................

and I want to display in a column chart the count of Interfaces of the last day for each month. So the result should be something like this:

October 1000

November 1100

So 1000 and 1100 should be the count of interfaces of 31/October and 25/November (last day of the current month).

Thank you in advance!

to4kawa · ‎11-25-2020

try
| eventstats max(date_mday) as last_day by date_month
| eventstats count(eval(last_day=date_mday)) as lastday_count by date_month Interface

View solution in original post

to4kawa · ‎11-25-2020

try
| eventstats max(date_mday) as last_day by date_month
| eventstats count(eval(last_day=date_mday)) as lastday_count by date_month Interface

marco_massari11 · ‎11-25-2020

I think it's enough to remove Interface in the by and that's it!

marco_massari11 · ‎11-25-2020

@to4kawa I think in the second line you means stats and not eventstats. Anyway with stats command I have the month, the interface name and the count for each interface. I don't need the interface name but the total Interfaces count.

Extract count of the last day for each month

chart

other

panel

timechart

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk