I have a search created, and want to get a count of the events returned by date. I know the date and time is stored in time, but I don't want to count by _time, because I only care about the date, not the time. Is there a way to get the date out of _time (I tried to build a rex, but it didn't work..)?
I also tried to do a count based on date_mday, but when adding that I got no results returned (nor did I get any results when I just added something like date_mday > 1 to the search string). It seems like the date fields are not populated for me (in this case, these are events from the Windows System log).
Any suggestions on how to count by date?
Thanks.
Convert _time to a date in the needed format.
* | convert timeformat="%Y-%m-%d" ctime(_time) AS date | stats count by date
see http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Convert
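The answer's pipeline does two things: render each event's epoch _time as a date string, then count by that string. The point that matters when these daily counts feed a report or an alert threshold is that the day boundary depends on the timezone used to render _time; the same event can land on different dates in UTC and in a local zone. The script below is an added example (not Splunk's code and not from the answer above) that reproduces the convert-then-stats logic in Python over a constructed set of Windows System log style events straddling midnight UTC, and shows the counts shifting when a fixed UTC-4 offset is used instead of UTC. The event messages, timestamps and the UTC-4 offset are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone, timedelta

# Constructed sample events: (_time as epoch seconds, message). The timestamps
# straddle midnight UTC on 2013-05-31 so the timezone effect on daily buckets is visible.
SAMPLE_EVENTS = [
    (1369954800, "Service Control Manager: service entered the running state"),  # 2013-05-30 23:00 UTC
    (1369960200, "EventLog: the event log service was started"),                 # 2013-05-31 00:30 UTC
    (1369965600, "Kernel-General: system time changed"),                         # 2013-05-31 02:00 UTC
    (1370001600, "Service Control Manager: service entered the stopped state"),  # 2013-05-31 12:00 UTC
    (1370048400, "EventLog: the event log service was stopped"),                 # 2013-06-01 01:00 UTC
]

# Stand-in for a user's local timezone (fixed offset, constructed; no DST handling).
UTC_MINUS_4 = timezone(timedelta(hours=-4))


def event_date(epoch_seconds, tz=timezone.utc, timeformat="%Y-%m-%d"):
    """Equivalent of `convert timeformat="%Y-%m-%d" ctime(_time) AS date` for one event:
    interpret the epoch in the given timezone and render only the date part."""
    return datetime.fromtimestamp(epoch_seconds, tz).strftime(timeformat)


def count_by_date(events, tz=timezone.utc, timeformat="%Y-%m-%d"):
    """Equivalent of `| stats count by date`: returns {date_string: count}, ordered by date."""
    counts = Counter(event_date(t, tz, timeformat) for t, _ in events)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    # The same five events bucket differently once the rendering timezone changes.
    print("UTC:  ", count_by_date(SAMPLE_EVENTS))
    print("UTC-4:", count_by_date(SAMPLE_EVENTS, tz=UTC_MINUS_4))
```

Running it prints three buckets for UTC and two for UTC-4, because the two events shortly after midnight UTC still belong to the previous day four hours further west. When comparing daily counts produced on different Splunk search heads or by different users, confirm they render _time in the same timezone before treating a difference as a real change in event volume.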
"%F" is equivalent to "%Y-%m-%d"
Thank you!!!
Thanks a lot