Splunk Search

How to group by month if we have data from.

rajhemant26
New Member

Hello everyone.

Want to display the output only for the time which crosses 18 months (earliest time)

0 Karma

msivill_splunk
Splunk Employee

Looking at this some more I think the crux of the problem is grouping by month. As a starting point I've put together some SPL to show how to obtain the month from a timestamp then do a count by month.

The value generated in the _time will be a random time in the year 2018, as 1514764800 is epoch in seconds for the beginning of year 2018.

| makeresults count=100
| eval seconds_into_year = random() % ( 365 * 24 * 60 * 60 ) 
| eval epoch_start_of_2018 = 1514764800
| eval _time = epoch_start_of_2018 + seconds_into_year
| eval month_number = strftime(_time,"%m") 
| eval month_name = strftime(_time,"%b") 
| stats count by month_number, month_name

I'm hoping with this tip you should have enough to solve the question now.

0 Karma
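Building on the answer above, an added example (not part of the original post) that groups by year and month together, since `%m` alone merges the same month from different years once the data spans more than 12 months. It assumes the question means "keep only events older than 18 months"; the field names `cutoff`, `month` and `earliest_event` and the generated 24-month sample data are constructed for illustration.

```spl
| makeresults count=500
| eval _time = now() - (random() % (24 * 30 * 24 * 60 * 60))
| eval cutoff = relative_time(now(), "-18mon@mon")
| where _time < cutoff
| eval month = strftime(_time, "%Y-%m")
| stats count min(_time) as earliest_event by month
| eval earliest_event = strftime(earliest_event, "%Y-%m-%d %H:%M:%S")
| sort month
```

The `%Y-%m` key sorts chronologically as a string, and `relative_time` with `@mon` snaps the cutoff to a month boundary so no month bucket is split by the filter.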

msivill_splunk
Splunk Employee

Any chance of looking at the raw data, and/or wrapping the data into a makeresults SPL and/or simplifying the data? It makes it a bit easier for people to pick the questions up and try different things with it.

The above query pulls back the last 4 hours' worth of data but seems to pull data back from earlier in the year. Is there another time field in the data to account for this? So not using the default _time field?

0 Karma