Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Hw to group the data by month

Paul_tcs
Explorer
‎07-09-2013 10:25 AM

Hi,

I need help in group the data by month. I have find the total count of the hosts and objects for three months. now i want to display in table for three months separtly.

now the data is like below,

count 300

I want the results like

mar apr may
100 100 100

How to bring this data in search?

Tags (1)
Reply

lguinn2
Legend
‎07-09-2013 11:49 AM

Try this

yoursearchhere
| eval Month=strftime(_time,"%m")
| chart count by Object Month

If you really want the month names, you can do this

yoursearchhere
| eval Month=strftime(_time,"%b")
| chart count by Object Month

If you just have one overall count

yoursearchhere
| eval Month=strftime(_time,"%b")
| stats count by Month
| transpose 3
Reply

nravichandran
Communicator
‎08-26-2016 07:35 AM

The second solution with month names sorts the months and not in the "month-order" like Jan, Feb, Mar.
Is there a way to show month-wise in the order of Month like Jan 2016, Feb 2016, Mar 2016?
The below query display the results alphabetic months:

|eval Time=strftime(_time,"%b %Y") | stats count by Time

Result:
Apr 2016

Aug 2016
Feb 2016
Jan 2016
Jul 2016
Jun 2016
Mar 2016
May 2016

Thank you in advance!

Reply

abhishekroy168
Path Finder
‎03-05-2018 11:14 PM

hi nravichandran
did you get the solution for ur question.Even my req is to sort months which are
Mar 2015,Mar2016,Apr2016,Jan2016

0 Karma
Reply

nikhiltyagi
Explorer
‎02-11-2019 04:40 PM

yoursearch
|eval time1=strftime(_time,"%b-%y")
|eval time2=strftime(_time,"%Y%m")
|stats count by time2 time1
|fields - time2

This should work.

0 Karma
Reply

lguinn2
Legend
‎06-26-2017 05:26 PM

Ah - do this

yoursearchhere
 | eval Month=strftime(_time,"%m %b %Y")
 | chart count by Month Object
 | eval Month=replace(Month, "\d+ (.*)","\1")

This puts the month number in front for the chart command and then removes it after the chart is created. For stats, it is even easier

yoursearchhere
 | eval Month=strftime(_time,"%b %Y") | eval num=strftime(_time,"%m")
 | stats count by num Month Object
 | fields - num
0 Karma
Reply

Paul_tcs
Explorer
‎07-09-2013 11:02 AM

will check and update you..thanks for your reply

0 Karma
Reply

linu1988
Champion
‎07-09-2013 10:51 AM

Yes it's possible.

Just write your query and transpose.

Table month,count|transpose|fields - column|rename "row 1" as mar, .....|where NOT LIKE(mar,"m%%")

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...