Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Hw to group the data by month

Paul_tcs
Explorer
‎07-09-2013 10:25 AM

Hi,

I need help in group the data by month. I have find the total count of the hosts and objects for three months. now i want to display in table for three months separtly.

now the data is like below,

count 300

I want the results like

mar apr may
100 100 100

How to bring this data in search?

Tags (1)
Reply

lguinn2
Legend
‎07-09-2013 11:49 AM

Try this

yoursearchhere
| eval Month=strftime(_time,"%m")
| chart count by Object Month

If you really want the month names, you can do this

yoursearchhere
| eval Month=strftime(_time,"%b")
| chart count by Object Month

If you just have one overall count

yoursearchhere
| eval Month=strftime(_time,"%b")
| stats count by Month
| transpose 3
Reply

nravichandran
Communicator
‎08-26-2016 07:35 AM

The second solution with month names sorts the months and not in the "month-order" like Jan, Feb, Mar.
Is there a way to show month-wise in the order of Month like Jan 2016, Feb 2016, Mar 2016?
The below query display the results alphabetic months:

|eval Time=strftime(_time,"%b %Y") | stats count by Time

Result:
Apr 2016

Aug 2016
Feb 2016
Jan 2016
Jul 2016
Jun 2016
Mar 2016
May 2016

Thank you in advance!

Reply

abhishekroy168
Path Finder
‎03-05-2018 11:14 PM

hi nravichandran
did you get the solution for ur question.Even my req is to sort months which are
Mar 2015,Mar2016,Apr2016,Jan2016

0 Karma
Reply

nikhiltyagi
Explorer
‎02-11-2019 04:40 PM

yoursearch
|eval time1=strftime(_time,"%b-%y")
|eval time2=strftime(_time,"%Y%m")
|stats count by time2 time1
|fields - time2

This should work.

0 Karma
Reply

lguinn2
Legend
‎06-26-2017 05:26 PM

Ah - do this

yoursearchhere
 | eval Month=strftime(_time,"%m %b %Y")
 | chart count by Month Object
 | eval Month=replace(Month, "\d+ (.*)","\1")

This puts the month number in front for the chart command and then removes it after the chart is created. For stats, it is even easier

yoursearchhere
 | eval Month=strftime(_time,"%b %Y") | eval num=strftime(_time,"%m")
 | stats count by num Month Object
 | fields - num
0 Karma
Reply

Paul_tcs
Explorer
‎07-09-2013 11:02 AM

will check and update you..thanks for your reply

0 Karma
Reply

linu1988
Champion
‎07-09-2013 10:51 AM

Yes it's possible.

Just write your query and transpose.

Table month,count|transpose|fields - column|rename "row 1" as mar, .....|where NOT LIKE(mar,"m%%")

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...