- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Hw to group the data by month
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hw to group the data by month
Hi,
I need help in group the data by month. I have find the total count of the hosts and objects for three months. now i want to display in table for three months separtly.
now the data is like below,
count 300
I want the results like
mar apr may
100 100 100
How to bring this data in search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
yoursearchhere
| eval Month=strftime(_time,"%m")
| chart count by Object Month
If you really want the month names, you can do this
yoursearchhere
| eval Month=strftime(_time,"%b")
| chart count by Object Month
If you just have one overall count
yoursearchhere
| eval Month=strftime(_time,"%b")
| stats count by Month
| transpose 3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The second solution with month names sorts the months and not in the "month-order" like Jan, Feb, Mar.
Is there a way to show month-wise in the order of Month like Jan 2016, Feb 2016, Mar 2016?
The below query display the results alphabetic months:
|eval Time=strftime(_time,"%b %Y") | stats count by Time
Result:
Apr 2016
Aug 2016
Feb 2016
Jan 2016
Jul 2016
Jun 2016
Mar 2016
May 2016
Thank you in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi nravichandran
did you get the solution for ur question.Even my req is to sort months which are
Mar 2015,Mar2016,Apr2016,Jan2016
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yoursearch
|eval time1=strftime(_time,"%b-%y")
|eval time2=strftime(_time,"%Y%m")
|stats count by time2 time1
|fields - time2
This should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah - do this
yoursearchhere
| eval Month=strftime(_time,"%m %b %Y")
| chart count by Month Object
| eval Month=replace(Month, "\d+ (.*)","\1")
This puts the month number in front for the chart command and then removes it after the chart is created. For stats, it is even easier
yoursearchhere
| eval Month=strftime(_time,"%b %Y") | eval num=strftime(_time,"%m")
| stats count by num Month Object
| fields - num
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
will check and update you..thanks for your reply
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes it's possible.
Just write your query and transpose.
Table month,count|transpose|fields - column|rename "row 1" as mar, .....|where NOT LIKE(mar,"m%%")
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
