I have an event contains join_date, id as fields , want to count of "id " by month ,
the event index time and start_date are different. all events are indexed at a time
I tried
|eval _time=strftime(strptime(join_date,"%d-%b-%y %H:%M:%S"), "%Y-%m-%d %H:%M:%S") |timechart span=1d count(id)
not showing results
You could try something like this:
YOUR BASE SEARCH
| eval joinmonth=strftime(strptime(join_date,"%m/%d/%Y"),"%B")
| stats count(id) by joinmonth
You could try something like this:
YOUR BASE SEARCH
| eval joinmonth=strftime(strptime(join_date,"%m/%d/%Y"),"%B")
| stats count(id) by joinmonth
hello nagarjuna280,
can you elaborate a little, or attach a sample data?
it is not clear as you mention the event contains join_date and in the second sentence you mention start_date
in any case, if you want the count of id by month, use span of 1mon
also, maybe you can extract the time while on boarding the data