Solved: I have an event contains join_date, id as fields...

nagarjuna280 · ‎04-30-2017

I have an event contains join_date, id as fields , want to count of "id " by month ,

the event index time and start_date are different. all events are indexed at a time

I tried

|eval _time=strftime(strptime(join_date,"%d-%b-%y %H:%M:%S"), "%Y-%m-%d %H:%M:%S") |timechart span=1d count(id)

not showing results

kmorris_splunk · ‎05-01-2017

You could try something like this:

YOUR BASE SEARCH
| eval joinmonth=strftime(strptime(join_date,"%m/%d/%Y"),"%B") 
| stats count(id) by joinmonth

View solution in original post

kmorris_splunk · ‎05-01-2017

You could try something like this:

YOUR BASE SEARCH
| eval joinmonth=strftime(strptime(join_date,"%m/%d/%Y"),"%B") 
| stats count(id) by joinmonth

adonio · ‎05-01-2017

hello nagarjuna280,
can you elaborate a little, or attach a sample data?
it is not clear as you mention the event contains join_date and in the second sentence you mention start_date
in any case, if you want the count of id by month, use span of 1mon
also, maybe you can extract the time while on boarding the data

I have an event contains join_date, id as fields , want to count of "id " by month ,

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)