Hi Sundareshr
I am using this logic currently but when we check for total active entities and compare with this query there is a difference of two or three entites.
eval Date = strftime ("_time","%Y/%m")| stats last (_time) as  _time last (status) as status by entityId l, Date|eventstats  first (Date) as Date1by entityId|streamstats first (status)  as statusnew by entityId window=2 | eval status1 = case (  (Date1=Date AND status=A),1,(Date1!=Date AND status1!=statusnew AND status=A),1,(Date!=Date AND status1!=statusnew),-1,(Date1!=Date AND status=statusnew),0,(Date1=Date AND status=I) OR (Date1=Date AND status=P) ,0, (Date1!=Date AND status=P) OR ( Date1!=Date AND status=I) ,0))|timechart span=mon sum(status1) as Active|accum Active

Hi Sundareshr

We have to show monthly trend, so one entity may be active in one month and might get inactive next month due to inactivity.

Active Entity Changes by Month is the actual requirement, if an entity is was active in 03/16 and it became inactive in 04/16 and then again in the same month it got active so our chart should display the data only for Final status as active in the month of april. Similarly, other entity has a status in the below fashion

05/16 E2 P
05/16 E2 A
06/16 E2 I

Here it should show Inactive entity changes by month in the month of june and in active it should not display in that month.

Try this

... | eval date=strptime(date, "%d-%m-%Y") | sort - date | eval date=strftime(date, "%m-%Y") | dedup date | chart count over date by status

also we need to show a cumulative result at the end.

For cumulative results, add accum count to the end