I tried ... | eval _time = strftime(_time,"%Y-%m") at the end of my search even though its in the YYYY-MM format already in the dashboard.

But when I email the pdf, in the pdf the table disapperas and I get
year=1 is before 1900; the datetime strftime() methods require year >= 1900

I am not sure what this means?

my time range is a bit different but this just gives me the 31 day values of january which I then timechart span=mon sum(Count) to get the monthly value

  <earliest>-1mon@mon</earliest>
  <latest>@mon+1d</latest>

also how do i try | convert timeformat="%m/%d/%Y"

sry, the command was not completed, you will need:

| convert timeformat="%m/%d/%Y" ctime(_time) as _time

but i think will not gonna work.

sometimes you will need to create a new variable to use instead of _time

try
| eval date = strftime(_time,"%Y-%m")

to show correctly, you can use:

| sort _time
| table date Count

tks

1/
| convert timeformat="%m/%d/%Y" ctime(_time) as _time did not work
You get this year=1 is before 1900; the datetime strftime() methods require year >= 1900 instead of the table. Which I dont understand. I guess that is just the way splunk is regarding pdf scheduling.

and

2/
| eval date = strftime(_time,"%Y-%m") | sort _time | table date Count did work.
Basically the _time column is not liked in the tables in your dashboard when you try and pdf schedule it. So you basically have to remove the _time column and call it something else.

note: I thought you could just rename _time as date but this will convert the date into a number, so you will then have to reformat this, which is just another way of doing the same as 2 above.

nice, i'm glad it works.

The _time real value is aways something like 1526324562.234, so somethime you will need to create a new variable.

In my country the date default is dd/mm/YYYY, so i aways need to re-adjust the _time.