search results sum count by date?

abovebeyond · ‎12-18-2015

Hi,
Im trying to sum results by date:

CreatedDate ------ count
2015-12-2 ------ 1
2015-12-1 ------ 4
2015-11-30 ------ 5
2015-11-29 ------ 2

i want to count how much in each month, how can i do it?

Thanks!

fdi01 · ‎12-24-2015

if count and CreateDate fields exit after you run your_DB_search try simplily:

<your_DB_search>| timechart span=1months sum(count) by CreatedDate usenull=f useother=f

yannK · ‎12-19-2015

If the field CreatedDate is not detected as a valid date, you can convert it.
see http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Convert

<mysearch>
| convert timeformat="%Y-%m-%d" ctime(CreatedDate) AS NewCreatedDate
| bucket span=1month NewCreatedDate
 | stats sum(count) AS total_count by NewCreatedDate

abovebeyond · ‎12-24-2015

Hi yannK , tried it without a success

NewCreatedDate shows nothing...

Any other suggestions ?

Thanks !

dcarmack_splunk · ‎12-18-2015

try this

| bucket span=1mon CreatedDate
| stats sum(count) AS total_count by CreatedDate

abovebeyond · ‎12-18-2015

hmm i forgot to mention , this is a db connect query

the results from the DB , its not parsed so date_month isn't working

any other options ?

jmallorquin · ‎12-18-2015

|rex "\d{4}\-(?<month>[^\-]+)"
|rex "\-\-\-\-\-\-\s+(?<count>\d+)"
|stats sum(count) by month

search results sum count by date?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor