search results sum count by date?

abovebeyond
Communicator

Hi,
I'm trying to sum results by date:

CreatedDate ------ count
2015-12-2 ------ 1
2015-12-1 ------ 4
2015-11-30 ------ 5
2015-11-29 ------ 2

I want to count how much is in each month; how can I do it?

Thanks!


fdi01
Motivator

If the count and CreatedDate fields exist after you run your_DB_search, try simply:

<your_DB_search>| timechart span=1months sum(count) by CreatedDate usenull=f useother=f

yannK
Splunk Employee

If the field CreatedDate is not detected as a valid date, you can convert it.
See http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Convert

<mysearch>
| convert timeformat="%Y-%m-%d" mktime(CreatedDate) AS NewCreatedDate
| bucket span=1month NewCreatedDate
| stats sum(count) AS total_count by NewCreatedDate

abovebeyond
Communicator

Hi yannK, tried it without success.

NewCreatedDate shows nothing...

Any other suggestions?

Thanks!


dcarmack_splunk
Splunk Employee

Try this:

| eval CreatedDate=strptime(CreatedDate, "%Y-%m-%d")
| bucket span=1mon CreatedDate
| stats sum(count) AS total_count by CreatedDate

abovebeyond
Communicator

Hmm, I forgot to mention, this is a DB Connect query.

The results come from the DB; they're not parsed, so date_month isn't working.

Any other options?


jmallorquin
Builder

|rex "\d{4}\-(?<month>[^\-]+)"
|rex "\-\-\-\-\-\-\s+(?<count>\d+)"
|stats sum(count) by month
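As an added example (not from any of the replies above), here is a complete pipeline for the DB Connect case where CreatedDate arrives as a plain string rather than a parsed timestamp. It assumes the fields are named CreatedDate and count as in the question; the makeresults/eval lines at the top construct the four sample rows from the question so the search runs without a database, and the parse_status field flags any row whose date does not match the expected format instead of silently dropping it.

```spl
| makeresults count=4
| streamstats count AS row
| eval CreatedDate=case(row==1,"2015-12-2", row==2,"2015-12-1", row==3,"2015-11-30", row==4,"2015-11-29"),
       count=case(row==1,1, row==2,4, row==3,5, row==4,2)
| fields - row _time
| eval created_epoch=strptime(CreatedDate, "%Y-%m-%d")
| eval parse_status=if(isnull(created_epoch), "unparsed", "ok")
| eval month=if(parse_status=="ok", strftime(created_epoch, "%Y-%m"), "unparsed")
| stats sum(count) AS total_count, count AS rows by month
| sort month
```

With the sample rows this returns 2015-11 with total_count 7 and 2015-12 with total_count 5; a row whose CreatedDate cannot be parsed lands in an "unparsed" bucket so the mismatch is visible rather than lost. Replace the first five lines with your DB Connect search when running it for real.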