Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

summarize stats by month

mvasquez21
Path Finder
‎03-03-2025 07:17 AM

I have this search to see logins to our splunk environment:

  index = _audit user="*" action="login attempt" info=succeeded | stats count by user

mgmt is asking to see the same data but instead of a "count" column, they want a column for each month. I assume it will be a table of some sort but can't figure out the date summarizing.

Here is an example of the individual entry:

Audit:[timestamp=03-03-2025 09:10:52.577, user=xxxxxx, action=login attempt, info=succeeded reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" clientip=xxx.xxx.xxx.x" method=LDAP" session=17a169464fada764a1bac7310cac4c47]

columns should be:  user   monthA    monthB   monthc

with the counts under each month

Thanks!

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kiran_panchavat
Champion
‎03-03-2025 07:45 AM

@mvasquez21 

Don't append makeresults in your query:-

Use this 

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

View solution in original post

Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 08:28 AM

that last one seems to undo the month summarizing

mvasquez21_0-1741019322688.png

 

0 Karma
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:56 AM

one last thing. this is listing the months alphabetically. any way to do it chronologically?

mvasquez21_0-1741017367701.png

 

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-03-2025 08:09 AM

@mvasquez21 

Yes, you can definitely display the months chronologically instead of alphabetically. To achieve this, you need to convert the month representation (e.g., "Jan 2024") into a sortable format, like a timestamp or a year-month string (e.g., "2024-01").

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%Y-%m-%d"), sort_month=strftime(_time, "%Y-%m-%d") 
| chart count over user by month 
| sort + sort_month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-03-2025 08:10 AM

@mvasquez21 

Refer my output:-

kiran_panchavat_0-1741018212912.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:44 AM

when i try to append my search with it i get this error: Error in 'makeresults' command: This command must be the first command of a search.

index = _audit user="*" action="login attempt" info=succeeded | makeresults count=20
| eval _time=relative_time(now(), "-".(random()%180)."d")
| eval user="user".tostring(1+random()%5)
| eval action="login attempt", info="succeeded"
| eval month=strftime(_time, "%b %Y")
| chart count over user by month

 

0 Karma
Reply
Solved! Jump to solution
Solution

kiran_panchavat
Champion
‎03-03-2025 07:45 AM

@mvasquez21 

Don't append makeresults in your query:-

Use this 

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:47 AM

perfect! you are a geniius

0 Karma
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:41 AM

when using this one:

| makeresults count=20 
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval user="user".tostring(1+random()%5) 
| eval action="login attempt", info="succeeded" 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month

my results don't show the username:

mvasquez21_0-1741016486381.png

 

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-03-2025 07:42 AM

@mvasquez21 

makeresults is a command in Splunk that generates synthetic (fake) data for testing, debugging, and query development without using an actual index. You have to pass your original query. 

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-03-2025 07:44 AM

@mvasquez21 

You have to use this query:

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-03-2025 07:36 AM

@mvasquez21 

Try this 

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:31 AM

could i ask of you to paste that so my bad typing doesn't mess it up? Thanks so much!

 

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-03-2025 07:34 AM

@mvasquez21 

| makeresults count=20 
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval user="user".tostring(1+random()%5) 
| eval action="login attempt", info="succeeded" 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎03-03-2025 07:26 AM

@mvasquez21 

kiran_panchavat_0-1741015558161.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...