Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

summarize stats by month

mvasquez21
Path Finder
‎03-03-2025 07:17 AM

I have this search to see logins to our splunk environment:

  index = _audit user="*" action="login attempt" info=succeeded | stats count by user

mgmt is asking to see the same data but instead of a "count" column, they want a column for each month. I assume it will be a table of some sort but can't figure out the date summarizing.

Here is an example of the individual entry:

Audit:[timestamp=03-03-2025 09:10:52.577, user=xxxxxx, action=login attempt, info=succeeded reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" clientip=xxx.xxx.xxx.x" method=LDAP" session=17a169464fada764a1bac7310cac4c47]

columns should be:  user   monthA    monthB   monthc

with the counts under each month

Thanks!

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 07:45 AM

@mvasquez21 

Don't append makeresults in your query:-

Use this 

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

View solution in original post

Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 08:28 AM

that last one seems to undo the month summarizing

mvasquez21_0-1741019322688.png

 

0 Karma
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:56 AM

one last thing. this is listing the months alphabetically. any way to do it chronologically?

mvasquez21_0-1741017367701.png

 

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 08:09 AM

@mvasquez21 

Yes, you can definitely display the months chronologically instead of alphabetically. To achieve this, you need to convert the month representation (e.g., "Jan 2024") into a sortable format, like a timestamp or a year-month string (e.g., "2024-01").

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%Y-%m-%d"), sort_month=strftime(_time, "%Y-%m-%d") 
| chart count over user by month 
| sort + sort_month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 08:10 AM

@mvasquez21 

Refer my output:-

kiran_panchavat_0-1741018212912.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:44 AM

when i try to append my search with it i get this error: Error in 'makeresults' command: This command must be the first command of a search.

index = _audit user="*" action="login attempt" info=succeeded | makeresults count=20
| eval _time=relative_time(now(), "-".(random()%180)."d")
| eval user="user".tostring(1+random()%5)
| eval action="login attempt", info="succeeded"
| eval month=strftime(_time, "%b %Y")
| chart count over user by month

 

0 Karma
Reply
Solved! Jump to solution
Solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 07:45 AM

@mvasquez21 

Don't append makeresults in your query:-

Use this 

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:47 AM

perfect! you are a geniius

0 Karma
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:41 AM

when using this one:

| makeresults count=20 
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval user="user".tostring(1+random()%5) 
| eval action="login attempt", info="succeeded" 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month

my results don't show the username:

mvasquez21_0-1741016486381.png

 

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 07:42 AM

@mvasquez21 

makeresults is a command in Splunk that generates synthetic (fake) data for testing, debugging, and query development without using an actual index. You have to pass your original query. 

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 07:44 AM

@mvasquez21 

You have to use this query:

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 07:36 AM

@mvasquez21 

Try this 

index = _audit user="*" action="login attempt" info=succeeded
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

mvasquez21
Path Finder
‎03-03-2025 07:31 AM

could i ask of you to paste that so my bad typing doesn't mess it up? Thanks so much!

 

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 07:34 AM

@mvasquez21 

| makeresults count=20 
| eval _time=relative_time(now(), "-".(random()%180)."d") 
| eval user="user".tostring(1+random()%5) 
| eval action="login attempt", info="succeeded" 
| eval month=strftime(_time, "%b %Y") 
| chart count over user by month
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-03-2025 07:26 AM

@mvasquez21 

kiran_panchavat_0-1741015558161.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...