@livehybrid ,

I tried the same query as you suggested, not sure why it is giving me data only for May month 😞

| tstats summariesonly=false dc(Message_Log.msg.header.message-id) as Blocked from datamodel=pps_ondemand where (Message_Log.filter.routeDirection="inbound") AND (Message_Log.filter.disposition="discard" OR Message_Log.filter.disposition="reject" OR Message_Log.filter.quarantine.folder="Spam*") earliest=-6mon@mon latest=now by _time
| eval Source="Email"
| eval MonthNum=strftime(_time, "%Y-%m"), MonthName=strftime(_time, "%b")
| stats sum(Blocked) as Blocked by Source MonthNum MonthName
| xyseries Source MonthName Blocked
| addinfo
| table Source [| makeresults count=60
  | streamstats count as month_offset
 | addinfo
  | eval start_epoch=info_min_time, end_epoch=info_max_time
  | eval start_month=strftime(start_epoch, "%Y-%m-01")
  | eval month_epoch = relative_time(strptime(start_month, "%Y-%m-%d"), "+" . (month_offset-1) . "mon")
  | where month_epoch <= end_epoch
  | eval month=strftime(month_epoch, "%b")
  | stats list(month) as search
]

@livehybrid It worked like magic! 🙂 Thank you so much.

Also, if you could explain the logic behind it, I would be grateful 🙂

Absolutely @mchoudhary 

So, what we are doing here is using a subsearch within the "table" command to generate the list of months you are interested in. Not many people realise but you can use a subsearch in a lot more places than as part of an original search, e.g. to derive a variable for timechart span, or in our case to list some fields for your table command.

Regarding the subsearch, this is what it is doing:

1. | makeresults count=7

• Generates 7 dummy events (rows) to work with in the pipeline. (6 months ago + current month)

2. | streamstats count as month_offset

• For each of the 7 rows, assigns a sequential number in month_offset (from 1 to 7).
• This will be used to generate one value per month, going backwards in time.

3. | eval start_epoch=relative_time(now(),"-6mon@mon"), end_epoch=now()

• start_epoch calculates the epoch time at the start of the month, six months ago.
  • -6mon@mon: Go back 6 months, then snap to the beginning of the month.
• end_epoch is the current epoch time.
• This sets the time range: from the start of 6 months ago until now.

4. | eval start_month=strftime(start_epoch, "%Y-%m-01")

• Formats start_epoch into a string representing the first day of the starting month (e.g., "2024-11-01").

5. | eval month_epoch = relative_time(strptime(start_month, "%Y-%m-%d"), "+" . (month_offset-1) . "mon")

• For each row, this creates a timestamp for a month in the range.
• Increments from start_month by (month_offset - 1) months.
  • month_offset runs 1 to 7.
  • So, months generated will be: start_month + 0, +1, +2, ..., +6 months.
• This way, you get the start-of-month epoch for each month in the range.

6. | where month_epoch <= end_epoch

• Filters out any months whose starting epoch is greater than now (in case the 7 generated months go slightly into the future).

7. | eval month=strftime(month_epoch, "%b")

• Converts month_epoch into a "short month name" format (e.g., "Jan", "Feb", etc).

8. | stats list(month) as search

• Aggregates the results into a single row, with the months as a list, titled "search".

@livehybrid  The issue is in my query I am fetching data for last 6 months. so If someone run the query till date it will give results from December till now and also there is 0 count for some months, so it will look blank. something like this if I hardcode the months