Okay @mchoudhary - this might look a little bizarre but stay with me....you could use the following table output, this uses a search to determine the months returned based on the earliest/latest set ...
See more...
Okay @mchoudhary - this might look a little bizarre but stay with me....you could use the following table output, this uses a search to determine the months returned based on the earliest/latest set by the time picker and lists them out as per the screenshot below. Would this work for you? | table Source [| makeresults count=12
| streamstats count as month_offset
| addinfo
| eval start_epoch=info_min_time, end_epoch=info_max_time
| eval start_month=strftime(start_epoch, "%Y-%m-01")
| eval month_epoch = relative_time(strptime(start_month, "%Y-%m-%d"), "+" . (month_offset-1) . "mon")
| where month_epoch <= end_epoch
| eval month=strftime(month_epoch, "%b")
| stats list(month) as search
] |tstats count where index=main by _time span=1d
| eval MonthNum=strftime(_time, "%Y-%m"), MonthName=strftime(_time, "%b")
| eval Source="Email"
| eval Blocked=count
| stats sum(Blocked) as Blocked by Source MonthNum MonthName
| xyseries Source MonthName Blocked
| addinfo
| table Source [| makeresults count=60
| streamstats count as month_offset
| addinfo
| eval start_epoch=info_min_time, end_epoch=info_max_time
| eval start_month=strftime(start_epoch, "%Y-%m-01")
| eval month_epoch = relative_time(strptime(start_month, "%Y-%m-%d"), "+" . (month_offset-1) . "mon")
| where month_epoch <= end_epoch
| eval month=strftime(month_epoch, "%b")
| stats list(month) as search
] Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing