Hi Vasanthmss
I have tried the SQL that you have provided, however it is still not able to return the right filename... any ideas?
Do I need to get an earliest time as the filename from below?
Thanks
sourcetype=csms_log date_month=December ID begin.action | join type=outer ID [ search sourcetype=tony ID detail.identity| stats values(detail_identity) as mcn by ID|fields ID mcn] | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | table time ID mcn begin_action _raw | outputcsv [ | stats count | eval filename=strftime(_time, "%Y%m") | return $filename]
Henry