Solved: How to sum a field grouped by months using a date ...

handygecko · ‎02-10-2013

I'm new to splunk and I'm still struggling to grasp how it works. I uploaded data from a simple csv file. Data is as follows:

Column A       Column B
1/1/2012         9
2/1/2012         5
3/1/2012         17
1/17/2012       11

I would like to sum column B by Month as follows:

Jan                20
Feb               5
Mar              17

Ultimately, I'm looking to create a bar chart displaying this data by year. Any help is greatly appreciated.

Ayn · ‎02-10-2013

Assuming you have your timestamps working correctly:

... | timechart span=1mon sum(B)

View solution in original post

Ayn · ‎02-10-2013

Assuming you have your timestamps working correctly:

... | timechart span=1mon sum(B)

Ayn · ‎02-11-2013

Splunk shold do this by default. It'll use the first date it encounters in each event.

handygecko · ‎02-11-2013

You got me going on the right track. Splunk was failing to parse timestamps. I managed to index several files properly, however, a couple files require a more complex regular expression for the preface pattern. The events are structured as follows:

"Justin Lang:2465-1-Lang","164","10/4/2012","10/25/2012",,4345.00,""

Do you happen to know how to write a regular expression that would allow splunk to parse the first date in the event: "10/4/2012"? I do not know regex very well. I tried "",""," Thanks for your help!

How to sum a field grouped by months using a date field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!