Hi,
I need help grouping the data by month. I have found the total count of the hosts and objects for three months. Now I want to display it in a table for the three months separately.
Now the data is like below:
count 300
I want the results like
mar apr may
100 100 100
How do I bring this data in the search?
Try this
yoursearchhere
| eval Month=strftime(_time,"%m")
| chart count by Object Month
If you really want the month names, you can do this
yoursearchhere
| eval Month=strftime(_time,"%b")
| chart count by Object Month
If you just have one overall count
yoursearchhere
| eval Month=strftime(_time,"%b")
| stats count by Month
| transpose 3
The second solution with month names sorts the months, but not in the "month order" like Jan, Feb, Mar.
Is there a way to show month-wise in the order of Month like Jan 2016, Feb 2016, Mar 2016?
The query below displays the results in alphabetical month order:
|eval Time=strftime(_time,"%b %Y") | stats count by Time
Result:
Apr 2016
Aug 2016
Feb 2016
Jan 2016
Jul 2016
Jun 2016
Mar 2016
May 2016
Thank you in advance!
Hi nravichandran,
Did you get the solution for your question? My requirement is also to sort months, which are
Mar 2015,Mar2016,Apr2016,Jan2016
yoursearch
|eval time1=strftime(_time,"%b-%y")
|eval time2=strftime(_time,"%Y%m")
|stats count by time2 time1
|fields - time2
This should work.
Ah - do this
yoursearchhere
| eval Month=strftime(_time,"%m %b %Y")
| chart count by Month Object
| eval Month=replace(Month, "\d+ (.*)","\1")
This puts the month number in front for the chart command and then removes it after the chart is created. For stats, it is even easier
yoursearchhere
| eval Month=strftime(_time,"%b %Y") | eval num=strftime(_time,"%m")
| stats count by num Month Object
| fields - num
Will check and update you. Thanks for your reply.
Yes it's possible.
Just write your query and transpose.
Table month,count|transpose|fields - column|rename "row 1" as mar, .....|where NOT LIKE(mar,"m%%")
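Added example, not part of any reply in this thread: a self-contained search that combines the two ideas above, a numeric year-month sort key and transpose, so that months from different years come out as columns in calendar order. The events are constructed with makeresults and random timestamps over roughly the last 400 days, and sort_key is a field name chosen here for illustration.

```spl
| makeresults count=400
| eval _time = now() - (random() % (400 * 86400))
| eval sort_key = strftime(_time, "%Y-%m"), Month = strftime(_time, "%b %Y")
| stats count by sort_key Month
| sort 0 sort_key
| fields - sort_key
| transpose 0 header_field=Month
| fields - column
```

Because sort_key starts with the four-digit year, Mar 2015 sorts before Jan 2016, which a bare month number such as %m does not guarantee.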