The timechart command that Ziegfried gave you will give you the best performance. Make sure you run this in the "Advanced Charting" view with the "Enable Preview" checkbox un-checked.
Really though, the best way to do this will only work going forward.
Create a saved search that runs at the end of each month and summarizes the following result:
| eventcount summarize=false | stats sum(count) as count
Give it a marker like "monthly_event_count". You can then use several techniques such as the 'delta', 'eval', 'timechart', or 'stats' command to create a monthly event count. Here is an example using delta:
index=summary marker="monthly_event_count" earliest=-3m@m | delta count as count
Thanks all! I appreciate the input and the prompt feedback. I will follow your advise.
* | timechart span=1mon count
or
* | stats count by date_month, date_year
Thanks ziegfried,
That works; however the query take forever to run. I was hoping that info is also stored somewhere in the metrics logs, hence quicker to query.