This is a stupid question on many levels. You should NEVER use the "date_*" fields for anything because they are pre-TZ-normalized values and do not take into account your user's personal TZ value and so almost always will be incorrect. You should instead calculate your own "date_*" values, if you even need them (which in this case, you do not). The question is phrased EXTREMELY poorly and is very confusing to understand. I spent 5 times as much time reading and re-reading the question as I did coming up with the answer. I suspect that part of the answer is that you should know (and explain in your answer) that by default, only the last 30 days are stored in the internal index data so this question is even dumber because you will never have a complete month in your data. In any case, if I understand it correctly, here is one solution: |tstats count AS Count WHERE index="_internal" AND date_month="*" earliest=0 latest=now BY host _time span=1d | rename _time AS Month, host AS Host | eval _mon=strftime(Month, "%Y%B") | streamstats current=f last(_mon) AS prevmon BY Host | eval neweventhere = if(_mon!=prevmon, mvappend("FIXME","KEEPME"), "NO") | fields - prevmon | mvexpand neweventhere | rename neweventhere AS _neweventhere | eval Month = if(_neweventhere="FIXME", (Month - 1), Month) | eval _mon=strftime(Month, "%Y%B") | eventstats sum(Count) AS _TotalCount BY _mon Host | eval Count = if(_neweventhere="FIXME", _TotalCount, Count) | fieldformat Month = if(_neweventhere="FIXME", strftime(Month, "%B"), strftime(Month, "%B %d")) | table Month Host Count _*
... View more