My actual event looks like this:
"12345","App-A","Business-unit-A","1114052","30 Dec 2016 Static","static","2017-01-02 10:41:20+00:00","2017-01-02 10:39:51+00:00","147294802","106822","2016-12-14 10:19:58+00:00","3","117","Improper Output Neutralization for Logs","true","2","Open","Not Mitigated","1","appname-1.0-SNAPSHOT.war","filename.java","107"
The field used to create the event _time is the second UTC date, in this case 2017-01-02 10:39:51+00:00. though I'm not really sure that matters?
I also don't think your solution will work for months where the 'name' does not appear in any events. For example, using the data in my original question, I need App-A to be included in the calculation for May even though it does not have any events in May.
... View more