date_month issue

"source="jun_jan.csv" | stats count by date_month" lists all months, but if I want to include another field like status ""source="jun_jan.csv" | stats count by date_month, STATUS" It lists only two months. Plese suggest how do we get the other field

source="jun_jan.csv" | stats count by date_mont date_month count
1 august 2776 2 december 4602 3 january 5228 4 july 3533 5 november 5001 6 october 3357 7 september 4275

source="jun_jan.csv" | stats count by date_month, STATUS date_month STATUS count
1 august FAILED 262 2 august PASSED 2046 3 august WARNING_FAILED_STEP 23 4 august WARNING_FILTER 14 5 july FAILED 433 6 july NONE 1 7 july PASSED 3002 8 july WARNING_FAILED_STEP 76 9 july WARNING_FILTER 21

asked 22 Feb, 07:57

iamniks
11
accept rate: 0%

edited 26 Feb, 20:32

lguinn ♦
3.1k●2●16

One Answer:

oldest newest most voted

Look at the events that are in months, not displayed in the second result and see if the STATUS field is present there. The search ... | stats count by date_month,STATUS will only show the result counts for events with both fields present.

link

answered 22 Feb, 08:13

ziegfried ♦
7.1k●1●3●15
accept rate: 53%

For all the events there is a status as well as process field,

(22 Feb, 16:59) iamniks

is there a date_month field too for all of them?

(27 Feb, 01:00) ziegfried ♦

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

field ×166
stats ×151
date_month ×2

Asked: 22 Feb, 07:57

Seen: 231 times

Last updated: 27 Feb, 01:00

date_month issue

Follow this question

Splunk Resources

Related questions