How to dynamically pass the current and last month...

avni26 · ‎07-21-2020

Hi,

I have field as Jan , Feb ,Mar .... Dec with values for each month and I want to take sum of current month and last month.
I was truing to first check the current month and last month using eval like below and this eval gives me the current month name(Jul) , last month as Jun

eval curr_mon=strftime(now(), "%b")

eval last_mon= strftime(relative_time(now(),"-mon"),"%b")

Now I have field names
Name id            Jan Feb Mar Jul Jun Aug
xyz      123A         10    20 20    25   30   15
ABC    145B          20    15 30   25   30    20

Want to take sum of current month and last month field with stats, I tried like below but got no results;

stats sum('curr_mon') as current_total sum('last_mon') as last_total

I want this search to automatically show the current month's sum, and not using a static value in the stats sum expression.

Please suggest.

to4kawa · ‎07-21-2020

| makeresults
| eval _raw="Name,id,Jan,Feb,Mar,Jul,Jun,Aug
xyz,123A,10,20,20,25,30,15
ABC,145B,20,15,30,25,30,20"
| multikv forceheader=1
| table Name,id,Jan,Feb,Mar,Jul,Jun,Aug
| rename COMMENT as "this is sample"
| rename Name as _Name , id as _id
| stats sum(*) as *
| eval tmp=1
| untable tmp month sums
| eval cur_mon=strftime(now(),"%b") ,last_mon=strftime(relative_time(now(),"-1mon"),"%b")
| eval current_total=if(month=cur_mon,sums,NULL), last_total=if(month=last_mon,sums,NULL)
| stats values(current_total) as current_total values(last_total) as last_total

How to dynamically pass the current and last month in search?

eval

fields

stats

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?