https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304183#M2728 <P>Are you trying to make a search you can schedule to run once every hour and alert if the total count of events in that hour for a given host exceeds a threshold? Or do you want to make a table of host many events per host were seen each hour and then only retain the rows where the count exceeded a threshold? It would help a lot to know your end goal.</P> Wed, 04 Apr 2018 21:00:17 GMT elliotproebstel 2018-04-04T21:00:17Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304182#M2727 <P>Hello,</P> <P>I believe this does not give me what I want but it does at the same time. After events are indexed I'm attempting to aggregate per host per hour for specific windows events.</P> <P>More specifically I don't see to see that a host isn't able to log 17 times within 1 hour. One alert during that period of time is what I'm looking for.</P> <PRE><CODE>index=wineventlog EventCode=521 OR EventCode=4617 |bucket _time span=1h | chart count by host </CODE></PRE> <P>This shows me a total of the alerts that took place within an hour but doesn't necessarily aggregate if I wanted to make an alert for it unless I'm mistaken.</P> <P>Regards</P> Wed, 04 Apr 2018 20:26:24 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304182#M2727 Hegemon76 2018-04-04T20:26:24Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304183#M2728 <P>Are you trying to make a search you can schedule to run once every hour and alert if the total count of events in that hour for a given host exceeds a threshold? Or do you want to make a table of host many events per host were seen each hour and then only retain the rows where the count exceeded a threshold? It would help a lot to know your end goal.</P> Wed, 04 Apr 2018 21:00:17 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304183#M2728 elliotproebstel 2018-04-04T21:00:17Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304184#M2729 <P>In the meantime, you could try the following searches to see if they are showing you what you want:</P> <PRE><CODE>index=wineventlog EventCode=521 OR EventCode=4617 | bin span=1h _time | stats count by _time, host </CODE></PRE> <P>or</P> <PRE><CODE>index=wineventlog EventCode=521 OR EventCode=4617 | bin span=1h _time | chart count by _time, host </CODE></PRE> Wed, 04 Apr 2018 21:01:56 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304184#M2729 elliotproebstel 2018-04-04T21:01:56Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304185#M2730 <P>End goal is instead of having 17 alerts on the same host for the same event (in this case, unable to log) I just want 1 alert for all 17 events based on :insert host:.</P> <P>So for instance.</P> <P>If host x,y and z fire this alert I would want three alerts because the host is different and not because the alert simply fired again.</P> <P>There is no threshold more like an aggregation of the events over the course of an hour so that only 1 alert fires.</P> <P>Sorry for not being more specific.</P> Wed, 04 Apr 2018 21:04:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304185#M2730 Hegemon76 2018-04-04T21:04:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304186#M2731 <P>Try something like</P> <PRE><CODE>index=wineventlog EventCode=521 OR EventCode=4617 | timechart span=1h count by host </CODE></PRE> <P>or</P> <PRE><CODE>index=wineventlog EventCode=521 OR EventCode=4617 | timechart span=1h sum(eval(EventCode=521)) as 521 sum(eval(EventCode=4617)) as 4617 by host </CODE></PRE> Thu, 05 Apr 2018 00:21:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-aggregate-events-per-host-per-hour/m-p/304186#M2731 davpx 2018-04-05T00:21:20Z