topic Re: How to report a busiest/peak hour for each day for the last 30 days? in Splunk Search

How to report a busiest/peak hour for each day for the last 30 days?

Shashank_87 — Wed, 30 Sep 2020 03:00:55 GMT

Hi, I am trying to find the busiest time of the day for last 30 days. What i need is a table like this -

Day PeakhourofTheDay count

I have this query but it's not showing the peak hour in the table. Also i am not sure if it's correct. Please any help is appreciated.

index=web_env sourcetype=ssl_access_combined
| timechart span=1h count
| timechart span=1d max(count)

Re: How to report a busiest/peak hour for each day for the last 30 days?

to4kawa — Tue, 19 Nov 2019 12:19:53 GMT

| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-30d@d"), relative_time(_time,"@d"))
| makecontinuous span=1m
| eval count = random() % 2
| eval value = if(count==0,"ok",NULL)
| table _time value
| rename COMMENT AS "this is sample data")
| timechart span=1h count(value) as count
| eval days = strftime(_time, "%e")
| eventstats max(count) as max_count by days
| chart values(eval(if(max_count==count,_time,NULL))) as max_date values(max_count) as max_count by days
| fieldformat max_date=strftime(max_date,"%F %H:%M")
| table max_date max_count

The output values is a little different, but it would be okay.

Re: How to report a busiest/peak hour for each day for the last 30 days?

Shashank_87 — Tue, 19 Nov 2019 12:26:26 GMT

@to4kawa thanks for the response but this is not what I am looking for and moreover this query is a bit complex and not very optimized if i have to run for a longer period.
I have shared the working query but it's just that it is not showing the peak hour along with the day. I need something like this in atabular format -

Day PeakhourofTheDay PeakHourCount

Re: How to report a busiest/peak hour for each day for the last 30 days?

to4kawa — Tue, 19 Nov 2019 12:57:40 GMT

try rename and eval.