Hi Splunkers, in our environment we have seen that we have some event peaks every day between certain hours, which are 03:00 - 04:00 AM.
Now, we have to identify which sources are responsible for those peaks.
The search we must build has to perform this: tell us, for every day of a certain time period (for example, a week), at the same hour (03:00 - 04:00 AM), the total count of events for every source.
I know that, with this search:
index=*
| chart count over index by sourcetype
I'm able to show a column chart that shows me the total count of events for every index and, for each of them, I have a picture of the involved sourcetypes. But how do I tell the search "show me this count for every day in the time range 03:00 - 04:00 AM"?
Hi @SplunkExplorer,
if you want to analyze only peaks in a certain period (e.g. 3.00-4.00) you could run something like this:
index=* date_hour IN (3,4) earliest=-7d@d latest=@d
| timechart count by sourcetype
If you want also index values, you have to use:
index=* date_hour IN (3,4) earliest=-7d@d latest=@d
| bin span=24h _time
| stats values(index) AS index count by _time sourcetype
Ciao.
Giuseppe
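As an added example (not part of Giuseppe's answer), the following search compares each day's 03:00-04:00 count per index and sourcetype against the average hourly count of the same source over the remaining 23 hours of that day, so the sources that actually spike in the window stand out. It derives the hour from _time at search time with strftime (so it follows the search-time timezone rather than the raw-event date_hour field); the 7-day window and the "23 remaining hours" are assumptions.

```spl
index=* earliest=-7d@d latest=@d
| eval day=strftime(_time, "%Y-%m-%d"), hour=tonumber(strftime(_time, "%H"))
| stats count(eval(hour==3)) AS peak_count, count(eval(hour!=3)) AS rest_count
        by day index sourcetype
| eval rest_hourly_avg=round(rest_count/23, 1)
| eval ratio=if(rest_hourly_avg>0, round(peak_count/rest_hourly_avg, 2), null())
| sort day -ratio
| table day index sourcetype peak_count rest_hourly_avg ratio
```

A ratio well above 1 for a given day marks a source whose 03:00-04:00 volume exceeds its own typical hourly volume; a null ratio means the source logged nothing outside the window that day.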