Solved: How to aggregate data by hour across multiple days

Simon1817 · ‎02-14-2023

I am looking at event data. I can group the data by hour like this:

index=wineventlog EventCode=4740 Caller_Computer_Name=SERVER14 Account_Locked_Out_Name=USER12 | TIMECHART SPAN=1h count BY Caller_Computer_Name

but that gives me an hour for each day, so hundreds of rows.

I want 24 rows. i.e. I want all events that occur between Midnight and 1am, on any day, in the first row; and then all events between 1am and 2am, on any day, in the second row; and so on.

I've

gcusello · ‎02-14-2023

Hi @Simon1817,

let me understand: you want the sum of the values of each hour of many days, is it correct?

if this is your need, please try something like this:

index=wineventlog EventCode=4740 Caller_Computer_Name=SERVER14 Account_Locked_Out_Name=USER12 
| eval hour=strftime(_time,"%H")
| chart count OVER hour BY Caller_Computer_Name

Ciao.

Giuseppe

View solution in original post

Simon1817 · ‎02-14-2023

Exactly that, thank you.

gcusello · ‎02-14-2023

Hi @Simon1817,

let me understand: you want the sum of the values of each hour of many days, is it correct?

if this is your need, please try something like this:

index=wineventlog EventCode=4740 Caller_Computer_Name=SERVER14 Account_Locked_Out_Name=USER12 
| eval hour=strftime(_time,"%H")
| chart count OVER hour BY Caller_Computer_Name

Ciao.

Giuseppe

How to aggregate data by hour across multiple days

timechart

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to aggregate data by hour across multiple days

timechart

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!