Solved: Re: How do I display most popular hour for user lo...

hagjos43 · ‎01-24-2014

My searchstring looks like this:
index=123 sourctype=xyz EventCode=4624 | timechart span=1h count

This gives me Logons by hour, but every hour of every day for the given range. I want it to show the logons by hour over the course of a week for example:
0100 - 2
0200 - 45
0300 - 3

It would show the logons by most popular hour for any given time range be it week, month, year, etc.

kristian_kolb · ‎01-24-2014

Make use of the default-extracted fields date_* (date_hour, date_year etc)

index=blah sourcetype=bleh EventCode=1234 | stats count by date_hour

In some cases, these fields are not always extracted, but you can create them yourself;

index=blah sourcetype=bleh EventCode=1234 | eval date_hour = strftime(_time, "%H") | stats count by date_hour

Hope this helps,

K

View solution in original post

kristian_kolb · ‎01-24-2014

Make use of the default-extracted fields date_* (date_hour, date_year etc)

index=blah sourcetype=bleh EventCode=1234 | stats count by date_hour

In some cases, these fields are not always extracted, but you can create them yourself;

index=blah sourcetype=bleh EventCode=1234 | eval date_hour = strftime(_time, "%H") | stats count by date_hour

Hope this helps,

K

hagjos43 · ‎01-24-2014

That's exactly what I wanted!! Thanks!!!

How do I display most popular hour for user logons?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How Edge Processor's Durable Queue Works

Announcing Modern Navigation: A New Era of Splunk User Experience

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation