Solved: How do I display most popular hour for user logons...

hagjos43 · ‎01-24-2014

My searchstring looks like this:
index=123 sourctype=xyz EventCode=4624 | timechart span=1h count

This gives me Logons by hour, but every hour of every day for the given range. I want it to show the logons by hour over the course of a week for example:
0100 - 2
0200 - 45
0300 - 3

It would show the logons by most popular hour for any given time range be it week, month, year, etc.

kristian_kolb · ‎01-24-2014

Make use of the default-extracted fields date_* (date_hour, date_year etc)

index=blah sourcetype=bleh EventCode=1234 | stats count by date_hour

In some cases, these fields are not always extracted, but you can create them yourself;

index=blah sourcetype=bleh EventCode=1234 | eval date_hour = strftime(_time, "%H") | stats count by date_hour

Hope this helps,

K

View solution in original post

kristian_kolb · ‎01-24-2014

Make use of the default-extracted fields date_* (date_hour, date_year etc)

index=blah sourcetype=bleh EventCode=1234 | stats count by date_hour

In some cases, these fields are not always extracted, but you can create them yourself;

index=blah sourcetype=bleh EventCode=1234 | eval date_hour = strftime(_time, "%H") | stats count by date_hour

Hope this helps,

K

hagjos43 · ‎01-24-2014

That's exactly what I wanted!! Thanks!!!

How do I display most popular hour for user logons?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation