Solved: How do I display most popular hour for user logons...

hagjos43 · ‎01-24-2014

My searchstring looks like this:
index=123 sourctype=xyz EventCode=4624 | timechart span=1h count

This gives me Logons by hour, but every hour of every day for the given range. I want it to show the logons by hour over the course of a week for example:
0100 - 2
0200 - 45
0300 - 3

It would show the logons by most popular hour for any given time range be it week, month, year, etc.

kristian_kolb · ‎01-24-2014

Make use of the default-extracted fields date_* (date_hour, date_year etc)

index=blah sourcetype=bleh EventCode=1234 | stats count by date_hour

In some cases, these fields are not always extracted, but you can create them yourself;

index=blah sourcetype=bleh EventCode=1234 | eval date_hour = strftime(_time, "%H") | stats count by date_hour

Hope this helps,

K

View solution in original post

kristian_kolb · ‎01-24-2014

Make use of the default-extracted fields date_* (date_hour, date_year etc)

index=blah sourcetype=bleh EventCode=1234 | stats count by date_hour

In some cases, these fields are not always extracted, but you can create them yourself;

index=blah sourcetype=bleh EventCode=1234 | eval date_hour = strftime(_time, "%H") | stats count by date_hour

Hope this helps,

K

hagjos43 · ‎01-24-2014

That's exactly what I wanted!! Thanks!!!

How do I display most popular hour for user logons?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

How do I display most popular hour for user logons?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!