Does anyone have a search to create either a timechart or a table with the notable event times by hour? I want to create a list of the busiest times our notables come in, by urgency, i.e. 5 10 lows at 9:00, 11 lows at 10:00, 5 mediums at 9:00, 7 mediums at 10:00, etc.
This search works, but only for the last 24 hours:
| `es_notable_events` | search timeDiff_type=current | timechart minspan=1h sum(count) as count by urgency
I'd like to do an average number of tickets per hour of the day going back at least 30 days.
`es_notable_events` works off an inputlookup, from which I don't think you can get data further back than the last 24 hours.
Try this search; it seems to work for me.
`notable` | search NOT `suppression` | search (status="*") (owner="*") (security_domain="*") | timechart minspan=1h count by urgency
The `notable` macro works off the notable index, so you should get the data you're looking for.
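The question also asks for the average number of notables per hour of the day over at least 30 days, which the timechart above does not compute by itself. The following search is an added example, not part of the original thread; it assumes the same ES `notable` and `suppression` macros referenced above and that `urgency` is populated on the notable events. Timechart fills empty hourly buckets with 0 before the average is taken, so quiet hours pull the mean down instead of being skipped; `untable` turns the per-urgency columns back into rows so one `stats` can average by hour of day and urgency.

```spl
`notable` earliest=-30d@d latest=@d
| search NOT `suppression`
| timechart span=1h count by urgency
| untable _time urgency count
| eval hour=strftime(_time, "%H")
| stats avg(count) as avg_per_hour, max(count) as busiest_day_count by hour, urgency
| sort hour, urgency
```

`earliest=-30d@d latest=@d` bounds the search to 30 whole days so each hour bucket is averaged over the same number of days; `hour` is derived from `_time` in the search head's timezone, so users in other timezones will see different hour labels for the same buckets.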