Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: How to write a search to create a time chart or a table with notable event times by hour?

kmcaloon
Explorer
‎10-27-2016 10:46 AM

Does anyone have a search to create either a timechart or a table with the notable event times by hour? I want to create a list of the busiest times our notables come in by urgency. I.E. 5 10 lows at 9:00, 11 lows at 10:00, 5 mediums at 9:00, 7 mediums at 10:00, etc.

This search works, but only for the last 24 hours:

| `es_notable_events` | search timeDiff_type=current | timechart minspan=1h sum(count) as count by urgency

I'd like to do an average number of tickets per hour of the day going back at least 30 days.

0 Karma
Reply

AnthonyTibaldi
Path Finder
‎01-12-2017 10:38 AM

'es_notable_events' works off an inputlookup that I don't think you can get data further back than the last 24 hours.

Try This search it seems to work for me.

`notable' | search NOT `suppression' | search (status="*") (owner="*") (security_domain="*") | timechart minspan=1h count by urgency

The 'notable' macro works of the notable index so you should get the data your looking for.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...