Splunk Enterprise Security: How to write a search ...

kmcaloon · ‎10-27-2016

Does anyone have a search to create either a timechart or a table with the notable event times by hour? I want to create a list of the busiest times our notables come in by urgency. I.E. 5 10 lows at 9:00, 11 lows at 10:00, 5 mediums at 9:00, 7 mediums at 10:00, etc.

This search works, but only for the last 24 hours:

| `es_notable_events` | search timeDiff_type=current | timechart minspan=1h sum(count) as count by urgency

I'd like to do an average number of tickets per hour of the day going back at least 30 days.

AnthonyTibaldi · ‎01-12-2017

'es_notable_events' works off an inputlookup that I don't think you can get data further back than the last 24 hours.

Try This search it seems to work for me.

`notable' | search NOT `suppression' | search (status="*") (owner="*") (security_domain="*") | timechart minspan=1h count by urgency

The 'notable' macro works of the notable index so you should get the data your looking for.

Splunk Enterprise Security: How to write a search to create a time chart or a table with notable event times by hour?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation