My report shows events per hour, example:
22:00 - 10
23:00 - 7
00:00 - 3
01:00 - 2
I want it to show data only for hours 22:00 to 08:00. I do not want to see anything from 09:00 to 21:00.
try to add earliest and latest in your query as explained below. is it working?
Hi,
As you said you want a report that will summarize hourly events(as of now 24h) you want specific duration like 00:00 to 8:00. Suppose you have scheduled your report at 9.00 AM then you can calculate your required time duration like this earliest=-9h@h latest=-1h@h
. Like the above calculation you can change the earliest and latest as per your scheduled timing.
the search will be,
index=_internal earliest=-9h@h latest=-1h@h | timechart span=1h count
Cheers!