How to display the time in _time?

nive00
Engager

I need to display the maximum count of users logged in per day (at what time).

I am able to get the max user count from the query below, but I am not sure how to get the time at which the maximum number of users were logged in.

index=hwm_* sourcetype=was:maximo:sysout UID=* OR uid=* asset_env=PROD  | eval username=coalesce(UID,uid) | timechart span=1h dc(username) as usercount | timechart span=1d max(usercount)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

If you want the maximum number of users attempting to login in an hour per day plus the hour that maximum occurred in, try this:

index=hwm_* sourcetype=was:maximo:sysout UID=* OR uid=* asset_env=PROD | eval username=coalesce(UID,uid)
| bin _time span=1h | stats dc(username) as users by _time
| bin _time as day span=1d | eventstats max(users) as max by day
| where users=max | fields - day max

Note, this will yield multiple hours per day if the maximum occurs multiple times that day.
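
The same three steps as the search above (hourly distinct count, daily maximum via eventstats, keep only the hours equal to that maximum) reproduced in Python, as an added example that is not part of the original thread, for checking what the search should return on a small, constructed set of login events. The log line format, the UID/uid values and the timestamps are all made up for the example; the optional first_only flag shows the extra step you need if you want exactly one hour per day when a day's maximum occurs more than once.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not taken from the original post): one login
# event per line, "<ISO-8601 UTC timestamp> <UID|uid>=<user>". The field name
# varies in case on purpose, to mirror coalesce(UID,uid) in the question, and
# one line carries no user field at all so the UID=* OR uid=* filter is exercised.
SAMPLE_EVENTS = """\
2024-03-01T08:05:00Z UID=alice
2024-03-01T08:20:00Z uid=bob
2024-03-01T08:40:00Z UID=alice
2024-03-01T09:10:00Z uid=carol
2024-03-01T09:15:00Z uid=dave
2024-03-01T09:20:00Z level=INFO msg=heartbeat
2024-03-01T09:50:00Z UID=erin
2024-03-01T14:02:00Z uid=alice
2024-03-01T14:30:00Z uid=bob
2024-03-01T14:31:00Z UID=carol
2024-03-02T10:00:00Z uid=alice
2024-03-02T11:00:00Z uid=bob
2024-03-02T11:30:00Z UID=carol
"""


def parse_events(text):
    """Return a list of (timestamp, username) tuples.

    Lines without a parsable timestamp or without a UID/uid field are
    skipped, which is what the search filter UID=* OR uid=* does.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        username = None
        for token in parts[1:]:
            key, sep, value = token.partition("=")
            if sep and key in ("UID", "uid") and value:
                username = value  # coalesce(UID,uid): first non-empty value wins
                break
        if username is not None:
            events.append((ts, username))
    return events


def hourly_distinct_users(events):
    """Equivalent of: bin _time span=1h | stats dc(username) as users by _time"""
    users_by_hour = defaultdict(set)
    for ts, username in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        users_by_hour[hour].add(username)
    return {hour: len(users) for hour, users in users_by_hour.items()}


def peak_hours_per_day(text, first_only=False):
    """Equivalent of: bin _time as day span=1d | eventstats max(users) as max by day
    | where users=max

    Returns [(hour_iso, users), ...] sorted by time. Every hour that reaches the
    day's maximum is kept, exactly as the search does; with first_only=True only
    the earliest such hour per day is returned.
    """
    counts = hourly_distinct_users(parse_events(text))
    max_by_day = defaultdict(int)
    for hour, users in counts.items():
        day = hour.date()
        max_by_day[day] = max(max_by_day[day], users)
    result = []
    seen_days = set()
    for hour in sorted(counts):
        day = hour.date()
        if counts[hour] != max_by_day[day]:
            continue
        if first_only and day in seen_days:
            continue
        seen_days.add(day)
        result.append((hour.strftime("%Y-%m-%dT%H:%M:%SZ"), counts[hour]))
    return result


if __name__ == "__main__":
    for hour, users in peak_hours_per_day(SAMPLE_EVENTS):
        print(hour, users)
```

On the sample data the first day peaks at 3 distinct users in both the 09:00 and 14:00 hours, so both rows come back, which is the situation the note above describes; the second day has a single peak hour. The script bins in UTC, whereas Splunk bins _time in the search's time zone, so day boundaries can differ for the same events. If one row per day is wanted in the search itself, a `| dedup day` before the `fields - day max` step keeps only the first hour that reaches the maximum.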

nive00
Engager

Thank you!
