Hi, I am trying to find the busiest time of the day for the last 30 days. What I need is a table like this -
Day PeakhourofTheDay count
I have this query, but it's not showing the peak hour in the table. Also, I am not sure if it's correct. Any help is appreciated.
index=web_env sourcetype=ssl_access_combined
| timechart span=1h count
| timechart span=1d max(count)
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-30d@d"), relative_time(_time,"@d"))
| makecontinuous span=1m
| eval count = random() % 2
| eval value = if(count==0,"ok",NULL)
| table _time value
| rename COMMENT AS "this is sample data"
| timechart span=1h count(value) as count
| eval days = strftime(_time, "%e")
| eventstats max(count) as max_count by days
| chart values(eval(if(max_count==count,_time,NULL))) as max_date values(max_count) as max_count by days
| fieldformat max_date=strftime(max_date,"%F %H:%M")
| table max_date max_count
The output values are a little different, but it would be okay.
@to4kawa thanks for the response, but this is not what I am looking for. Moreover, this query is a bit complex and not very optimized if I have to run it for a longer period.
I have shared the working query, but it's just that it is not showing the peak hour along with the day. I need something like this in a tabular format -
Day PeakhourofTheDay PeakHourCount
Try rename and eval.
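Added example (not from either poster): one way to get the Day / PeakHourOfTheDay / PeakHourCount table directly. It starts from a constructed set of hourly counts so it runs without the web_env index; to run it against real data, replace the first four lines with `index=web_env sourcetype=ssl_access_combined earliest=-30d@d | bin _time span=1h | stats count BY _time` (index and sourcetype taken from the question). The field names Day, PeakHourOfTheDay and PeakHourCount are assumptions matching the requested table.

```spl
| makeresults count=720
| streamstats count AS n
| eval _time = relative_time(now(), "-30d@d") + (n - 1) * 3600
| eval count = (n * 37) % 101
| rename COMMENT AS "above: constructed sample data, one synthetic count per hour for 30 days"
| eval Day = strftime(_time, "%F"), PeakHourOfTheDay = strftime(_time, "%H:00")
| sort 0 Day -count
| dedup Day
| rename count AS PeakHourCount
| table Day PeakHourOfTheDay PeakHourCount
```

Two design choices worth noting. Grouping by `%F` (full date) rather than `%e` (day of month) keeps days from different months apart if the range ever exceeds 31 days. `sort 0 Day -count | dedup Day` returns exactly one row per day; if two hours tie for the maximum, only the first is kept, so swap in `eventstats max(count) AS PeakHourCount BY Day | where count == PeakHourCount` when every tied hour should be listed. The hour labels follow the search-time timezone of the user running the search, so day boundaries shift if the searching user and the web servers are in different zones.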