I am trying to construct a search that will display the percentage of times an event happened before 8 am and the percentage of times the event happened after 8 am, over the last month or even the last year.
I have not found much in the way of getting started... I think it might have something to do with buckets and possibly a timechart, but I am really not sure.
<your_search_for_Event>
| eval timeBucket = if(tonumber(strftime(_time, "%H")) < 8, "Before", "After")
| stats sum(eval(if(timeBucket == "After", 1, 0))) as After
        sum(eval(if(timeBucket == "Before", 1, 0))) as Before
| eval total = After + Before
| eval After_Percent = After / total * 100
| eval Before_Percent = Before / total * 100
If you have a key in the event, you can use the normal by clause to split it out, and nothing else will need to change!
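As an added example (not part of the answer above, and not Splunk's own documentation), the same bucketing carried through with the by-clause split, a fixed time range, and rounded percentages. The index, sourcetype, action and user field names are assumptions chosen to look like an authentication log; substitute your own. One caveat worth knowing: strftime(_time, "%H") renders the hour in the timezone preference of the user running the search, so two analysts can get different "before 8 am" counts from the same data. The search below instead derives the hour from the epoch value with modular arithmetic, which is always UTC and therefore stable across users, scheduled searches and dashboards.

```spl
index=main sourcetype=auth action=failure earliest=-30d@d latest=@d
``` assumed index/sourcetype/field names; replace with your own ```
| eval utc_hour = floor((_time % 86400) / 3600)
``` 86400 seconds per day: _time mod 86400 is the offset into the UTC day ```
| eval timeBucket = if(utc_hour < 8, "Before", "After")
| stats count(eval(timeBucket == "Before")) as Before
        count(eval(timeBucket == "After"))  as After
  by user
``` count(eval(...)) counts only the events where the expression is true ```
| eval total = Before + After
| eval Before_Percent = round(Before / total * 100, 1)
| eval After_Percent  = round(After  / total * 100, 1)
| sort - Before_Percent
```

Drop the "by user" clause to get a single overall row, or change it to any field that identifies the thing you are measuring. The triple-backtick lines inside the search are SPL comments (supported in recent Splunk versions); remove them on older releases. If you do want local time rather than UTC, keep the original strftime form but make sure every scheduled search and dashboard that reuses it runs under an account with the same timezone setting.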