Solved: Stats by hour

motobeats · ‎06-24-2013

I would like to create a table of count metrics based on hour of the day. So average hits at 1AM, 2AM, etc.

stats min by date_hour, avg by date_hour, max by date_hour

I can not figure out why this does not work.

Here is the matrix I am trying to return. Assume 30 days of log data so 30 samples per each date_hour

date_hour count min ...
1 (total for 1AM hour) (min for 1AM hour; count for day with lowest hits at 1AM)
2 (total for 2AM hour) (min for 2AM hour; count for day with lowest hits at 2AM)
3
4
...

Would like to do max and percentiles as well to help understand typical and atypical hits at different times of day.

motobeats · ‎06-25-2013

This gave me what I was looking for:

bucket _time span=1h|stats count by _time date_hour|stats min(count), p25(count), p50(count), p75(count), max(count) by date_hour

View solution in original post

mosaicjwb · ‎09-02-2020

This was my solution to an hourly count issue. I've sanitized it. But I created this for a dashboard which watches inbound firewall traffic by country ($token_value$) per hour. Both Allowed and Dropped traffic.

index=firewall sourcetype=traffic action=* location=$token_value$ earliest=-1d@d latest=@d

| eval date_hour=strftime(_time, "%H")

| stats count as "Hourly Count" by action, location, date_hour

| sort date_hour by ascending

MTravisVolker · ‎04-11-2019

For a very similar problem I had I solved it this way:

index="my_Index" host="my:host" sourcetype="my:sourcetype"
| timechart count span=60m

motobeats · ‎06-25-2013

This gave me what I was looking for:

bucket _time span=1h|stats count by _time date_hour|stats min(count), p25(count), p50(count), p75(count), max(count) by date_hour

the_wolverine · ‎06-24-2013

| timechart span=1h avg(count) ?

Ayn · ‎06-25-2013

What's wrong about this answer?

jwalzerpitt · ‎01-15-2015

When I run the | timechart span=1h avg(count) query, no stats are being returned and I can't figure out why

somesoni2 · ‎01-15-2015

You would need to add some base search something like this (runanywhere query)

index=_internal sourcetype=splunkd | timechart span=1h avg(count)

jwalzerpitt · ‎01-16-2015

Thx for the reply and info. Added various sourcetypes in different queries and sometimes I see no results for the avg count, yet I see events.

For one particular query I see 373k events, yet nothing is returned in the statistics tab even though the the days are being listed for the following query: index=myindex sourcetype=myindex | timechart span=1d avg(count)

Thx

MTravisVolker · ‎04-11-2019

What is it averaging? Count. Why? Why not take count without averaging it?

Stats by hour

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Stats by hour

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions