Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stats by hour

motobeats
Path Finder
‎06-24-2013 03:12 PM

I would like to create a table of count metrics based on hour of the day. So average hits at 1AM, 2AM, etc.

stats min by date_hour, avg by date_hour, max by date_hour

I can not figure out why this does not work.

Here is the matrix I am trying to return. Assume 30 days of log data so 30 samples per each date_hour

date_hour count min ...
1 (total for 1AM hour) (min for 1AM hour; count for day with lowest hits at 1AM)
2 (total for 2AM hour) (min for 2AM hour; count for day with lowest hits at 2AM)
3
4
...

Would like to do max and percentiles as well to help understand typical and atypical hits at different times of day.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

motobeats
Path Finder
‎06-25-2013 12:47 AM

This gave me what I was looking for:

bucket _time span=1h|stats count by _time date_hour|stats min(count), p25(count), p50(count), p75(count), max(count) by date_hour

View solution in original post

Reply
Solved! Jump to solution

mosaicjwb
New Member
‎09-02-2020 09:06 AM

This was my solution to an hourly count issue. I've sanitized it. But I created this for a dashboard which watches inbound firewall traffic by country ($token_value$) per hour. Both Allowed and Dropped traffic.

index=firewall sourcetype=traffic action=* location=$token_value$ earliest=-1d@d latest=@d

| eval date_hour=strftime(_time, "%H")

| stats count as "Hourly Count" by action, location, date_hour

| sort date_hour by ascending

 

 

0 Karma
Reply
Solved! Jump to solution

MTravisVolker
Explorer
‎04-11-2019 02:29 PM

For a very similar problem I had I solved it this way: 

index="my_Index" host="my:host" sourcetype="my:sourcetype"
| timechart count span=60m
Reply
Solved! Jump to solution
Solution

motobeats
Path Finder
‎06-25-2013 12:47 AM

This gave me what I was looking for:

bucket _time span=1h|stats count by _time date_hour|stats min(count), p25(count), p50(count), p75(count), max(count) by date_hour
Reply
Solved! Jump to solution

the_wolverine
Champion
‎06-24-2013 03:39 PM
  • | timechart span=1h avg(count) ?
Reply
Solved! Jump to solution

Ayn
Legend
‎06-25-2013 12:22 AM

What's wrong about this answer?

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎01-15-2015 01:16 PM

When I run the | timechart span=1h avg(count) query, no stats are being returned and I can't figure out why

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎01-15-2015 02:47 PM

You would need to add some base search something like this (runanywhere query)

index=_internal sourcetype=splunkd | timechart span=1h avg(count)
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎01-16-2015 05:44 AM

Thx for the reply and info. Added various sourcetypes in different queries and sometimes I see no results for the avg count, yet I see events.

For one particular query I see 373k events, yet nothing is returned in the statistics tab even though the the days are being listed for the following query: index=myindex sourcetype=myindex | timechart span=1d avg(count)

Thx

0 Karma
Reply
Solved! Jump to solution

MTravisVolker
Explorer
‎04-11-2019 02:24 PM

What is it averaging? Count. Why? Why not take count without averaging it?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...