Stats per hour? - Splunk Community

Splunk Search

So, I was looking at this:
https://answers.splunk.com/answers/205556/how-to-set-up-an-alert-if-the-same-error-occurs-mo.html

Started with that to set up a report showing number of users with more than nnnn events per hour.

I though this query would give me per hour stats, for users with more than 3 events in the respective hour:

<base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by login_account | where count>3

Instead, I only get a total count for the whole query time period (24hrs in this case), and a listing of users with count>3 for those 24 hrs.

What have I not understood here?

You did the bucketing for 1hr for _time but didn't use it in your stats. Try this

 <base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by _time login_account | where count>3

Thanks, that's a lot better 🙂

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...