Stats per hour?

reedmohn · ‎02-12-2016

So, I was looking at this:
https://answers.splunk.com/answers/205556/how-to-set-up-an-alert-if-the-same-error-occurs-mo.html

Started with that to set up a report showing number of users with more than nnnn events per hour.

I though this query would give me per hour stats, for users with more than 3 events in the respective hour:

<base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by login_account | where count>3

Instead, I only get a total count for the whole query time period (24hrs in this case), and a listing of users with count>3 for those 24 hrs.

What have I not understood here?

somesoni2 · ‎02-12-2016

You did the bucketing for 1hr for _time but didn't use it in your stats. Try this

 <base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by _time login_account | where count>3

reedmohn · ‎02-15-2016

Thanks, that's a lot better 🙂

Stats per hour?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Stats per hour?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!