Stats per hour?

reedmohn · ‎02-12-2016

So, I was looking at this:
https://answers.splunk.com/answers/205556/how-to-set-up-an-alert-if-the-same-error-occurs-mo.html

Started with that to set up a report showing number of users with more than nnnn events per hour.

I though this query would give me per hour stats, for users with more than 3 events in the respective hour:

<base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by login_account | where count>3

Instead, I only get a total count for the whole query time period (24hrs in this case), and a listing of users with count>3 for those 24 hrs.

What have I not understood here?

somesoni2 · ‎02-12-2016

You did the bucketing for 1hr for _time but didn't use it in your stats. Try this

 <base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by _time login_account | where count>3

reedmohn · ‎02-15-2016

Thanks, that's a lot better 🙂

Stats per hour?

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

4 Ways the Splunk Community Helps You Prepare for .conf25

Are you a member of the Splunk Community?

Stats per hour?

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

4 Ways the Splunk Community Helps You Prepare for .conf25