So, I was looking at this:
https://answers.splunk.com/answers/205556/how-to-set-up-an-alert-if-the-same-error-occurs-mo.html
Started with that to set up a report showing number of users with more than nnnn events per hour.
I though this query would give me per hour stats, for users with more than 3 events in the respective hour:
<base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by login_account | where count>3
Instead, I only get a total count for the whole query time period (24hrs in this case), and a listing of users with count>3 for those 24 hrs.
What have I not understood here?
You did the bucketing for 1hr for _time but didn't use it in your stats. Try this
<base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by _time login_account | where count>3
Thanks, that's a lot better 🙂