Stats per hour?

reedmohn · ‎02-12-2016

So, I was looking at this:
https://answers.splunk.com/answers/205556/how-to-set-up-an-alert-if-the-same-error-occurs-mo.html

Started with that to set up a report showing number of users with more than nnnn events per hour.

I though this query would give me per hour stats, for users with more than 3 events in the respective hour:

<base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by login_account | where count>3

Instead, I only get a total count for the whole query time period (24hrs in this case), and a listing of users with count>3 for those 24 hrs.

What have I not understood here?

somesoni2 · ‎02-12-2016

You did the bucketing for 1hr for _time but didn't use it in your stats. Try this

 <base search> (EventCode=XXXX) | eval login_account=mvindex(Account_Name,1) | bucket _time span=1h | stats count by _time login_account | where count>3

reedmohn · ‎02-15-2016

Thanks, that's a lot better 🙂

Stats per hour?

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation

Stats per hour?

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI