Splunk Search

group search results by hour of day

gerbert
Path Finder

Hi splunk community,

I feel like this is a very basic question but I couldn't get it to work.

I want to search my index for the last 7 days and want to group my results by hour of the day. So the result should be a column chart with 24 columns.
So for example my search looks like this:

index=myIndex status=12 user="gerbert"
| table status user _time


I want a chart that tells me how many counts i got over the last 7 days grouped by the hour of the day for a specific user and status number.

Cheers
gerbert

 

Labels (3)
0 Karma
1 Solution

ITWhisperer
Legend
index=myIndex status=12 user="gerbert"
| stats count by date_hour

View solution in original post

0 Karma

gerbert
Path Finder

Thanks for your help.

I already tried "group by date_hour" before posting here. It didn't give me the right results I was looking for.
I found another post with an answer. What worked for me in the end was:

index=myIndex status=12 user="gerbert"
| eval hour = strftime(_time, "%H")
| stats count by hour
| sort hour

 

0 Karma

ITWhisperer
Legend
index=myIndex status=12 user="gerbert"
| stats count by date_hour

View solution in original post

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.