Solved: group search results by hour of day

gerbert · ‎04-13-2021

Hi splunk community,

I feel like this is a very basic question but I couldn't get it to work.

I want to search my index for the last 7 days and want to group my results by hour of the day. So the result should be a column chart with 24 columns.
So for example my search looks like this:

index=myIndex status=12 user="gerbert"
| table status user _time

I want a chart that tells me how many counts i got over the last 7 days grouped by the hour of the day for a specific user and status number.

Cheers
gerbert

ITWhisperer · ‎04-13-2021

index=myIndex status=12 user="gerbert"
| stats count by date_hour

View solution in original post

gerbert · ‎04-13-2021

Thanks for your help.

I already tried "group by date_hour" before posting here. It didn't give me the right results I was looking for.
I found another post with an answer. What worked for me in the end was:

index=myIndex status=12 user="gerbert"
| eval hour = strftime(_time, "%H")
| stats count by hour
| sort hour

ITWhisperer · ‎04-13-2021

index=myIndex status=12 user="gerbert"
| stats count by date_hour

group search results by hour of day

count

stats

timechart

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?