Splunk Search

group search results by hour of day

gerbert
Path Finder

Hi splunk community,

I feel like this is a very basic question but I couldn't get it to work.

I want to search my index for the last 7 days and want to group my results by hour of the day. So the result should be a column chart with 24 columns.
So for example my search looks like this:

index=myIndex status=12 user="gerbert"
| table status user _time


I want a chart that tells me how many counts i got over the last 7 days grouped by the hour of the day for a specific user and status number.

Cheers
gerbert

 

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index=myIndex status=12 user="gerbert"
| stats count by date_hour

View solution in original post

0 Karma

gerbert
Path Finder

Thanks for your help.

I already tried "group by date_hour" before posting here. It didn't give me the right results I was looking for.
I found another post with an answer. What worked for me in the end was:

index=myIndex status=12 user="gerbert"
| eval hour = strftime(_time, "%H")
| stats count by hour
| sort hour

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=myIndex status=12 user="gerbert"
| stats count by date_hour
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...