This was my solution to an hourly count issue. I've sanitized it, but I created this for a dashboard which watches inbound firewall traffic by country ($token_value$) per hour, both Allowed and Dropped traffic.

index=firewall sourcetype=traffic action=* location=$token_value$ earliest=-1d@d latest=@d
| eval date_hour=strftime(_time, "%H")
| stats count as "Hourly Count" by action, location, date_hour
| sort date_hour
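As an added example, not part of the original post, the same hourly-count pipeline reproduced in Python over a handful of constructed firewall events, so the time-window and grouping semantics can be checked offline. It assumes the search-time zone is UTC, models only the three fields the search touches (_time, action, location), and stands in for the SPL rather than calling Splunk; the sample events, the fixed "now", and the function names are all assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def _t(month, day, hour, minute):
    """Constructed event timestamp in 2024, UTC (assumption: search-time zone is UTC)."""
    return datetime(2024, month, day, hour, minute, tzinfo=UTC)


# Constructed sample events standing in for index=firewall sourcetype=traffic.
# Only the fields the search uses are modelled: _time, action, location.
SAMPLE_EVENTS = [
    {"_time": _t(3, 10, 23, 59), "action": "dropped", "location": "US"},  # before earliest
    {"_time": _t(3, 11, 0, 5),   "action": "allowed", "location": "US"},
    {"_time": _t(3, 11, 0, 40),  "action": "dropped", "location": "US"},
    {"_time": _t(3, 11, 13, 15), "action": "allowed", "location": "US"},
    {"_time": _t(3, 11, 13, 20), "action": "allowed", "location": "DE"},  # other country
    {"_time": _t(3, 11, 13, 50), "action": "allowed", "location": "US"},
    {"_time": _t(3, 11, 23, 59), "action": "dropped", "location": "US"},
    {"_time": _t(3, 12, 0, 0),   "action": "allowed", "location": "US"},  # == latest, excluded
]

# "Now" for the search, fixed so the example is reproducible (constructed).
NOW = _t(3, 12, 9, 30)


def day_window(now):
    """earliest=-1d@d latest=@d: snap 'now' back to midnight, then one day earlier.

    Splunk treats earliest as inclusive and latest as exclusive, so this is
    exactly yesterday 00:00:00 up to, but not including, today's 00:00:00.
    """
    latest = now.replace(hour=0, minute=0, second=0, microsecond=0)
    earliest = latest - timedelta(days=1)
    return earliest, latest


def hourly_counts(events, location, now):
    """Equivalent of:
      ... location=<location> earliest=-1d@d latest=@d
      | eval date_hour=strftime(_time, "%H")
      | stats count as "Hourly Count" by action, location, date_hour
      | sort date_hour
    Returns a list of row dicts, one per (action, location, hour) actually seen;
    hours with no events produce no row, just like stats in Splunk.
    """
    earliest, latest = day_window(now)
    counts = Counter()
    for ev in events:
        if not (earliest <= ev["_time"] < latest):
            continue                       # outside the time range
        if ev["location"] != location:
            continue                       # location=$token_value$ filter
        hour = ev["_time"].strftime("%H")  # zero-padded, so string order == numeric order
        counts[(ev["action"], ev["location"], hour)] += 1
    rows = [
        {"action": a, "location": loc, "date_hour": h, "Hourly Count": c}
        for (a, loc, h), c in counts.items()
    ]
    # Primary key is the hour; ordering within an hour (by action) is this
    # example's choice, the SPL sort only guarantees the hour order.
    rows.sort(key=lambda r: (r["date_hour"], r["action"]))
    return rows


if __name__ == "__main__":
    for row in hourly_counts(SAMPLE_EVENTS, "US", NOW):
        print(row)
```

Two things worth noticing when wiring this into a dashboard: the event stamped exactly at the latest boundary is dropped (latest is exclusive), and hours with no traffic simply do not appear, so a chart will show gaps unless the query is extended to fill in zero rows.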