jjohnson8
Reputation: 361
Group event counts by hour over time
I currently have a query that aggregates events over the last hour, and alerts my team if events are over a specific threshold. The query was recently accidentally disabled, and it turns out there were times when the alert should have fired but did not.
My goal is apply this alert query logic to the previous month, and determine how many times the alert would have fired, had it been functional. However, I am having a hard time figuring out how best to group these. In pseudo code I basically I would have (running over a 30 day time frame) :
index="some_index" | where count > n | group by hour
Hopefully this makes sense, if not, I am happy to provide some clarification.
Thanks in advance
Upvotes: 10
Views: 21704
Answers (1)
RichG
Reputation: 9906
This should get you started:
index=foo | bin span=1h _time | stats count by _time | where count > n
Upvotes: 24
Related Questions
- Splunk: Split a time period into hourly intervals
- SparkSQL2.0 Query to count number of requests every 15 minutes within past hour
- Output counts grouped by field values by for date in Splunk
- Sum of numeric values in all events in given time period
- Timechart with distinct_count per day
- Group events by multiple fields in Splunk
- How to count the total number of events in a splunk search result?
- Get the count of above occurrences on an hourly basis using splunk query
- Get number of events occurring per hour
- How to count event in the last hour grouping by minute