Group event counts by hour over time

splunk splunk-query
jjohnson8 picture jjohnson8 · Aug 8, 2018 · Viewed 8k times · Source

I currently have a query that aggregates events over the last hour, and alerts my team if events are over a specific threshold. The query was recently accidentally disabled, and it turns out there were times when the alert should have fired but did not.

My goal is apply this alert query logic to the previous month, and determine how many times the alert would have fired, had it been functional. However, I am having a hard time figuring out how best to group these. In pseudo code I basically I would have (running over a 30 day time frame) : 

  index="some_index" | where count > n | group by hour

Hopefully this makes sense, if not, I am happy to provide some clarification.

Thanks in advance

Answer

RichG picture RichG · Aug 8, 2018

This should get you started:

index=foo | bin span=1h _time | stats count by _time | where count > n

Related questions

Splunk how to combine two queries and get one answer

I am very new to Splunk and basically been dropped in the deep end!! also very new to language so any help and tips on the below would be great. The out come i am trying to get is to …

Read More
splunk check if message contains certain string

In Splunk search query how to check if log message has a text or not? Log message: message: 2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ... and I …

Read More
What does (?i) and ?@ in this regex mean

In the following regex what does "(?i)" and "?@" mean? (?i)<.*?@(?P<domain>\w+\.\w+)(?=>) I know that "?" means zero or one and that i sets case insensitivity. This regex captures domains from an email address in …

Read More