There are a couple approaches to this
I’m trying to count the number of entries per hour from a specific source and I’m just having a hard time figuring out how to do that.
I ended up running this but I’m trying to get it to sum them by hour:
tag=windows src == 192.168.1.1 | count | chart count
There are a couple approaches you can use here:
The first is to use the modifier "over X" to put search results into time buckets. Using
count over 1h
in your query should get you what you are looking for. Additionally, the ’time’ module can do exactly this for you as well. Take this example:
tag=dns time -f "15" TIMESTAMP hour | count by hour | chart count by hour limit 24
To break this down:
"tag=dns" is all of my DNS records
'time -f "15" TIMESTAMP hour' - invoke the time module, use the "24-hour time format" and just enumerate the hour, named hour. The number "15" in there is actually important here - we use a time library that gives special significance to numbers in the format of: "Mon Jan _2 15:04:05 2006". Note that each number in that string is unique, so we can do things like "15" and that maps into that string as "24 hour time, the hour".
Then we count by hour, and chart. We limit the chart to 24 to force it to draw 24 bins. I change the visualization also to bar chart and make sure my time window is “last 24 hours”.
Your output will look something like this:
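As an added illustration of the hour-bucketing the answer describes (this is example code written for this page, not Gravwell's time module or the poster's query), the Go program below applies the same reference-layout token "15" from "Mon Jan _2 15:04:05 2006" to pull the 24-hour hour out of each timestamp, filters entries by source, and counts them into 24 fixed buckets, so empty hours still appear, which is what "limit 24" achieves in the charted query. The log lines, the source address filter and the "<timestamp> <src> <message>" line shape are constructed assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed sample entries (not data from the original post):
// "<RFC3339 timestamp> <src> <message>".
var sampleLines = []string{
	"2024-05-01T00:15:00Z 192.168.1.1 logon",
	"2024-05-01T00:45:00Z 192.168.1.1 logon",
	"2024-05-01T03:02:00Z 192.168.1.1 logoff",
	"2024-05-01T15:04:05Z 192.168.1.1 logon",
	"2024-05-01T15:59:59Z 192.168.1.1 logon",
	"2024-05-01T15:30:00Z 10.0.0.7 logon", // different source, must be excluded
	"2024-05-01T23:59:00Z 192.168.1.1 logoff",
}

// HourLabel returns the bucket label for t using the layout token the answer
// relies on: "15" in Go's reference time "Mon Jan _2 15:04:05 2006" means the
// zero-padded 24-hour hour, so 3 AM renders as "03" and 3 PM as "15".
func HourLabel(t time.Time) string {
	return t.UTC().Format("15")
}

// LayoutVariants shows that each number in the reference string is unique:
// "15" is the 24-hour hour, "3" the 12-hour hour, "03PM" padded 12-hour plus meridiem.
func LayoutVariants(t time.Time) [3]string {
	u := t.UTC()
	return [3]string{u.Format("15"), u.Format("3"), u.Format("03PM")}
}

// CountPerHour keeps only entries whose second field equals src and counts
// them into 24 hourly buckets (index 0-23). Every bucket is present even when
// empty, mirroring "chart count by hour limit 24".
func CountPerHour(lines []string, src string) ([24]int, error) {
	var buckets [24]int
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			return buckets, errors.New("malformed entry: " + line)
		}
		if fields[1] != src {
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return buckets, err
		}
		buckets[ts.UTC().Hour()]++
	}
	return buckets, nil
}

// RenderBars renders the buckets as a text bar chart, one row per hour,
// so all 24 bins are drawn whether or not they hold data.
func RenderBars(buckets [24]int) []string {
	rows := make([]string, 0, 24)
	for h, n := range buckets {
		rows = append(rows, fmt.Sprintf("%02d %s (%d)", h, strings.Repeat("#", n), n))
	}
	return rows
}

func main() {
	buckets, err := CountPerHour(sampleLines, "192.168.1.1")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, row := range RenderBars(buckets) {
		fmt.Println(row)
	}
}
```

Bucketing on the hour index rather than on the raw timestamp is what collapses many entries into one row per hour; the fixed 24-element array is the equivalent of forcing the chart to draw all 24 bins, so a quiet hour shows as a zero rather than disappearing from the plot.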