There are a couple of approaches to this
I’m trying to count the number of entries per hour from a specific source and I’m just having a hard time figuring out how to do that.
I ended up running this, but I’m trying to get it to sum them by hour:
tag=windows src == 192.168.1.1 | count | chart count
There are a couple of approaches you can use here:
The first is to use the modifier "over X" to put search results into time buckets.
count over 1h
Using the above snippet in your query should get you what you are looking for. Additionally, the "time" module can do exactly this for you as well. Take this example:
tag=dns time -f "15" TIMESTAMP hour | count by hour | chart count by hour limit 24
To break this down:
"tag=dns" selects all of my DNS records.
"time -f "15" TIMESTAMP hour" invokes the time module, uses the 24-hour time format and just enumerates the hour, naming the result "hour". The number "15" in there is actually important here: we use a time library that gives special significance to the numbers in the reference string "Mon Jan _2 15:04:05 2006". Each number in that string is unique, so we can write "15" and it maps into that string as "24-hour time, the hour".
Then we count by hour and chart. We limit the chart to 24 to force it to draw 24 bins. I changed the visualization to bar chart and made sure my time window was "last 24 hours".
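The reference string quoted above is the layout convention of Go's standard time package, where each numeric token ("15" for the 24-hour hour, "04" for the minute, "2006" for the year) stands for one field. As an added illustration that is not part of this article and not Gravwell's own code, the Go program below does the same two things the answer describes, first bucketing matching records by hour of day (the "time -f "15"" approach, with a fixed 24-slot table so empty hours still show up, which is what "limit 24" achieves in the chart) and then bucketing by absolute one-hour window (the "count over 1h" approach). The log lines, the tag and source filter, and the function names HourOf, BucketStart, CountByHour and CountOver are all constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample records for this example (not data from the article):
// "<RFC3339 timestamp> <tag> <source IP>".
var sampleLogs = []string{
	"2024-03-01T00:14:02Z windows 192.168.1.1",
	"2024-03-01T00:48:31Z windows 192.168.1.1",
	"2024-03-01T01:05:10Z windows 192.168.1.1",
	"2024-03-01T01:07:59Z windows 10.0.0.7",
	"2024-03-01T13:22:45Z windows 192.168.1.1",
	"2024-03-01T13:59:59Z dns 192.168.1.1",
	"2024-03-01T23:10:00Z windows 192.168.1.1",
}

// HourOf renders the hour of t with Go's reference-time layout "15": in
// "Mon Jan _2 15:04:05 2006" the token 15 is the 24-hour hour, so the result
// is zero-padded "00".."23". This is the layout semantics `time -f "15"` uses.
func HourOf(t time.Time) string {
	return t.UTC().Format("15")
}

// BucketStart truncates t to the start of its d-wide window, which is the
// effect of "count over 1h" when d == time.Hour.
func BucketStart(t time.Time, d time.Duration) time.Time {
	return t.UTC().Truncate(d)
}

// parseRecord splits one constructed log line into timestamp, tag and source.
func parseRecord(line string) (time.Time, string, string, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return time.Time{}, "", "", fmt.Errorf("malformed record: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return time.Time{}, "", "", fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return ts, f[1], f[2], nil
}

// CountByHour mirrors `tag=X src==Y | time -f "15" TIMESTAMP hour | count by hour`.
// It returns a fixed 24-slot table indexed by hour 0..23, so hours with no
// matching records still appear as zero.
func CountByHour(lines []string, tag, src string) ([24]int, error) {
	var counts [24]int
	for _, line := range lines {
		ts, t, s, err := parseRecord(line)
		if err != nil {
			return counts, err
		}
		if t != tag || s != src {
			continue
		}
		// Go through the "15" layout deliberately, to show the mapping.
		h, err := strconv.Atoi(HourOf(ts))
		if err != nil {
			return counts, err
		}
		counts[h]++
	}
	return counts, nil
}

// CountOver mirrors `count over 1h`: results are keyed by the start of the
// absolute time window rather than by hour of day, so records from two
// different days never share a bucket.
func CountOver(lines []string, tag, src string, d time.Duration) (map[time.Time]int, error) {
	counts := make(map[time.Time]int)
	for _, line := range lines {
		ts, t, s, err := parseRecord(line)
		if err != nil {
			return nil, err
		}
		if t != tag || s != src {
			continue
		}
		counts[BucketStart(ts, d)]++
	}
	return counts, nil
}
```

Over the constructed records, CountByHour for tag "windows" and source 192.168.1.1 yields 2 entries in hour 00, and 1 each in hours 01, 13 and 23 (the 10.0.0.7 and dns records are filtered out); CountOver with a one-hour window yields the same numbers keyed by the window start. The difference between the two matters when the search window spans more than a day: hour-of-day buckets fold every day together, while absolute windows keep them apart.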
Your output will look something like this: