Solved: How to count over host by date with a set time ran...

pkcbailey · ‎06-30-2015

I would like to "search |stats count over host by date` only for Midnight to 16:00 EST and I want to report a month of activity.

MuS · ‎06-30-2015

Hi pkcbailey,

you can either use chart or timechart for this. use either of the following two examples:

your search here earliest=-1mon@mon latest=-0mon@mon date_hour>=00 AND date_hour<=15 | bucket _time span=1d | chart count over _time by host

or

your search here earliest=-1mon@mon latest=-0mon@mon date_hour>=00 AND date_hour<=15 | timechart span=1d count by host

both examples will return a daily event count by host over the last month.

Hope that helps ...

cheers, MuS

MuS · ‎06-30-2015

Hi pkcbailey,

you can either use chart or timechart for this. use either of the following two examples:

your search here earliest=-1mon@mon latest=-0mon@mon date_hour>=00 AND date_hour<=15 | bucket _time span=1d | chart count over _time by host

or

your search here earliest=-1mon@mon latest=-0mon@mon date_hour>=00 AND date_hour<=15 | timechart span=1d count by host

both examples will return a daily event count by host over the last month.

Hope that helps ...

cheers, MuS

How to count over host by date with a set time range?