We've been using the following search
sourcetype=*_catalina ERROR logging_level=ERROR | bucket _time span=4h | timechart count span=4h
that counts the errors every 4 hours throughout the day, e.g.
00:00
04:00
08:00
however, we'd like to see the errors every 4 hours from now, e.g.
15:37:12
19:37:12
23:37:12
Is this possible? How can we achieve this?
I've tweaked @somesoni2's answer to suit my needs and it appears to run okay, though a little slow; any optimization suggestions would be appreciated.
sourcetype=*_catalina (ERROR OR SEVERE OR FATAL)
| where ISNULL(logging_level) OR logging_level="ERROR" OR logging_level="SEVERE" OR logging_level="FATAL"
| table _time
| eval diff=now()-relative_time(now(),"@d")
| eval diff=case(
    diff < (4*3600),     diff - (1*(4*3600)),
    diff < (2*(4*3600)), diff - (2*(4*3600)),
    diff < (3*(4*3600)), diff - (3*(4*3600)),
    diff < (4*(4*3600)), diff - (4*(4*3600)),
    diff < (5*(4*3600)), diff - (5*(4*3600)),
    diff < (6*(4*3600)), diff - (6*(4*3600)),
    diff < (7*(4*3600)), diff - (7*(4*3600)))
| eval _time=_time-diff
| timechart span=4h count max(diff) as diff
| eval _time=_time+diff
| fields - diff
Give this a try
sourcetype=*_catalina ERROR logging_level=ERROR
| table _time
| eval diff=now()-relative_time(now(),"@h")
| eval _time=_time-diff
| timechart span=4h count max(diff) as diff
| eval _time=_time+diff
| fields - diff
This doesn't work as I want; it still gives me a truncated count for the last 4 hours.
It rounds all the events to the nearest hour; if it rounded them to the nearest 4-hour block, then it would possibly do what I want.