Solved: How to generate a search that will display event t...

lasonyadj · ‎02-10-2017

I am trying to write a search that will return a report of event times by hour for each sourcetype.

For example,

                      Source1      Source2    Source3             Total
1/1/17 1:00PM         5000         2000       500                 7500 
1/1/17 2:00PM         4000         1000       100                 5100

Any assistance will be appreciated.

rjthibod · ‎02-10-2017

This is should get you started

| tstats count where index=* by sourcetype _time span=1h 
| chart sum(count) limit=0 by _time span=1h sourcetype
| addtotals fieldname=Total
| where Total > 0

View solution in original post

mpreddy · ‎02-10-2017

try like this:

index=_internal|eventstats count by sourcetype|timechart span=1h c by sourcetype | addtotals

lasonyadj · ‎02-10-2017

Thanks! this one only gave me the database stats but its a good starting point.

rjthibod · ‎02-10-2017

This is should get you started

| tstats count where index=* by sourcetype _time span=1h 
| chart sum(count) limit=0 by _time span=1h sourcetype
| addtotals fieldname=Total
| where Total > 0

lasonyadj · ‎02-10-2017

Thanks, that seemed to do the trick!!

How to generate a search that will display event times by sourcetype?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms