I need to display the maximum count of users logged in per day (at what time).
I am able to get the max user count from the query below, but I am not sure how to get the time at which Maximo users were logged in.
index=hwm_* sourcetype=was:maximo:sysout UID=* OR uid=* asset_env=PROD | eval username=coalesce(UID,uid) | timechart span=1h dc(username) as usercount | timechart span=1d max(usercount)
If you want the maximum number of users attempting to log in in an hour per day plus the hour that maximum occurred in, try this:
index=hwm_* sourcetype=was:maximo:sysout UID=* OR uid=* asset_env=PROD | eval username=coalesce(UID,uid)
| bin _time span=1h | stats dc(username) as users by _time
| bin _time as day span=1d | eventstats max(users) as max by day
| where users=max | fields - day max
Note, this will yield multiple hours per day if the maximum occurs multiple times that day.
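A variant of the search above that returns exactly one row per day even when several hours tie for the maximum, added here as an example and not part of the original answer. It reuses the thread's base search and field names; the tie-break rule (keep the earliest hour) and the output field name `peak_hour` are assumptions made for this example.

```spl
index=hwm_* sourcetype=was:maximo:sysout UID=* OR uid=* asset_env=PROD
| eval username=coalesce(UID,uid)
| bin _time span=1h
| stats dc(username) as users by _time
| bin _time as day span=1d
| sort 0 day, -users, _time
| dedup day
| eval day=strftime(day, "%Y-%m-%d"), peak_hour=strftime(_time, "%H:%M")
| table day peak_hour users
```

`sort 0` removes the default 10,000-row limit and orders each day's hourly buckets by highest distinct-user count, then earliest hour; `dedup day` keeps only that first row for each day.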
Thank you!