Solved: How to display the time in _time?

nive00 · ‎04-12-2017

I need to display the maximum count of users logged in per day (at what time).

I am able to get the max user count from below query. but I am not sure on how to get the time at which maximo user's were logged in.

index=hwm_* sourcetype=was:maximo:sysout UID=* OR uid=* asset_env=PROD  | eval username=coalesce(UID,uid) | timechart span=1h dc(username) as usercount | timechart span=1d max(usercount)

martin_mueller · ‎04-12-2017

If you want the maximum number of users attempting to login in an hour per day plus the hour that maximum occurred in, try this:

 index=hwm_* sourcetype=was:maximo:sysout UID=* OR uid=* asset_env=PROD  | eval username=coalesce(UID,uid)
| bin _time span=1h | stats dc(username) as users by _time
| bin _time as day span=1d | eventstats max(users) as max by day
| where users=max | fields - day max

Note, this will yield multiple hours per day if the maximum occurs multiple times that day.

View solution in original post

martin_mueller · ‎04-12-2017

If you want the maximum number of users attempting to login in an hour per day plus the hour that maximum occurred in, try this:

 index=hwm_* sourcetype=was:maximo:sysout UID=* OR uid=* asset_env=PROD  | eval username=coalesce(UID,uid)
| bin _time span=1h | stats dc(username) as users by _time
| bin _time as day span=1d | eventstats max(users) as max by day
| where users=max | fields - day max

Note, this will yield multiple hours per day if the maximum occurs multiple times that day.

nive00 · ‎04-12-2017

Thank you!

How to display the time in _time?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life