Gets the hour (24-hour clock) of a timestamp field.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
as | string | optional[a] | _hour | The name of the output field. |
field[b] | string | optional[a] | @timestamp | The name of the input field. |
timezone | string | optional[a] | The time offset to use, for example, -01:00. If not specified, the query's offset will be used. | |
timezoneField | string | optional[a] | @timezone | The name of the field containing the timezone to use, if not specified the query's timezone will be used. This is ignored if the timezone parameter is passed as well. If this is not defined the timezone offset of the query will be used. |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscaletime:hour("field")and:
logscaletime:hour(field="field")These examples show basic structure only.
time:hour() Examples
Hourly Data Events
Summarize events by providing a count of the number of data events per hour using the time:hour() function
Query
hr := time:hour(field="@ingesttimestamp")
|groupBy(hr)Introduction
The time:hour() function can be used to get
the 24-hour clock of a given timestamp field. In this example, the
time:hour() function is used with
groupBy() to average the count of data events
per hour.
Step-by-Step
Starting with the source repository events.
- logscale
hr := time:hour(field="@ingesttimestamp")Gets the hour (24-hour clock) of the values in the @ingesttimestamp and returns the results in a new field named
hr. - logscale
|groupBy(hr)Groups the returned results by hr field and provides a count of the number of data events per hour in a _count field.
Event Result set.
Summary and Results
The query is used to average the count of data events per hour. The results can be plotted onto a bar chart.