Hourly Data Events
Summarize events by providing a count of the number of data events per hour using the time:hour() function.
Query
hr := time:hour(field="@ingesttimestamp")
|groupBy(hr)
Introduction
The time:hour() function returns the hour (24-hour clock, 0 to 23) of a given timestamp field.
In this example, the time:hour() function is used with groupBy() to count the number of data events per hour.
Step-by-Step
Starting with the source repository events.
[Flowchart: Events → Add Field (this step) → Aggregate → Result Set]
hr := time:hour(field="@ingesttimestamp")
Gets the hour (24-hour clock) of the values in the @ingesttimestamp field and returns the result in a new field named hr.
[Flowchart: Events → Add Field → Aggregate (this step) → Result Set]
|groupBy(hr)
Groups the returned results by the hr field and provides a count of the number of data events per hour in a _count field.
Event result set.
Summary and Results
The query counts the number of data events per hour of the day. Because the grouping key is the hour of the day rather than a calendar hour, events from different days in the search window that fall in the same hour are counted together in one _count value. The results can be plotted onto a bar chart.
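The following Python model of the two query steps is an added example and not part of the LogScale documentation or product. It reproduces, over a handful of constructed events, what hr := time:hour(field="@ingesttimestamp") followed by | groupBy(hr) produces: one row per distinct hour of the day with a _count field. The sample events, the helper names (time_hour, group_by_hour, group_by_hour_offset) and the choice of evaluating the hour in UTC are assumptions made for the illustration; the block also shows, for a UTC-5 offset, how the hour buckets shift when the hour is evaluated in a different time zone, which the page's query does not cover.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def _ms(iso: str) -> int:
    """Epoch milliseconds for an ISO-8601 timestamp with a UTC offset."""
    return int(datetime.fromisoformat(iso).timestamp() * 1000)


# Constructed sample events (not real data). @ingesttimestamp holds epoch
# milliseconds, UTC. Two days are included so the same hour of day
# (03:xx) appears on both days.
SAMPLE_EVENTS = [
    {"@ingesttimestamp": _ms("2024-01-15T03:15:00+00:00"), "message": "login ok"},
    {"@ingesttimestamp": _ms("2024-01-15T03:59:59+00:00"), "message": "login ok"},
    {"@ingesttimestamp": _ms("2024-01-15T14:05:00+00:00"), "message": "config change"},
    {"@ingesttimestamp": _ms("2024-01-16T03:10:00+00:00"), "message": "login failed"},
    {"@ingesttimestamp": _ms("2024-01-16T23:59:00+00:00"), "message": "logout"},
    {"@ingesttimestamp": _ms("2024-01-16T00:00:00+00:00"), "message": "login ok"},
]


def time_hour(event, field="@ingesttimestamp", tz=timezone.utc):
    """Model of hr := time:hour(field=...): the hour of day (0-23) of the
    millisecond timestamp in `field`, evaluated in `tz` (assumed UTC)."""
    ts = datetime.fromtimestamp(event[field] / 1000, tz=timezone.utc)
    return ts.astimezone(tz).hour


def group_by_hour(events, tz=timezone.utc):
    """Model of | groupBy(hr): one row per distinct hour with a _count field.
    Events from different days that share an hour of day land in the same
    bucket, so _count is a total for that hour, not an average."""
    counts = Counter(time_hour(e, tz=tz) for e in events)
    return [{"hr": hr, "_count": n} for hr, n in sorted(counts.items())]


def group_by_hour_offset(events, hours_offset):
    """Same aggregation with the hour evaluated at a fixed UTC offset,
    e.g. -5 for an analyst working in UTC-5 (assumed for illustration)."""
    return group_by_hour(events, tz=timezone(timedelta(hours=hours_offset)))


if __name__ == "__main__":
    for row in group_by_hour(SAMPLE_EVENTS):
        print("UTC  ", row)
    for row in group_by_hour_offset(SAMPLE_EVENTS, -5):
        print("UTC-5", row)
```

Run as a script to see both result sets side by side: in UTC the three 03:xx events from two different days collapse into a single row with _count 3, which is the behaviour to keep in mind when reading the bar chart; at UTC-5 those same events move to hour 22 of the previous day.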