Hourly Data Events

Summarize events by providing a count of the number of data events per hour using the time:hour() function

Query

```logscale
hr := time:hour(field="@ingesttimestamp")
|groupBy(hr)
```

Introduction

The time:hour() function extracts the hour of the day (24-hour clock, 0-23) from a given timestamp field.

In this example, the time:hour() function is used with groupBy() to count the number of data events per hour.

Step-by-Step

  1. Starting with the source repository events.

  2. Flow: Events -> Add Field -> Aggregate -> Result Set (this step: Add Field)

     ```logscale
     hr := time:hour(field="@ingesttimestamp")
     ```

     Gets the hour (24-hour clock) of each value in the @ingesttimestamp field and returns it in a new field named hr.

  3. Flow: Events -> Add Field -> Aggregate -> Result Set (this step: Aggregate)

     ```logscale
     |groupBy(hr)
     ```

     Groups the returned results by the hr field and provides a count of the number of data events per hour in a _count field.

  4. Event Result set.

Summary and Results

The query counts the number of data events per hour. The results can be plotted onto a bar chart.
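The grouping the query performs, as an added Python example that is not part of the LogScale documentation: it reproduces `time:hour()` followed by `groupBy(hr)` over a handful of constructed events, and also shows why the choice of field matters. @ingesttimestamp is the time LogScale received an event, while @timestamp is the time the event itself carries, so an event that arrives late lands in a different hour bucket depending on which field is used. The EVENTS list, the utc_offset_hours parameter and the function names are assumptions made for this illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data). LogScale stores @timestamp and
# @ingesttimestamp as epoch milliseconds in UTC. The last event reached the
# cluster about an hour after it happened, so its ingest hour differs from
# its event hour.
EVENTS = [
    {"@timestamp": 1700000000000, "@ingesttimestamp": 1700000005000, "message": "login ok"},
    {"@timestamp": 1700000100000, "@ingesttimestamp": 1700000101000, "message": "login ok"},
    {"@timestamp": 1700003500000, "@ingesttimestamp": 1700003600000, "message": "login failed"},
    {"@timestamp": 1700003590000, "@ingesttimestamp": 1700007200000, "message": "login failed"},
]


def time_hour(epoch_ms, utc_offset_hours=0):
    """Hour of day (0-23) of an epoch-millisecond timestamp, like time:hour().

    utc_offset_hours is an assumed simplification of a timezone setting: the
    hour is computed in a fixed-offset zone, UTC by default.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch_ms / 1000, tz).hour


def group_by_hour(events, field="@ingesttimestamp", utc_offset_hours=0):
    """Equivalent of `hr := time:hour(field=...) | groupBy(hr)`.

    Returns one row per hour present in the data with a _count field, sorted
    by hour. Events without the timestamp field never get an hr value and so
    drop out of the grouping, as they would in the query.
    """
    counts = Counter(
        time_hour(e[field], utc_offset_hours) for e in events if field in e
    )
    return [{"hr": hr, "_count": n} for hr, n in sorted(counts.items())]


if __name__ == "__main__":
    print("by @ingesttimestamp:", group_by_hour(EVENTS))
    print("by @timestamp:      ", group_by_hour(EVENTS, field="@timestamp"))
```

Run stand-alone, the script shows the late event counted in hour 0 when grouped by @ingesttimestamp but in hour 23 when grouped by @timestamp. For an hour-of-day baseline (for example, spotting logins at hours when nobody should be working) the event time is usually the field to bucket on; @ingesttimestamp is the right choice when the question is about ingest volume or pipeline delay. The rows are sorted by hour so they plot directly as the bar chart mentioned above.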