event count for a device for a day

Follow
Avatar
Deepak Korlhalli

We have integrated firewalls, we need to count denied events for day, and run the report for week. 

 

Expected output: 7 days count per day. 

 

Question: how to set the time from 00:00 hrs to 23:59hrs in a query. 

0

Comments

2 comments

Sort by Date Votes
  • Official comment
    Avatar
    Nick Wilson

    Hi Deepak,

    You would want to use the timeslice operator and count by that field for something like this.

    For example:

    [YOUR SEARCH SCOPE]
    | timeslice 1d
    | count by _timeslice

    Run this query for the last 7 days.

    Thanks,
    Nick
    Sumo Logic, Customer Success

    Comment actions Permalink
  • Avatar
    Barry Bisson

    Adding on to Nick's tip...

    You can't specify the time range in the query syntax, you instead use the time range selector at the top right.

    BTW, you can manually enter time ranges like: 

    -24h    (when you only provide one time expression, "to Now" is assumed.

    -3d to -2d

    13:15 to 13:45

    You can one or two relative times, OR one or two static times.   (You can't combine static and relative.)

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post