view results for last 24 hours, by hourly bases

Follow

Dekel Moyal

• November 13, 2018 13:54

Hi,

im, pretty new to Sumo logic, so far i'm loving it and i was able to find an answer for every query i had via community, support or just the general it-makes-sense UI :)

i have a good query that gives me a count of all Errors that happened in the last 24, can i break it up to hours?

to clarify what i'm asking, what i'm seeing now is:

Errors  -  5000

i would like to see how many happened each hour

like Errors first hour - 59

errors second hour - 50

just to break it up by Hours, to see where my peak is...

 

Hope its clear enough, and hope its doable, i'm sure it is.

0

• 

  rahul choudhary

  • November 13, 2018 15:25

  Hi Dekel,

  Yes indeed you can achieve the same by using "_timeslice" operator in your query so you can create bucketed results based on a fixed interval (hourly in your case)

  Query should be something like
  
    * | timeslice 1h
      | count by _timeslice

  Please check below KB article for more example on the same:
  https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/timeslice

  Hope that helps!!

   

  -Rahul

   

   

   

  0

  Permalink
• 

  Dekel Moyal

  • November 13, 2018 15:38

  Hi Rahul,

  thanks for the fast response, that seems to be exactly what i'm looking for :)  dont know how i missed it!

   

  0

  Permalink

Please sign in to leave a comment.