Analyzing the number of system users
Imagine that you've been having problems over the last couple of days and you want to
simply measure how many people are on your system during each hour. To do this, enter
the following code into the search bar:
sourcetype=access_* earliest=-2d@h latest=now | timechart count
This search uses two time modifiers, earliest and latest, which set the relative start time and the end time of the search window. In this case, earliest=-2d@h means that you should include events that occurred within the last two days (-2d), and round to the nearest hour (@h). The timechart count pipe then provides a count of events for each hour over the last two days.
You will see a chart like this:
Using Time Modifiers (Earliest and Latest) with timechart
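
The window that earliest=-2d@h latest=now selects, worked through as an added Python example (not code from the original page or from Splunk). It assumes Splunk's documented behaviour that the offset is applied first, snap-to then rounds down to the start of the unit, and latest is exclusive; resolve, hourly_counts and the sample timestamps are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
# Fields zeroed when snapping to each unit (assumption: snap-to rounds down).
SNAP = {
    "s": {"microsecond": 0},
    "m": {"second": 0, "microsecond": 0},
    "h": {"minute": 0, "second": 0, "microsecond": 0},
    "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0},
}

def resolve(modifier, now):
    """Resolve 'now' or '[+-]<n><unit>[@<unit>]' against a reference time."""
    if modifier == "now":
        return now
    m = re.fullmatch(r"([+-]\d+)([smhd])(?:@([smhd]))?", modifier)
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    offset, unit, snap = m.groups()
    t = now + timedelta(**{UNITS[unit]: int(offset)})  # apply offset first
    return t.replace(**SNAP[snap]) if snap else t      # then snap down

def hourly_counts(events, earliest, latest, now):
    """Count events with earliest <= t < latest, bucketed by hour."""
    start, end = resolve(earliest, now), resolve(latest, now)
    return Counter(t.replace(**SNAP["h"]) for t in events if start <= t < end)

# Constructed sample: the search runs at 14:37:12 on 10 May 2024.
NOW = datetime(2024, 5, 10, 14, 37, 12)
EVENTS = [
    datetime(2024, 5, 8, 13, 59, 59),  # just before the snapped start
    datetime(2024, 5, 8, 14, 0, 0),    # exactly at the snapped start
    datetime(2024, 5, 8, 14, 20, 0),   # included only because of @h
    datetime(2024, 5, 9, 9, 15, 0),
    datetime(2024, 5, 9, 9, 45, 0),
    datetime(2024, 5, 10, 14, 36, 0),
]

if __name__ == "__main__":
    print("window starts:", resolve("-2d@h", NOW))
    for hour, n in sorted(hourly_counts(EVENTS, "-2d@h", "now", NOW).items()):
        print(hour, n)
```

Without the @h snap, the window would start at 14:37:12 two days earlier and the first partial hour would be undercounted in the chart.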