Calculating events per slice of time
There are a number of ways to calculate events per some period of time. All of these techniques rely on rounding _time down to some period of time, and then grouping the results by the rounded "buckets" of _time.
Using timechart
The simplest approach to count events over time is simply to use timechart, like this:
sourcetype=impl_splunk_gen | timechart span=1m count
In table view, we see:
Looking at a 24-hour period, we are presented with 1,440 rows, one per minute.
Note
Charts in Splunk do not attempt to show more points than the pixels present on the screen. The user is instead expected to change the number of points to graph, using the bins or span attributes. The section Calculating average events per minute, per hour shows another way of dealing with this behavior.
If we only wanted to know about minutes that actually had events, instead of every minute of the day, we could use bucket and stats, like this:
sourcetype=impl_splunk_gen | bucket span=1m _time | stats...
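To make the difference between the two searches concrete, here is an added Python example (not from the book and not Splunk code) that models what bucket span=1m _time | stats count by _time and timechart span=1m count each produce: both round _time down to the start of its span, but stats only returns buckets that contain events while timechart zero-fills every bucket in the search window. The event timestamps are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample event timestamps (hypothetical, not from the book).
SAMPLE_EVENTS = [
    "2013-03-01T09:14:02Z",
    "2013-03-01T09:14:45Z",
    "2013-03-01T09:15:10Z",
    "2013-03-01T09:18:59Z",
    "2013-03-01T09:18:59Z",
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_time(ts, span_seconds):
    """Round a timestamp down to the start of its span (what `bucket span=... _time` does)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


def bucket_stats_count(events, span_seconds=60):
    """Model `bucket span=... _time | stats count by _time`:
    a sparse result with one row per bucket that actually contains events."""
    counts = Counter(bucket_time(parse_ts(e), span_seconds) for e in events)
    return dict(sorted(counts.items()))


def timechart_count(events, span_seconds, start, end):
    """Model `timechart span=... count` over the search window [start, end):
    a dense result with one row per bucket, zero-filled where no events fell."""
    sparse = bucket_stats_count(events, span_seconds)
    dense = {}
    t = bucket_time(start, span_seconds)
    while t < end:
        dense[t] = sparse.get(t, 0)
        t += timedelta(seconds=span_seconds)
    return dense


if __name__ == "__main__":
    for t, n in bucket_stats_count(SAMPLE_EVENTS).items():
        print("stats   ", t.strftime("%H:%M"), n)
    window = (parse_ts("2013-03-01T09:14:00Z"), parse_ts("2013-03-01T09:19:00Z"))
    for t, n in timechart_count(SAMPLE_EVENTS, 60, *window).items():
        print("timechart", t.strftime("%H:%M"), n)
```

Running timechart_count over a full 24-hour window with a 60-second span yields the 1,440 rows mentioned above, most of them zero for these five events.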