# Find peak 10-minute traffic window per day

## Problem / Use case

You want to track system reliability by identifying, for each day, the specific 10-minute time window that experienced the highest number of ERROR logs. This helps pinpoint the most critical time periods for troubleshooting.

## Query

```dataprime
source logs
| filter $m.severity == ERROR
| groupby $m.timestamp / 10m as bucket.ts count() as bucket.count 
| groupby bucket.ts / 1d as day max_by(bucket.count, bucket) as bucket
| choose day.formatTimestamp('%d-%m-%Y') as day, bucket.count as count, bucket.ts.formatTimestamp('%d-%m-%Y %H:%M') as ts
```

## Expected output

| day        | count | ts               |
| ---------- | ----- | ---------------- |
| 23-05-2025 | 5813  | 23-05-2025 10:40 |
| 22-05-2025 | 4517  | 22-05-2025 10:50 |
| 20-05-2025 | 2047  | 20-05-2025 15:40 |
| 21-05-2025 | 4774  | 21-05-2025 11:10 |
| 24-05-2025 | 2743  | 24-05-2025 11:10 |
| 25-05-2025 | 3332  | 25-05-2025 11:20 |
| 26-05-2025 | 3558  | 26-05-2025 11:50 |
| 27-05-2025 | 3374  | 27-05-2025 11:00 |
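
The query's two-stage aggregation, reproduced in Python as an added example (not part of the original page or the product's code), so a result can be checked offline against exported logs. The sample events are constructed, and UTC day boundaries and the tie rule are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def ts_utc(s):
    """Parse 'dd-mm-YYYY HH:MM:SS' as UTC (UTC day boundaries are an assumption)."""
    return datetime.strptime(s, "%d-%m-%Y %H:%M:%S").replace(tzinfo=timezone.utc)

def floor_to(ts, step):
    """Round ts down to a multiple of step, like `$m.timestamp / 10m`."""
    return ts - (ts - EPOCH) % step

def peak_windows(events, severity="ERROR", window=timedelta(minutes=10)):
    """Return {day: (window_start, count)} for the busiest window of each day."""
    # Stage 1: count matching events per fixed, clock-aligned window.
    counts = Counter(floor_to(ts, window) for ts, sev in events if sev == severity)
    # Stage 2: per day keep the window with the highest count (the max_by step).
    peaks = {}
    for start, n in sorted(counts.items()):
        day = start.date()
        # Tie rule (assumption of this example): the earliest window wins.
        if day not in peaks or n > peaks[day][1]:
            peaks[day] = (start, n)
    return peaks

def report(events, severity="ERROR"):
    """Format rows like the query's final `choose`: (day, count, ts)."""
    return [(day.strftime("%d-%m-%Y"), n, start.strftime("%d-%m-%Y %H:%M"))
            for day, (start, n) in sorted(peak_windows(events, severity).items())]

# Constructed sample events. The burst around 10:40 straddles a window
# boundary, so the 10:39:59 event is counted in the 10:30 window, not 10:40.
SAMPLE = [
    (ts_utc("23-05-2025 10:39:59"), "ERROR"),
    (ts_utc("23-05-2025 10:40:00"), "ERROR"),
    (ts_utc("23-05-2025 10:44:10"), "ERROR"),
    (ts_utc("23-05-2025 10:45:00"), "WARNING"),
    (ts_utc("23-05-2025 10:49:59"), "ERROR"),
    (ts_utc("23-05-2025 10:50:00"), "ERROR"),
    (ts_utc("23-05-2025 23:59:30"), "ERROR"),
    (ts_utc("24-05-2025 00:00:05"), "ERROR"),
    (ts_utc("24-05-2025 11:12:00"), "ERROR"),
    (ts_utc("24-05-2025 11:19:00"), "ERROR"),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Because the windows are fixed and clock-aligned, a burst that straddles a boundary is split across two windows and can rank lower than its true 10-minute peak.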

## Variations

- Change the severity in the filter (`$m.severity == ERROR`) to `WARNING` or another level for different insights.
- Adjust `10m` to another duration like `5m` or `30m` depending on your granularity needs.
- Include additional grouping fields like `service_name` to break down by component.
