Counter tracking assistance
I have multiple Windows hosts sending events in binary to a single TCP listener:

<Input windows>
    Module      im_tcp
    Port        9999
    Host        0.0.0.0
    InputType   Binary
</Input>
I am trying to track the rate of logs from the servers and create email alerts when the rate either drops or crosses a high watermark per hour.
To do that I need to create a stat/variable, appending the hostname and hour stamp, such as

create_stat("Rate-" + $Hostname + strftime($EventTimeStamp, something something)) or
create_var("Rate-" + $Hostname + strftime($EventTimeStamp, something something))
Next, I use the Schedule block to detect a low watermark:

<Schedule>
    Every   3600 sec
    <Exec>
        create_stat("rate" + $Hostname + strftime($EventTimeStamp, something something), "RATE", 10);
        add_stat("rate" + $Hostname + strftime($EventTimeStamp, something something), 0);
        log_info("Current Counts " + ":" + get_stat("rate" + $Hostname));
        if defined get_stat("rate" + $Hostname) and get_stat("rate" + $Hostname) <= 1
        {
            log_warning("No messages received from Host");
            exec_async("/bin/sh", "-c", 'echo "' + $Hostname +
                       '"|/usr/bin/mail -a "Content-Type: text/plain; charset=UTF-8" -s "ALERT" ' +
                       'analyst@company.com');
        }
    </Exec>
</Schedule>
Two problems: how do I insert the variable/statistic name and value in the log message, and how do I extract the hour stamp from the event time?
Thanks
Ash
PS: I could not get the deployment tool to work. Have you had more success with it?
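The following is an added example of the pattern the post is reaching for (per-host hourly counters with a high and a low watermark); it is neither the poster's configuration nor an NXLog documentation example. It assumes the incoming binary events carry the standard $Hostname and $EventTime fields, that the source hosts are named WIN-DC01 and WIN-APP01, that 50000 events/hour is the high watermark and 1 event/hour the low one, and that /usr/bin/mail exists on the collector; all of those are placeholders to adjust. It uses only functions the post already touches (create_stat, add_stat, get_stat, strftime, log_warning, exec_async) plus set_var/get_var and string() for building the message text.

```nxlog
# Added example, not the original poster's config and not from the NXLog docs.
# Assumed: fields $Hostname and $EventTime in the events, hosts WIN-DC01 and
# WIN-APP01, thresholds 50000 (high) and 1 (low) events/hour, /usr/bin/mail present.

<Input windows>
    Module      im_tcp
    Host        0.0.0.0
    Port        9999
    InputType   Binary

    <Exec>
        # Hour stamp of the event, e.g. "2024-05-01 13"; strftime() takes a datetime
        # field and a format string (assumed format, adjust to taste).
        $Hour = strftime($EventTime, "%Y-%m-%d %H");

        # One RATE counter per source host: RATE over 3600 seconds is events/hour.
        # Guarding with defined get_stat() avoids re-creating an existing counter.
        $Counter = "rate-" + $Hostname;
        if not defined get_stat($Counter)
            create_stat($Counter, "RATE", 3600);
        add_stat($Counter, 1);

        # High watermark. get_stat() returns an integer, so wrap it in string()
        # before concatenating it into the message. The per-host variable
        # "alerted-<host>" holds the hour we last mailed for, so one alert per hour.
        if get_stat($Counter) > 50000 and
           (not defined get_var("alerted-" + $Hostname) or
            get_var("alerted-" + $Hostname) != $Hour)
        {
            set_var("alerted-" + $Hostname, $Hour);
            log_warning("High watermark: " + $Counter + " = " +
                        string(get_stat($Counter)) + " events/hour in " + $Hour);
            exec_async("/bin/sh", "-c",
                       'echo "' + $Counter + ' = ' + string(get_stat($Counter)) +
                       ' events/hour in ' + $Hour + '" | /usr/bin/mail -s "ALERT high rate ' +
                       $Hostname + '" analyst@company.com');
        }
    </Exec>

    # Module-level Schedule: it runs in this module's context, so the counters
    # created in the Exec above are visible. No event is being processed here,
    # so $Hostname is undefined and each monitored host must be named explicitly.
    <Schedule>
        Every   1 hour
        <Exec>
            if not defined get_stat("rate-WIN-DC01")
                log_warning("Low watermark: no events from WIN-DC01 since startup");
            else if get_stat("rate-WIN-DC01") <= 1
            {
                log_warning("Low watermark: rate-WIN-DC01 = " +
                            string(get_stat("rate-WIN-DC01")) + " events/hour");
                exec_async("/bin/sh", "-c",
                           'echo "rate-WIN-DC01 = ' + string(get_stat("rate-WIN-DC01")) +
                           ' events in the last hour" | /usr/bin/mail -s "ALERT low rate WIN-DC01" ' +
                           'analyst@company.com');
            }

            if not defined get_stat("rate-WIN-APP01")
                log_warning("Low watermark: no events from WIN-APP01 since startup");
            else if get_stat("rate-WIN-APP01") <= 1
            {
                log_warning("Low watermark: rate-WIN-APP01 = " +
                            string(get_stat("rate-WIN-APP01")) + " events/hour");
                exec_async("/bin/sh", "-c",
                           'echo "rate-WIN-APP01 = ' + string(get_stat("rate-WIN-APP01")) +
                           ' events in the last hour" | /usr/bin/mail -s "ALERT low rate WIN-APP01" ' +
                           'analyst@company.com');
            }
        </Exec>
    </Schedule>
</Input>
```

Two design points worth noting: the counter name is built from $Hostname only, not from the hour stamp, because a RATE counter with a 3600 second interval already measures events per hour and a name that changes every hour would leave a growing set of stale counters; the hour stamp is instead used in the message text and as a once-per-hour alert guard. The hostnames passed to /bin/sh come from the remote agents, so if they cannot be trusted, pass them as a separate argument to a fixed script rather than interpolating them into the shell command string.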