Solved: How to visualize a sum of simultaneous occurring e...

adacpt · ‎07-07-2016

Hello,

I have a series of events with a JoinTime field and a LeaveTime field. Each of these events essentially represents the duration of time that a video call was in progress.

I want to do a line graph that represents the total number of calls that were simultaneously in progress over a 24 hour time period with a span of one hour.

So, essentially, I need to create a search that looks at an event and evaluates whether it was in progress at a time of, for example, 2:00 pm and add that to the total number of other events where active at that time. Then do the same for 3:00 pm, 4:00 pm, etc, etc.

Finally, towards the end of the time period, there will be some events that have no value for LeaveTime. Those are active calls and need to be added to the sum for that time period, but don’t necessarily fit into the same logic as the calls that have a specific end time

Any help that the community has is greatly appreciated.

Thanks!

woodcock · ‎07-07-2016

You need the concurrency command:

https://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Concurrency

View solution in original post

sundareshr · ‎07-07-2016

You could try the transaction command

... | transaction call_id startswith=joinTIme endswith=leaveTime keepevicted=t | ...

if you have Splunk v6.4 you can then use the timeline app to visualize this on a chart
https://splunkbase.splunk.com/app/3120/

woodcock · ‎07-07-2016

You need the concurrency command:

https://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Concurrency

adacpt · ‎07-11-2016

Thanks, woodcock.

What I ended up doing was creating a scheduled search to store the number of active calls in a summary index. Then I'm able to create simple search on the summary index which gives me the results I'm looking for.

I really appreciate the help, though. Thanks for taking the time.

adacpt · ‎07-08-2016

That's definitely the route I'm trying to take, but the issue seems to be that Splunk is not counting results that occur over multiple time periods. For example, if a call started at 11:20 and ended at 12:15, it should go towards the count for 11:00, 11:30 and 12:00 if I'm measuring in half hour spans. What seems to be happening, though is that it's only counting towards the period where the call ends, i.e. 12:00. Here is my search, am I missing something:

source=vtc_cdr
| transaction CallID
| delta _time AS timeDelta p=1 
| eval timeDelta=abs(timeDelta) 
| concurrency duration=timeDelta 
| eval timeDelta=tostring(timeDelta,"duration")
| timechart span=30m count

woodcock · ‎07-08-2016

It doesn't work like that. In order to do that you will have to use makeresults to create a continuous series of exactly-half-hour-duration events that begin and start exactly on the half-hour and hour. Then you can check the concurrency value for each one of these events to get the concurrency for that portion of the hour (plus 1, so you will have to subtract 1 from each value to remove your fake event).

https://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Makeresults

somesoni2 · ‎07-07-2016

Sample events please.

How to visualize a sum of simultaneous occurring events in a timechart with a start_time and stop_time?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life