but how to build a list of thread names and how the list changes over time?
example:
time | thread names
1h | a,b
2h | a,b,c
3H | a
...

Thank you!

It was exactly what i was looking for! It worked like a charm and i could calculate the count.

But, out of curiosity and naughtiness: how to not just count using concurrency command, but how to build a list?

You could try something like

... | stats values(thread_name) as threads by start

thank you, but what if i want to know how the list changes over time?

Try this

... | bin span=1h start | stats values(thread_name) as threads count(thread_name) as count by start

this would give the names and a count of threads, which have started (or have any event) in each hour. but what if a thread has started before an hour and did not stop and did not emit any events in the log. it would not be counted.

You best bet is to use the concurrency command to get accurate results. Having said that, this will give you everything that started within the hour. This will not give you events that overlap hours. So if it starts at 11:00 and ends at 12:15, will be counted in the 11:00 hr. count

how to list a thread name in the 12:00 hr, if it starts at 11:00 and ends at 13:15? that is the question.

Try something like this (you'll have to tweak it)

... | eval range=mvrange(start, end, "1h") | mvexpand range | bin span=1h range | stats values(thread_name) as threads count(thread_name) as count by range

that is the magic! thanks! and not so hard after all. should be put in the toolbox for severe cases like that. accepted with gratitude. thank you!