Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a field with a value repeated a number of times when the number of time comes from another field - to get around concurrency limitation

fere
Path Finder
‎12-13-2012 11:34 AM

Hi,
I am trying to implement our requirement for "concurrency".

Lets say we want to measure user concurrency every 5 minutes. I need to create transactions that represent user sessions. Then based on the session duration, if I create a multivalue field having "|xxx|" duration/5 min times, then I can do mvexpand and then I can apply the Splunk's Concurrency command to generate the result we are looking for.
ex. if a transaction has duration 20 minutes, then I want to create a field with value "xxx|xxx|xxx|xxx|" for that trans and convert that to a multivalue , and then do mvexpand. I think I will end up with 4 individual events and I can assign duration of 5 mins to each and then let the Splunk Concurrency command calculate the counts.
That also requires that it would be possible to adjust the value of the _time on the events created by mvexpand, so that there are 4 events each starting within 5 minustes of another one. Is that possible?
Thanks,
Fereshteh

0 Karma
Reply

jonuwz
Influencer
‎12-14-2012 07:05 AM

I'd take a slightly different approach, and generate 'false' sessions 5 minutes apart and use them as markers to calculate the concurrency.

i.e.

if ... represents a search that populates '_time' and 'duration' used for concurrency

... | append [ 
        search * | head 1 | addinfo 
        | eval info_min_time=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") 
        | eval info_max_time=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S") 
        | map search="| gentimes start=$info_min_time$ end=$info_max_time$ increment=5m 
                      | eval _time=starttime 
                      | eval duration=0 
                      | eval marker=1
                      | fields _time duration marker" ] 
    | concurrency duration=duration start=_time 
    | where marker=1 
    | eval concurrency=concurrency-1
    | table _time concurrency

everything in the append [] block is just a trick to create a sequence of times that match your search time range

the important thing is that the generated times have a hardcoded duration=0, marker=1 and a _time that is 5 minutes apart from the last one

So now you can do your concurrency and filter out only the events that snap to your markers.
(and subtract 1 because you've included the fake session marker)

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...