Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate concurrent transactions grouped with a particular field

Krishna_R
Path Finder
‎09-27-2010 03:51 AM

Hi,

We have a centralized log from an application which reports activities on multiple hosts in a single log file.

Simplified, the log looks like below:

<time-stamp> : <host-name> : Started process pid = ...
<time-stamp> : <host-name> : Process pid = ... completed with status [...]

I would like to list the concurrent processes on each host at any time.

I have the following query to group into transactions, which gives the expected results with the duration. 

| transaction hostname pid startswith=...

If I add the concurrency as "| concurrency duration=duration", the concurrency field populated has the concurrent processes as a whole and not for each hostname.

From the docs, I dont see any way to specify grouping field(s) for 'concurrency'. Is there any option to specify the same? Or can I get the expected report thru some other mechanism.

Thanks,

Krishna

Reply
1 Solution
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎09-27-2010 10:12 PM

If you just want the concurrency number, and not a list of the actual pids active at any one time, you can do the following (don't do trasnaction first)

... | eval counter = if(searchmatch("Started process"),1,-1) | sort 0 + _time | streamstats sum(counter) as concurrency by hostname

At which point you will have a 'concurrency' field for each event that represents the number of active pids at the time of that event (or rather at a time right after that event since it will count the effect of that event itself)

You can then doing something like | timechart max(concurrency) by hostname

View solution in original post

Reply
Solved! Jump to solution

bischofk
New Member
‎11-16-2012 10:12 AM

I have the exact same problem. Being able to add the "by" clause for concurrency would be ideal....this is really messy.

0 Karma
Reply
Solved! Jump to solution

Krishna_R
Path Finder
‎10-10-2010 07:28 AM

Hi Steve,

Sorry for the really late response. I found that the query you gave (using streamstats and by clause) works, but as you mentioned, it is only useful when I dont need the values.

I have two use-cases, 1) populate a graph report in the dashboard 2) results of the same to be inspected.

Item #2 is still open since concurrency does not have a 'by' clause. Currently, the only way is to filter by hostname ahead and pipe it to transaction (which does not serve the purpose of giving a system level view)

Do you agree if this can be a feature request, or there's some other way one should treat my requirement.

0 Karma
Reply
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎09-27-2010 10:12 PM

If you just want the concurrency number, and not a list of the actual pids active at any one time, you can do the following (don't do trasnaction first)

... | eval counter = if(searchmatch("Started process"),1,-1) | sort 0 + _time | streamstats sum(counter) as concurrency by hostname

At which point you will have a 'concurrency' field for each event that represents the number of active pids at the time of that event (or rather at a time right after that event since it will count the effect of that event itself)

You can then doing something like | timechart max(concurrency) by hostname

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...