Question
Hey there,
I'm a beginner with Splunk and have questions about timechart and the _time variable. Here is my situation:
2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
I've got a log file with an indexed _time value which I don't care about.
I need to count the number of concurrent sessions per second, with the following constraints: the Start time and End time fields. Consequently, the transaction keyword seems to be useless.

My tests
For testing purposes I managed to convert times to epoch format, and compute the duration:
...
| eval tstamp="%T.%3Q %Z %a %b %d %Y"
| eval etime=strptime(End,tstamp)
| eval stime=strptime(Start,tstamp)
| eval duration=etime-stime
Concurrency with my duration appears not to be working because it still uses log time.
I tried to use the keyword transaction with startswith=stime endswith=etime without results, and with TransacID as session identifier, but I think it is useless.
...
| rex field=_raw ".>\s+(?<TransacID>\d+):."
Finally, my complete search:
source="log" %X25-5-CALL_RECORD
| rex field=_raw ".>\s+(?<TransacID>\d+):."
| eval tstamp="%T.%3Q %Z %a %b %d %Y"
| eval etime=strptime(End,tstamp)
| eval stime=strptime(Start,tstamp)
| eval _time=stime
| timechart span=1s count(eval(stime<=(_time) AND (_time)<=etime)) as InTimeRange by Rotary_number
The difficulty is that I need to get rid of the indexed log time to use concurrency or timechart. That's why I used:
| eval _time=stime
I actually want to use timechart's abscissa and compare it each second...
I first thought it was working but the values are not correct; there should be many more concurrent sessions. This may be a dimension confusion between "tables" of data and variable names that identify a single value in a single line.
Can someone help me with this case?
Thanks in advance
Take a look at this answer: http://splunk-base.splunk.com/answers/69213/calculate-concurrency-of-transactions
It contains the last part you need.
Well, I already tried this but it didn't work; maybe there is an error in my search. makecontinuous needs a field, so it should be the time. For example:
| makecontinuous _time span=10m
Well, I still need some more help. Here is the last part of my request:
...
| eval timeconcat="myStart=".stime." myEnd=".etime
| eval timemv=split(timeconcat," ")
| mvexpand timemv
| rex field=timemv "(?<_time>\d+\.\d+)"
| transaction TransacID
| concurrency duration=duration
| timechart span=1s max(concurrency) by Rotary_number
I get the correct values (that's a very good point, thank you yannK) but there are plenty of gaps. I need to fill them, but I don't understand how to do it.
I tried:
| bucket _time span=1s
| makecontinuous
This didn't work. Can someone help me? 🙂
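The same computation done outside Splunk, as an added example that is not from the thread, from yannK's linked answer, or from Splunk itself: it parses the %X25-5-CALL_RECORD format on constructed sample lines (invented values), takes Start and End rather than the syslog receive time that Splunk indexed as _time, counts concurrent sessions per one-second bucket and per rotary with a sweep line instead of the mvexpand + transaction + concurrency chain, and emits a row for every second in the range so the result has no holes, which is the part the thread still needed makecontinuous for. The regex, the record field names and the sample lines are assumptions.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the shape of the %X25-5-CALL_RECORD event quoted in
# the question: three calls on two rotaries, invented values, not real traffic.
SAMPLE_LOG = """\
2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:30.500000+00:00 172.21.1.1 local5.notice<173> 16100: GW: Jan 29 09:12:30.450: %X25-5-CALL_RECORD: Start=09:12:25.100 UTC Tue Jan 29 2013, End=09:12:30.450 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:34.000000+00:00 172.21.1.1 local5.notice<173> 16101: GW: Jan 29 09:12:33.900: %X25-5-CALL_RECORD: Start=09:12:31.000 UTC Tue Jan 29 2013, End=09:12:33.900 UTC Tue Jan 29 2013, Rotary-number=2, Clear-cause=0
"""

# Same idea as the thread's rex ".>\s+(?<TransacID>\d+):.": the number after the
# syslog priority is the transaction id; the rest pulls the key=value fields.
# (Assumed regex, written for the sample lines above.)
RECORD_RE = re.compile(
    r">\s+(?P<transac_id>\d+):.*%X25-5-CALL_RECORD: "
    r"Start=(?P<start>[^,]+), End=(?P<end>[^,]+), "
    r"Rotary-number=(?P<rotary>\d+), Clear-cause=(?P<cause>\d+)"
)

# Python spelling of the thread's Splunk format "%T.%3Q %Z %a %b %d %Y".
TSTAMP = "%H:%M:%S.%f %Z %a %b %d %Y"


def to_epoch(value: str) -> float:
    """strptime step: 'HH:MM:SS.mmm UTC Tue Jan 29 2013' -> epoch seconds (UTC)."""
    return datetime.strptime(value, TSTAMP).replace(tzinfo=timezone.utc).timestamp()


def parse_call_records(text: str) -> list:
    """Extract one session per call record. The syslog receive time at the start of
    the line (the indexed _time in the question) is deliberately never used."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue  # not a call record, like the %X25-5-CALL_RECORD filter in the search
        stime, etime = to_epoch(m["start"]), to_epoch(m["end"])
        records.append({
            "transac_id": m["transac_id"], "rotary": m["rotary"],
            "stime": stime, "etime": etime, "duration": etime - stime,
        })
    return records


def concurrency_per_second(records: list) -> dict:
    """Concurrent sessions per rotary for every 1s bucket between the earliest start
    and the latest end, i.e. the timechart with the gaps already filled with 0.

    A session is counted in bucket t when stime < t+1 and etime > t. A sweep line
    (+1 at the first bucket touched, -1 one past the last) replaces the
    mvexpand/transaction/concurrency chain; a zero-length session that starts
    exactly on a second boundary is still credited to its own bucket."""
    if not records:
        return {}
    deltas = defaultdict(lambda: defaultdict(int))
    first, last = math.inf, -math.inf
    for r in records:
        start_bucket = math.floor(r["stime"])
        end_bucket = max(math.ceil(r["etime"]), start_bucket + 1)  # one past the last bucket
        deltas[r["rotary"]][start_bucket] += 1
        deltas[r["rotary"]][end_bucket] -= 1
        first, last = min(first, start_bucket), max(last, end_bucket - 1)
    table = {}
    for rotary, delta in sorted(deltas.items()):
        running, series = 0, {}
        for t in range(first, last + 1):  # every second is emitted, so no holes
            running += delta.get(t, 0)
            series[t] = running
        table[rotary] = series
    return table


if __name__ == "__main__":
    table = concurrency_per_second(parse_call_records(SAMPLE_LOG))
    for rotary, series in table.items():
        for t, n in series.items():
            print(datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M:%S"), rotary, n)
```

Running it prints one row per second and per rotary, zeros included, from 09:12:25 to 09:12:33 for the sample. The thread's search only has a value in the seconds that contain one of the expanded start or end events, which is where its gaps come from; the sweep here walks every second of the range instead, so the zero rows are produced directly rather than back-filled afterwards.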
OK, great!
Thanks to the mvexpand instruction + transaction + concurrency, I managed to come to the same situation as your initial post when you had holes in your chart. I'll try hard to understand the whole solution you gave and adapt it to my graph. I'll let you know when it's done.
Thanks a lot!