Splunk Search

Concurrency by minute by hour over 15 minute period

tnkoehn
Path Finder

Hopefully this is not too confusing. I need to know how many concurrent calls occurred during the last hour for each minute over the last 15 minutes.

For example, if the current time is 10:00 I would need the search to do this:

 time      from - to        concurrent calls
 -----     -------------    ----------------
 09:45     08:45 - 09:45    435
 09:46     08:46 - 09:46    438
 .
 .
 10:00     09:00 - 10:00    421

I know how to use the transaction command to get concurrency, I just don't know how to get the concurrency for each minute looking backwards 1 hour. The results I would need would look like this:

_time         count
09:45:00      435
09:46:00      438
.
.
10:00:00      421

I tried this search, but it definitely is not what I need:

sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* CDR_Type!=ATTEMPT earliest=-15m | bucket _time span=1m | transaction Accounting_ID startswith="START" endswith="STOP" maxpause=3600 | concurrency duration=duration | stats count by _time | head 15

Hope this isn't too confusing and thanks for any help.


SK110176
Path Finder

I'm not sure I understand the reporting you're looking to present. Your search is just looking for data over the past 15 minutes, yet you're presenting a table that shows concurrent sessions by minute over the previous hour. I would think you'd want the reporting period in the table to match the time period for the search.

Using a transaction may be unnecessary since the STOP record has the fields you need to determine duration. Here's a search you can use with an explanation on search variables and functions:

sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* CDR_Type=STOP earliest=-15m | strcat Start_Date " " Start_Time start | strcat Disconnect_Date " " Disconnect_Time end | convert auto(start) as start_time_secs | convert auto(end) as end_time_secs | eval start_time_secs=round(start_time_secs,0) | eval end_time_secs=round(end_time_secs,0) | eval dur=end_time_secs-start_time_secs | concurrency duration=dur start=start_time_secs | timechart span=1m max(concurrency) as "Concurrent Sessions"

1.) Base search:

sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* CDR_Type=STOP earliest=-15m

2a.) Concatenate values in "Start_Date" and "Start_Time" fields and call the new field "start"

| strcat Start_Date " " Start_Time start

2b.) Concatenate the "Disconnect_Date" and "Disconnect_Time" fields and call the new field "end"

| strcat Disconnect_Date " " Disconnect_Time end

3a.) Convert the "start" field to epoch seconds and call the resulting field "start_time_secs"

| convert auto(start) as start_time_secs

3b.) Convert the same with the "end" field and call the resulting field "end_time_secs":

| convert auto(end) as end_time_secs

4a.) Since the values in the "start_time_secs" field are in deciseconds, round to the nearest second:

| eval start_time_secs=round(start_time_secs,0)

4b.) Since the values in the "end_time_secs" field are in deciseconds, round to the nearest second:

| eval end_time_secs=round(end_time_secs,0)

5.) Subtract the "start_time_secs" from the "end_time_secs" and call the resulting field "dur":

| eval dur=end_time_secs-start_time_secs

6.) Use the concurrency command to calculate concurrency per second based on "dur":

| concurrency duration=dur start=start_time_secs

7.) Chart it to present peak concurrent sessions per minute, with 1-second granularity, over the past 15 minutes:

| timechart span=1m max(concurrency) as "Concurrent Sessions"

*** NOTE: You can simplify this a bit by using just the "Start_Date" + "Start_Time" + "Call_Duration" fields to determine duration if you do not want to include set-up and tear-down of the sessions.

0 Karma
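To make concrete what steps 1 to 7 above compute, and what the original question's per-minute rolling view would look like on the same data, here is an added Python model of the pipeline. It is not Splunk code and is not from either poster. It assumes the CDR date and time fields look like "03/14/2014" and "09:44:30.2" (tenths of a second, which is why the answer rounds to whole seconds), uses constructed STOP records rather than real Sonus output, and models the concurrency command as "events in progress at this event's start, itself included", treating an event's end as exclusive (both assumptions). Because calls are stated not to exceed an hour, the question's "look back one hour from each minute" count reduces to the calls in progress at each minute boundary, which the last function produces.

```python
"""Added model of the answer's concurrency search and of the per-minute rolling view.
Data and timestamp layout are constructed assumptions, not real Sonus CDR output."""
from collections import defaultdict
from datetime import datetime, timedelta

_EPOCH = datetime(1970, 1, 1)  # naive epoch so results do not depend on local timezone


def to_epoch(date_str, time_str):
    """Steps 2 and 3: join date and time, convert to epoch seconds (float, tenths kept).
    Assumed layout: MM/DD/YYYY and HH:MM:SS.d."""
    dt = datetime.strptime(f"{date_str} {time_str}", "%m/%d/%Y %H:%M:%S.%f")
    return (dt - _EPOCH).total_seconds()


def prepare_intervals(records):
    """Steps 3 to 5: rounded start/end epoch seconds and dur = end - start per record.
    Records whose disconnect precedes their start (clock skew, bad data) are dropped:
    a negative duration would silently distort the concurrency figures."""
    intervals = []
    for r in records:
        start = round(to_epoch(r["Start_Date"], r["Start_Time"]))
        end = round(to_epoch(r["Disconnect_Date"], r["Disconnect_Time"]))
        dur = end - start
        if dur < 0:
            continue
        intervals.append({"id": r["Accounting_ID"], "start": start, "end": end, "dur": dur})
    return intervals


def concurrency(intervals):
    """Step 6, modelled on the concurrency command: for each event, the number of events
    (itself included) in progress at that event's start; an event ending exactly at
    another's start is assumed not to overlap it."""
    out = []
    for ev in intervals:
        n = sum(1 for other in intervals
                if other is ev or other["start"] <= ev["start"] < other["end"])
        out.append({**ev, "concurrency": n})
    return out


def peak_per_minute(events):
    """Step 7, like `timechart span=1m max(concurrency)`: bucket each event by the minute
    its start falls in and keep the largest concurrency seen in that minute."""
    peaks = defaultdict(int)
    for ev in events:
        minute = ev["start"] - ev["start"] % 60
        peaks[minute] = max(peaks[minute], ev["concurrency"])
    return dict(peaks)


def active_at(intervals, t):
    """The question's per-minute figure: calls in progress at instant t (epoch seconds)."""
    return sum(1 for ev in intervals if ev["start"] <= t < ev["end"])


def active_series(intervals, first_minute, last_minute):
    """One value per minute boundary from first_minute to last_minute, inclusive."""
    return {t: active_at(intervals, t) for t in range(first_minute, last_minute + 1, 60)}


# Constructed STOP records; c5 has a disconnect earlier than its start and is dropped.
STOP_RECORDS = [
    {"Accounting_ID": c, "Start_Date": "03/14/2014", "Start_Time": s,
     "Disconnect_Date": "03/14/2014", "Disconnect_Time": e}
    for c, s, e in [
        ("c1", "09:44:30.2", "09:49:30.7"),
        ("c2", "09:45:10.1", "09:50:10.2"),
        ("c3", "09:46:05.9", "09:47:05.1"),
        ("c4", "09:46:40.3", "09:52:00.4"),
        ("c5", "09:48:20.2", "09:48:10.8"),
        ("c6", "09:49:00.4", "09:58:00.1"),
        ("c7", "09:55:30.6", "09:59:30.3"),
    ]
]


def _hhmm(secs):
    return (_EPOCH + timedelta(seconds=secs)).strftime("%H:%M:%S")


if __name__ == "__main__":
    intervals = prepare_intervals(STOP_RECORDS)
    events = concurrency(intervals)
    print("per-event concurrency (answer's step 6):")
    for ev in events:
        print(f"  {ev['id']} start={_hhmm(ev['start'])} dur={ev['dur']}s conc={ev['concurrency']}")
    print("peak per minute (answer's step 7):")
    for minute, peak in sorted(peak_per_minute(events).items()):
        print(f"  {_hhmm(minute)} {peak}")
    print("calls in progress at each minute boundary (the question's table):")
    t0 = int(to_epoch("03/14/2014", "09:45:00.0"))
    t1 = int(to_epoch("03/14/2014", "10:00:00.0"))
    for t, n in active_series(intervals, t0, t1).items():
        print(f"  {_hhmm(t)} {n}")
```

Running the script prints three views of the same six valid calls: the per-event concurrency that the concurrency command attaches to each STOP record, the per-minute peak that the timechart reports (note that minutes with no call start produce no row, just as timechart would leave them empty), and the minute-by-minute count of calls in progress that the original question sketches. The dropped record c5 shows why the rounding and subtraction steps deserve a sanity check before feeding the concurrency command.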

tnkoehn
Path Finder

Well, the first minute I would see 1, the 2nd minute I would see 2, the 3rd I would see 3, the 4th I would see 4, and the 5th minute I would see 5.

0 Karma

martin_mueller
SplunkTrust

So, if we assume a call lasts five minutes and one starts every minute, would you be looking for a 5 as a result?

0 Karma

yannK
Splunk Employee

Maybe not exactly based on the same format of data, but there is an approach here.

http://splunk-base.splunk.com/answers/69213/calculate-concurrency-of-transactions

martin_mueller
SplunkTrust

Indeed, that appears to be the same basic problem.

tnkoehn
Path Finder

Each call has a START record when it is answered and a STOP record when it ends. Calls generally do not last longer than 1 hour in duration. So for each minute, I want to look back through the past hour and find out how many calls were going on simultaneously.

0 Karma

martin_mueller
SplunkTrust

If you're looking at one minute, how do you define (in non-Splunk terms) the number of concurrent calls during the previous hour?

0 Karma