Hopefully this is not too confusing. I need to know how many concurrent calls occurred during the last hour for each minute over the last 15 minutes.
For example, if the current time is 10:00 I would need the search to do this:
time   from - to       concurrent calls
-----  -------------   ----------------
09:45  08:45 - 09:45   435
09:46  08:46 - 09:46   438
...
10:00  09:00 - 10:00   421
I know how to use the transaction command to get concurrency, I just don't know how to get the concurrency for each minute looking backwards 1 hour. The results I would need would look like this:
_time     count
--------  -----
09:45:00  435
09:46:00  438
...
10:00:00  421
I tried this search, but it definitely is not what I need:
sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* CDR_Type!=ATTEMPT earliest=-15m | bucket _time span=1m | transaction Accounting_ID startswith="START" endswith="STOP" maxpause=3600 | concurrency duration=duration | stats count by _time | head 15
Hope this isn't too confusing and thanks for any help.
I'm not sure I understand the reporting you're looking to present. Your search is just looking for data over the past 15 minutes, yet you're presenting a table that shows concurrent sessions by minute over the previous hour. I would think you'd want the reporting period in the table to match the time period for the search.
Using a transaction may be unnecessary since the STOP record has the fields you need to determine duration. Here's a search you can use with an explanation on search variables and functions:
sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* STOP earliest=-15m | strcat Start_Date " " Start_Time start | strcat Disconnect_Date " " Disconnect_Time end | convert auto(start) as start_time_secs | convert auto(end) as end_time_secs | eval start_time_secs=round(start_time_secs,0) | eval end_time_secs=round(end_time_secs,0) | eval dur=end_time_secs-start_time_secs | concurrency duration=dur start=start_time_secs | timechart span=1m max(concurrency) as "Concurrent Sessions"
1.) Base search:
sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* CDR_Type=STOP earliest=-15m
2a.) Concatenate values in "Start_Date" and "Start_Time" fields and call the new field "start"
| strcat Start_Date " " Start_Time start
2b.) Concatenate the "Disconnect_Date" and "Disconnect_Time" fields and call the new field "end"
| strcat Disconnect_Date " " Disconnect_Time end
3a.) Convert the "start" field to epoch seconds and call the resulting field "start_time_secs"
| convert auto(start) as start_time_secs
3b.) Convert the same with the "end" field and call the resulting field "end_time_secs":
| convert auto(end) as end_time_secs
4a.) Since the values in the "start_time_secs" field are in deciseconds, round to the nearest second:
| eval start_time_secs=round(start_time_secs,0)
4b.) Since the values in the "end_time_secs" field are in deciseconds, round to the nearest second:
| eval end_time_secs=round(end_time_secs,0)
5.) Subtract the "start_time_secs" from the "end_time_secs" and call the resulting field "dur":
| eval dur=end_time_secs-start_time_secs
6.) Use the concurrency command to calculate concurrency per second based on "dur":
| concurrency duration=dur start=start_time_secs
7.) Chart it to present peak concurrent sessions per minute, with 1-second granularity, over the past 15 minutes:
| timechart span=1m max(concurrency) as "Concurrent Sessions"
*** NOTE: You can simplify this a bit by using just the "Start_Date" + "Start_Time" + "Call_Duration" fields to determine duration if you do not want to include set-up and tear down of the sessions.
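As an added, self-contained model (not code from this thread or from Splunk), the Python below does offline what the pipeline above does in SPL: it pairs START and STOP records per Accounting_ID, sweeps the per-second count of calls in progress (the count the concurrency command attaches to each event at its start time), keeps the peak per one-minute bucket (the timechart span=1m max() step), and then builds the hourly look-back table the question asks for. Every record, Accounting_ID value and timestamp in it is constructed: one call starts every minute and each lasts five minutes, plus one call that has no STOP yet, which is dropped the same way a STOP-only search would skip it.

```python
"""Per-minute call concurrency with an hourly look-back, modelled in Python.

Added example, not code from the original thread. Call records are assumed to be
(Accounting_ID, CDR_Type, timestamp) tuples, built inline below.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM[:SS]' into a datetime (helper for readable inputs)."""
    fmt = "%Y-%m-%d %H:%M:%S" if text.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(text, fmt)


def build_sample(first=ts("2013-01-01 09:00"), calls=60, length=timedelta(minutes=5)):
    """Constructed CDRs: one call per minute, each `length` long, plus one still-open call."""
    records = []
    for i in range(calls):
        start = first + timedelta(minutes=i)
        acct = f"ACCT-{i:04d}"  # hypothetical Accounting_ID values
        records.append((acct, "START", start))
        records.append((acct, "STOP", start + length))
    records.append(("ACCT-OPEN", "START", first))  # no STOP yet: has no duration, ignored
    return records


def pair_calls(records):
    """Pair START/STOP rows by Accounting_ID into (start, end) intervals.

    Calls without a STOP have no duration yet and are dropped, which is why the
    answer above keys its search on STOP records only.
    """
    starts, ends = {}, {}
    for acct, cdr_type, when in records:
        (starts if cdr_type == "START" else ends)[acct] = when
    return [(starts[a], ends[a]) for a in starts if a in ends and ends[a] >= starts[a]]


def active_per_second(intervals):
    """Sweep line: calls in progress at each second from the first start to the last end.

    A call ending at second t is no longer counted at t, so the step function
    drops exactly where the call's duration runs out.
    """
    delta = defaultdict(int)
    for start, end in intervals:
        delta[start] += 1
        delta[end] -= 1
    t, last = min(s for s, _ in intervals), max(e for _, e in intervals)
    running, active = 0, {}
    while t <= last:
        running += delta.get(t, 0)
        active[t] = running
        t += timedelta(seconds=1)
    return active


def peak_per_minute(active):
    """Peak concurrency in each 1-minute bucket (what timechart span=1m max() reports)."""
    peaks = defaultdict(int)
    for t, n in active.items():
        bucket = t.replace(second=0, microsecond=0)
        peaks[bucket] = max(peaks[bucket], n)
    return dict(peaks)


def hourly_lookback(peaks, now, minutes=15, window=timedelta(hours=1)):
    """One row per minute mark from now-minutes to now: the peak in the preceding window.

    Mirrors the table in the question: the 09:45 row covers 08:45-09:45, and so on.
    """
    rows = []
    for back in range(minutes, -1, -1):
        mark = now - timedelta(minutes=back)
        in_window = [n for m, n in peaks.items() if mark - window <= m < mark]
        rows.append((mark, max(in_window, default=0)))
    return rows


if __name__ == "__main__":
    peaks = peak_per_minute(active_per_second(pair_calls(build_sample())))
    print("time   from - to       concurrent calls")
    for mark, peak in hourly_lookback(peaks, ts("2013-01-01 10:00")):
        lo = (mark - timedelta(hours=1)).strftime("%H:%M")
        print(f"{mark:%H:%M}  {lo} - {mark:%H:%M}   {peak}")
```

With the constructed five-minute calls the per-minute peaks climb 1, 2, 3, 4, 5 and then hold at 5, which is the ramp described in the comments; the look-back rows differ only near the start of the data, where the preceding hour is partly empty. Swap `build_sample()` for real intervals to sanity-check an SPL search's output against this reference.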
Well, the first minute I would see 1, the 2nd minute I would see 2, the 3rd I would see 3, the 4th I would see 4, and the 5th minute I would see 5.
So, if we assume a call lasts five minutes and one starts every minute, would you be looking for a 5 as a result?
Maybe not exactly based on the same format of data, but there is an approach here.
http://splunk-base.splunk.com/answers/69213/calculate-concurrency-of-transactions
Indeed, that appears to be the same basic problem.
Each call has a START record when it is answered and a STOP record when it ends. Calls generally do not last longer than 1 hour in duration. So for each minute, I want to look back through the past hour and find out how many calls were going on simultaneously.
If you're looking at one minute, how do you define (in non-splunk terms) the number of concurrent calls during the previous hour?