
Concurrency by minute by hour over 15 minute period

tnkoehn
Path Finder

Hopefully this is not too confusing. I need to know how many concurrent calls occurred during the last hour for each minute over the last 15 minutes.

For example, if the current time is 10:00 I would need the search to do this:

 time      from - to        concurrent calls
 -----     -------------    ----------------
 09:45     08:45 - 09:45    435
 09:46     08:46 - 09:46    438
 ...
 10:00     09:00 - 10:00    421

I know how to use the transaction command to get concurrency, I just don't know how to get the concurrency for each minute looking backwards 1 hour. The results I would need would look like this:

 _time         count
 09:45:00      435
 09:46:00      438
 ...
 10:00:00      421

I tried this search, but it definitely is not what I need:

sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* CDR_Type!=ATTEMPT earliest=-15m
| bucket _time span=1m
| transaction Accounting_ID startswith="START" endswith="STOP" maxpause=3600
| concurrency duration=duration
| stats count by _time
| head 15

Hope this isn't too confusing and thanks for any help.


SK110176
Path Finder

I'm not sure I understand the reporting you're looking to present. Your search is just looking for data over the past 15 minutes, yet you're presenting a table that shows concurrent sessions by minute over the previous hour. I would think you'd want the reporting period in the table to match the time period for the search.

Using a transaction may be unnecessary since the STOP record has the fields you need to determine duration. Here's a search you can use with an explanation on search variables and functions:

sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* CDR_Type=STOP earliest=-15m
| strcat Start_Date " " Start_Time start
| strcat Disconnect_Date " " Disconnect_Time end
| convert auto(start) as start_time_secs
| convert auto(end) as end_time_secs
| eval start_time_secs=round(start_time_secs,0)
| eval end_time_secs=round(end_time_secs,0)
| eval dur=end_time_secs-start_time_secs
| concurrency duration=dur start=start_time_secs
| timechart span=1m max(concurrency) as "Concurrent Sessions"

1.) Base search:

sourcetype=Sonus Site=oma10 Ingress_TG_Name=ATT_0007* CDR_Type=STOP earliest=-15m

2a.) Concatenate values in "Start_Date" and "Start_Time" fields and call the new field "start"

| strcat Start_Date " " Start_Time start

2b.) Concatenate the "Disconnect_Date" and "Disconnect_Time" fields and call the new field "end"

| strcat Disconnect_Date " " Disconnect_Time end

3a.) Convert the "start" field to epoch seconds and call the resulting field "start_time_secs"

| convert auto(start) as start_time_secs

3b.) Convert the same with the "end" field and call the resulting field "end_time_secs":

| convert auto(end) as end_time_secs

4a.) Since the values in the "start_time_secs" field are in deciseconds, round to the nearest second:

| eval start_time_secs=round(start_time_secs,0)

4b.) Since the values in the "end_time_secs" field are in deciseconds, round to the nearest second:

| eval end_time_secs=round(end_time_secs,0)

5.) Subtract the "start_time_secs" from the "end_time_secs" and call the resulting field "dur":

| eval dur=end_time_secs-start_time_secs

6.) Use the concurrency command to calculate concurrency per second based on "dur":

| concurrency duration=dur start=start_time_secs

7.) Chart it to present peak concurrent sessions per minute, with 1-second granularity, over the past 15 minutes:

| timechart span=1m max(concurrency) as "Concurrent Sessions"

*** NOTE: You can simplify this a bit by using just the "Start_Date" + "Start_Time" + "Call_Duration" fields to determine duration if you do not want to include set-up and tear-down of the sessions.

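To make the pipeline above concrete outside Splunk, here is an added Python example (written for this page, not Splunk's code and not the answerer's search) that walks the same steps 2 through 7 over a handful of constructed STOP records. It assumes the date and time fields look like "YYYY-MM-DD" and "HH:MM:SS.d" with a decisecond fraction, treats them as UTC, and interprets the concurrency step as "number of calls in progress at the instant each call starts, the call itself included". It also shows two edge cases the SPL silently passes through: a zero-length call and a record whose disconnect precedes its start.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample STOP records (not real Sonus CDR data). Field names follow
# the thread; the "YYYY-MM-DD" / "HH:MM:SS.d" layout is an assumption.
STOP_RECORDS = [
    {"Accounting_ID": "call-1", "Start_Date": "2014-03-10", "Start_Time": "09:44:30.0",
     "Disconnect_Date": "2014-03-10", "Disconnect_Time": "09:49:30.0"},
    {"Accounting_ID": "call-2", "Start_Date": "2014-03-10", "Start_Time": "09:45:10.2",
     "Disconnect_Date": "2014-03-10", "Disconnect_Time": "09:47:10.4"},
    {"Accounting_ID": "call-3", "Start_Date": "2014-03-10", "Start_Time": "09:45:50.0",
     "Disconnect_Date": "2014-03-10", "Disconnect_Time": "09:46:20.0"},
    {"Accounting_ID": "call-4", "Start_Date": "2014-03-10", "Start_Time": "09:46:05.0",
     "Disconnect_Date": "2014-03-10", "Disconnect_Time": "09:51:05.0"},
    # Zero-length call: still counts as one session at its own start instant.
    {"Accounting_ID": "call-5", "Start_Date": "2014-03-10", "Start_Time": "09:48:00.0",
     "Disconnect_Date": "2014-03-10", "Disconnect_Time": "09:48:00.0"},
    # Malformed record (disconnect before start): skipped instead of yielding a negative duration.
    {"Accounting_ID": "call-6", "Start_Date": "2014-03-10", "Start_Time": "09:47:00.0",
     "Disconnect_Date": "2014-03-10", "Disconnect_Time": "09:46:00.0"},
]


def to_epoch_secs(date_str, time_str):
    """Steps 2-4: concatenate date and time, parse, round to whole seconds (UTC assumed)."""
    dt = datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S.%f")
    return round(dt.replace(tzinfo=timezone.utc).timestamp())


def compute_concurrency(records):
    """Steps 5-6: derive each call's duration, then count how many calls are in
    progress at the instant each call starts, the call itself included (this is
    the interpretation of the concurrency step assumed here)."""
    calls = []
    for rec in records:
        start = to_epoch_secs(rec["Start_Date"], rec["Start_Time"])
        end = to_epoch_secs(rec["Disconnect_Date"], rec["Disconnect_Time"])
        if end < start:
            continue  # malformed CDR; a negative duration would corrupt the count
        calls.append({"id": rec["Accounting_ID"], "start": start, "dur": end - start})
    calls.sort(key=lambda c: c["start"])
    for call in calls:
        t = call["start"]
        call["concurrency"] = sum(
            1 for other in calls
            if other is call or (other["start"] <= t < other["start"] + other["dur"])
        )
    return calls


def peak_per_minute(calls):
    """Step 7: the `timechart span=1m max(concurrency)` equivalent, keyed by HH:MM.
    Minutes in which no call starts get no bucket, like a sparse timechart."""
    peaks = defaultdict(int)
    for call in calls:
        minute = datetime.fromtimestamp(call["start"], tz=timezone.utc).strftime("%H:%M")
        peaks[minute] = max(peaks[minute], call["concurrency"])
    return dict(sorted(peaks.items()))


if __name__ == "__main__":
    for minute, peak in peak_per_minute(compute_concurrency(STOP_RECORDS)).items():
        print(minute, peak)
```

With the constructed records, call-1 through call-4 stack up to four simultaneous sessions in the 09:46 minute, the zero-length call-5 registers as one session on top of the two still running at 09:48, and call-6 is dropped before it can skew anything. Note that because concurrency is sampled only at call starts, a peak that occurs between two starts (a call ending while none begin) is never observed; that is inherent to the per-event approach in the answer, not a property of this port.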

tnkoehn
Path Finder

Well, the first minute I would see 1, the 2nd minute I would see 2, the 3rd I would see 3, the 4th I would see 4, and the 5th minute I would see 5.


martin_mueller
SplunkTrust

So, if we assume a call lasts five minutes and one starts every minute, would you be looking for a 5 as a result?


yannK
Splunk Employee

Maybe not exactly based on the same format of data, but there is an approach here:

http://splunk-base.splunk.com/answers/69213/calculate-concurrency-of-transactions

martin_mueller
SplunkTrust

Indeed, that appears to be the same basic problem.

tnkoehn
Path Finder

Each call has a START record when it is answered and a STOP record when it ends. Calls generally do not last longer than 1 hour in duration. So for each minute, I want to look back through the past hour and find out how many calls were going on simultaneously.


martin_mueller
SplunkTrust

If you're looking at one minute, how do you define (in non-Splunk terms) the number of concurrent calls during the previous hour?
