Splunk Search

What is the best way to show sparse concurrent transaction counts?

zentish
New Member

I'm trying to report on concurrent SSL VPN sessions over time on an F5 APM device. I've defined the fields and the transaction I need. These are long lived sessions where hours can go by without the creation of new transactions.

apd OR tmm | transaction name=apm_session | concurrency duration=duration | timechart count(concurrency) by apm_client_platform

This seems to show me what I'm after but doesn't show any concurrency late at night when sessions aren't doing anything but ending. Is there any way to get a more accurate concurrency count?

Thanks!

Tags (1)
0 Karma

steveyz
Splunk Employee
Splunk Employee

If you have a seperate event for session start and session end, you can do the following. Assuming that you extract a field 'type' that can take on either "START" or "STOP".

apd OR tmm | eval count = if(type="START",1,-1) | sort + _time | accum count as concurrency | timechart max(concurrency)

araitz
Splunk Employee
Splunk Employee

I can't see how you have defined the transaction "apm_transaction", so I will assume that the above search will produce results wherein the start time of the transaction is a log in event.

If that is the case, then the above search will show you how many events occurred simultaneously with a log in event on your SSL VPN, as the "count(concurrency)" will just show you how many times, for example, "concurrency=1" occurred in an event.

Forgive me if I am being dense - perhaps I just need a bit more information.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...