I'm trying to report on concurrent SSL VPN sessions over time on an F5 APM device. I've defined the fields and the transaction I need. These are long lived sessions where hours can go by without the creation of new transactions.
apd OR tmm | transaction name=apm_session | concurrency duration=duration | timechart count(concurrency) by apm_client_platform
This seems to show me what I'm after but doesn't show any concurrency late at night when sessions aren't doing anything but ending. Is there any way to get a more accurate concurrency count?
Thanks!
If you have a seperate event for session start and session end, you can do the following. Assuming that you extract a field 'type' that can take on either "START" or "STOP".
apd OR tmm | eval count = if(type="START",1,-1) | sort + _time | accum count as concurrency | timechart max(concurrency)
I can't see how you have defined the transaction "apm_transaction", so I will assume that the above search will produce results wherein the start time of the transaction is a log in event.
If that is the case, then the above search will show you how many events occurred simultaneously with a log in event on your SSL VPN, as the "count(concurrency)" will just show you how many times, for example, "concurrency=1" occurred in an event.
Forgive me if I am being dense - perhaps I just need a bit more information.