Splunk Search

What is the best way to show sparse concurrent transaction counts?

zentish
New Member

I'm trying to report on concurrent SSL VPN sessions over time on an F5 APM device. I've defined the fields and the transaction I need. These are long lived sessions where hours can go by without the creation of new transactions.

apd OR tmm | transaction name=apm_session | concurrency duration=duration | timechart count(concurrency) by apm_client_platform

This seems to show me what I'm after but doesn't show any concurrency late at night when sessions aren't doing anything but ending. Is there any way to get a more accurate concurrency count?

Thanks!

Tags (1)
0 Karma

steveyz
Splunk Employee
Splunk Employee

If you have a seperate event for session start and session end, you can do the following. Assuming that you extract a field 'type' that can take on either "START" or "STOP".

apd OR tmm | eval count = if(type="START",1,-1) | sort + _time | accum count as concurrency | timechart max(concurrency)

araitz
Splunk Employee
Splunk Employee

I can't see how you have defined the transaction "apm_transaction", so I will assume that the above search will produce results wherein the start time of the transaction is a log in event.

If that is the case, then the above search will show you how many events occurred simultaneously with a log in event on your SSL VPN, as the "count(concurrency)" will just show you how many times, for example, "concurrency=1" occurred in an event.

Forgive me if I am being dense - perhaps I just need a bit more information.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...