Given log events containing the time, the name of a thread and whether the thread has started or stopped:
_time, thread_name, start/end
How to build a list of thread names that are currently running?
so to sum up:
1. | concurrency - for counts
2. | eval range=mvrange(start, end, "1h") | mvexpand range | bin span=1h range | stats values(thread_name) as threads count(thread_name) as count by range - for lists, to build missing event entries in time
Just putting this in as an answer - https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Concurrency
but how to build a list of thread names and how the list changes over time?
example:
time | thread names
1h | a,b
2h | a,b,c
3h | a
...
Have you looked at this
https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Concurrency
Thank you!
It was exactly what I was looking for! It worked like a charm and I could calculate the count.
But, out of curiosity and naughtiness: how to not just count using the concurrency command, but build a list?
You could try something like
... | stats values(thread_name) as threads by start
Thank you, but what if I want to know how the list changes over time?
Try this
... | bin span=1h start | stats values(thread_name) as threads count(thread_name) as count by start
This would give the names and a count of threads which have started (or have any event) in each hour. But what if a thread has started before an hour, did not stop and did not emit any events in the log? It would not be counted.
Your best bet is to use the concurrency command to get accurate results. Having said that, this will give you everything that started within the hour. This will not give you events that overlap hours. So if it starts at 11:00 and ends at 12:15, it will be counted in the 11:00 hr. count.
How to list a thread name in the 12:00 hr if it starts at 11:00 and ends at 13:15? That is the question.
Try something like this (you'll have to tweak it)
... | eval range=mvrange(start, end, "1h") | mvexpand range | bin span=1h range | stats values(thread_name) as threads count(thread_name) as count by range
That is the magic! Thanks! And not so hard after all. Should be put in the toolbox for severe cases like that. Accepted with gratitude. Thank you!
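The interval-to-bucket expansion behind the accepted `mvrange | mvexpand | bin | stats` pipeline, written out in Python as an added example (not from the thread and not Splunk code). It runs over a constructed sample log, assumes UTC timestamps and at most one start/end pair per thread, and treats a thread with no end event as still running at an assumed `NOW`. It contrasts the "bin by start" answer, which loses threads that overlap into later hours, with the per-hour expansion, and also replicates Splunk's `mvrange` stepping literally to expose one caveat: stepping from the raw start time can skip the last hour an interval overlaps.

```python
from collections import defaultdict
from datetime import datetime, timezone

HOUR = 3600

# Constructed sample log (not real data): "<UTC time> <thread_name> <start|end>".
# Thread d (12:50-13:10) is the edge case: it overlaps the 13:00 hour but the
# literal mvrange(start, end, "1h") never produces a value inside that hour.
SAMPLE_LOG = """\
2016-07-01T10:05:00 a start
2016-07-01T11:00:00 b start
2016-07-01T11:30:00 a end
2016-07-01T12:10:00 c start
2016-07-01T12:45:00 c end
2016-07-01T12:50:00 d start
2016-07-01T13:10:00 d end
2016-07-01T13:15:00 b end
"""
# Assumed "current time" used for threads that have started but not ended.
NOW = int(datetime(2016, 7, 1, 14, 0, tzinfo=timezone.utc).timestamp())


def parse_events(text):
    """Parse log lines into (epoch_seconds, thread_name, state) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, state = line.split()
        epoch = int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())
        events.append((epoch, name, state))
    return events


def intervals(events, now=NOW):
    """Pair each thread's start with its end (like stats min/max by thread_name).
    A thread that has a start but no end event is considered running until `now`,
    which covers the case raised in the thread: started earlier, no events since."""
    starts, ends = {}, {}
    for t, name, state in events:
        if state == "start":
            starts[name] = min(t, starts.get(name, t))
        elif state == "end":
            ends[name] = max(t, ends.get(name, t))
    return {name: (s, ends.get(name, now)) for name, s in starts.items()}


def bin_hour(t):
    """Equivalent of `bin span=1h`: floor to the hour boundary."""
    return t - t % HOUR


def label(t):
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%H:00")


def mvrange(start, end, step):
    """Mimic Splunk's mvrange(X, Y, Z): X, X+Z, X+2Z, ... while strictly < Y."""
    vals, t = [], start
    while t < end:
        vals.append(t)
        t += step
    return vals


def threads_by_start_hour(ivs):
    """`bin span=1h start | stats values(thread_name) by start`: a thread shows
    up only in the hour it started, so overlap into later hours is lost."""
    out = defaultdict(set)
    for name, (s, _) in ivs.items():
        out[label(bin_hour(s))].add(name)
    return {k: sorted(v) for k, v in sorted(out.items())}


def threads_running_per_hour(ivs, align_start=True):
    """`eval range=mvrange(start, end, "1h") | mvexpand range | bin span=1h range
    | stats values(thread_name) by range`. align_start=False is the literal SPL;
    align_start=True first floors the start to the hour so every hour the
    interval overlaps gets a value, including the last partial one."""
    out = defaultdict(set)
    for name, (s, e) in ivs.items():
        first = bin_hour(s) if align_start else s
        for t in mvrange(first, e, HOUR):
            out[label(bin_hour(t))].add(name)
    return {k: sorted(v) for k, v in sorted(out.items())}


if __name__ == "__main__":
    ivs = intervals(parse_events(SAMPLE_LOG))
    for hour, names in threads_running_per_hour(ivs).items():
        print(hour, ",".join(names), len(names))
```

With the literal stepping, thread d appears only in the 12:00 bucket although it was still running at 13:10; aligning the first value to the hour boundary puts it in 13:00 as well. In SPL the same alignment can be done before the expansion, for example `eval range=mvrange(start - (start % 3600), end, 3600)`, so that `bin span=1h range` sees one value per overlapped hour. Pairing starts with ends also needs a decision for threads whose end event is outside the search window; the assumed `NOW` above is one such choice.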