Hi,
I am trying to implement our requirement for "concurrency".
Let's say we want to measure user concurrency every 5 minutes. I need to create transactions that represent user sessions. Then, based on the session duration, if I create a multivalue field containing "|xxx|" duration/5 min times, I can do mvexpand and then apply Splunk's concurrency command to generate the result we are looking for.
e.g. if a transaction has a duration of 20 minutes, then I want to create a field with the value "xxx|xxx|xxx|xxx|" for that transaction, convert that to a multivalue field, and then do mvexpand. I think I will end up with 4 individual events; I can assign a duration of 5 mins to each and then let the Splunk concurrency command calculate the counts.
That also requires that it be possible to adjust the value of _time on the events created by mvexpand, so that there are 4 events each starting within 5 minutes of another one. Is that possible?
Thanks,
Fereshteh
I'd take a slightly different approach, and generate 'false' sessions 5 minutes apart and use them as markers to calculate the concurrency.
i.e.
if ... represents a search that populates '_time' and 'duration' used for concurrency
... | append [
search * | head 1 | addinfo
| eval info_min_time=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S")
| eval info_max_time=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S")
| map search="| gentimes start=$info_min_time$ end=$info_max_time$ increment=5m
| eval _time=starttime
| eval duration=0
| eval marker=1
| fields _time duration marker" ]
| concurrency duration=duration start=_time
| where marker=1
| eval concurrency=concurrency-1
| table _time concurrency
Everything in the append [] block is just a trick to create a sequence of times that match your search time range.
The important thing is that the generated times have a hardcoded duration=0, marker=1 and a _time that is 5 minutes apart from the last one.
So now you can do your concurrency and filter out only the events that snap to your markers
(and subtract 1 because you've included the fake session marker).
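As an added example (my own code, not the poster's SPL and not part of Splunk), here is a small Python model of the marker trick above: it re-creates what gentimes, a simplified concurrency command, the `where marker=1` filter and the "subtract 1" step do on a few constructed sessions, so you can sanity-check what the pipeline should return before running it against real data. The half-open span [start, start+duration) is an assumption about how the concurrency command treats boundaries; the sessions are constructed, not taken from any search.

```python
from datetime import datetime, timedelta

MARKER_STEP = timedelta(minutes=5)

# Constructed sample sessions: (start time, duration in minutes). Not real data.
SESSIONS = [
    ("2023-01-01 10:00:00", 20),   # runs 10:00 - 10:20
    ("2023-01-01 10:03:00", 5),    # runs 10:03 - 10:08
    ("2023-01-01 10:12:00", 10),   # runs 10:12 - 10:22
    ("2023-01-01 10:30:00", 0),    # zero-length session, same instant as a marker
]


def parse_sessions(rows):
    """Turn the constructed rows into (start, duration, marker=False) events."""
    return [
        (datetime.strptime(start, "%Y-%m-%d %H:%M:%S"), timedelta(minutes=mins), False)
        for start, mins in rows
    ]


def gentimes(start, end, step):
    """Mimic `gentimes start=... end=... increment=5m`: timestamps from start to end."""
    out, t = [], start
    while t <= end:
        out.append(t)
        t += step
    return out


def concurrency(events):
    """Simplified model of `concurrency duration=duration start=_time`.

    Each event's concurrency is 1 (the event itself) plus the number of other
    events whose span [start, start+duration) contains this event's start.
    Assumption: half-open span; Splunk's exact boundary rule is not verified here.
    """
    result = []
    for i, (start, dur, marker) in enumerate(events):
        n = 1
        for j, (s2, d2, _) in enumerate(events):
            if j != i and s2 <= start < s2 + d2:
                n += 1
        result.append((start, dur, marker, n))
    return result


def concurrency_at_markers(sessions, step=MARKER_STEP):
    """Append duration=0 marker events every `step`, run concurrency, keep only
    the markers and subtract the marker's own count, exactly as the SPL does.
    Returns a sorted list of ("HH:MM", concurrency) pairs."""
    starts = [s for s, _, _ in sessions]
    ends = [s + d for s, d, _ in sessions]
    markers = [(m, timedelta(0), True) for m in gentimes(min(starts), max(ends), step)]
    events = sessions + markers
    return sorted(
        (start.strftime("%H:%M"), n - 1)
        for start, _, marker, n in concurrency(events)
        if marker
    )


if __name__ == "__main__":
    for when, count in concurrency_at_markers(parse_sessions(SESSIONS)):
        print(when, count)
```

The marker flag matters in the filter: the zero-length session at 10:30 would otherwise be indistinguishable from the marker at the same instant, which is why the SPL sets an explicit marker=1 rather than relying on duration=0.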