- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to get number of concurrent sessions per m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
How to get number of concurrent sessions per minute. My transaction started with beginning session and ends with ending session
for example
my first transaction started at 12-3-2015 10:01:00, second transaction started at 12-3-2015 10:01:10, third transaction started at 12-3-2015 10:01:35, fourth transaction started at 12-3-2015 10:02:15, fifth transaction started at 12-3-2015 10:02:40
My second transaction ended at 12-3-2015 10:01:50
I want my output like
12-3-2015 10:01:00 - number of transactions 3
12-3-2015 10:02:00 - Number of transactions 4 (second transaction completed in last minute only thats why I excluded that in next minute)
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try like this:
...| transaction startswith="beginning session" endswith="ending session" |bucket span=1m _time|stats count as "number of transactions" by _time
or
...| transaction startswith="beginning session " endswith="ending session " | timechart per_minute(eval(count)) as "number of transactions"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try like this:
...| transaction startswith="beginning session" endswith="ending session" |bucket span=1m _time|stats count as "number of transactions" by _time
or
...| transaction startswith="beginning session " endswith="ending session " | timechart per_minute(eval(count)) as "number of transactions"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi here is something for you.
1.
source="" | transaction startswith="beginning session "
endswith="ending session " |timechart count span=1m as
"number of transactions"
However if this returns more than 50,000 results it
wont work and it'll return that bucketing error.
OR
2.
source="" | transaction startswith="beginning session "
endswith="ending session " |eval count=1
| timechart per_minute (count) as
"number of transactions"
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
