topic Re: Concurrency by .................... in Splunk Search

Concurrency by ....................

KarunK — Mon, 25 Jun 2012 02:38:32 GMT

Hi All,

I have stream logs for five channels (currently may be more in future) and I need to calculate the concurrency of each channels. Any idea how to do it ?

Currently I do individual searches for each channels.

For eg:...

sourcetype="stream_logs" *ch_101* | concurreny duration=x_duration | timechart span=5min max(concurrency)

sourcetype="stream_logs" *ch_102* | concurreny duration=x_duration | timechart span=5min max(concurrency)

............................... etc

I want do it in one single search.

Thanks in advance.

Regards

kkn

Re: Concurrency by ....................

lguinn2 — Mon, 25 Jun 2012 04:51:20 GMT

Try this

sourcetype="stream_logs" *ch_101*  OR *ch_102* OR *ch_103*
| rex "(?P<channel>ch_\d{3})"
| concurreny duration=x_duration 
| timechart span=5min max(concurrency) by channel

The above assumes that there is no field for the channel already defined. If there is a field already, you could use it instead of the rex command. Also, if you don't want to put in a whole series of "ORs", you could try this

sourcetype="stream_logs" *ch_* 
| regex _raw=".*ch_\d{3}.*"
| rex "(?P<channel>ch_\d{3})"
| concurreny duration=x_duration 
| timechart span=5min max(concurrency) by channel

The regex command will select only events that have the pattern ch_DDD where DDD is any 3 digits.

Re: Concurrency by ....................

KarunK — Mon, 16 Jul 2012 23:23:03 GMT

Hi,

Thanks for your reply. This wont work as when the concurrency is calculated, the field "concurrency" considers all five channels streaming simultaneously. To be precise if the five channels are streaming (say ch1 to ch5), the above search result will give concurrency of five. But actually the concurrency should be "1" for each individual channels, which is what I want. So time charting the field concurrency wont provide the concurrency for individual channels requests.

Thanks

Regards

Re: Concurrency by ....................

assaphmehr — Wed, 18 Jul 2012 04:11:30 GMT

Looks like this would be an awesome feature request...

Re: Concurrency by ....................

JeToJedno — Thu, 06 Apr 2017 10:18:39 GMT

I had the same problem, and came up with a cludge to work it. In your case, something like:

sourcetype="stream_logs" *ch_* 
  | rex "(?P<channel>ch_\d{3})"
  | appendpipe [ where channel="ch101" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
  | appendpipe [ where channel="ch102" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
  | appendpipe [ where channel="ch103" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
  | appendpipe [ where channel="ch104" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
  | appendpipe [ where channel="ch105" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
  | timechart span=5min max(concurrency) BY channel

This is nasty, and needs editing every time there's a new channel, but it works.

You can add a catch-all appendpipe for concurrency for anything not otherwise identified (good for detecting change in the number of channels), or a where line to drop anything which doesn;t have a concurrency, or a stats line to merge the concurrencies back into the transaction they're from (or add more fields into the table commands).

It would be much better if there was a *concurrency ... BY * command

Re: Concurrency by ....................

cmerriman — Thu, 06 Apr 2017 14:34:57 GMT

i used this answers to get a concurrency by syntax:
https://answers.splunk.com/answers/153299/bulletproof-approach-for-charting-concurrency-with-split-by-field.html

i tweaked mine a bit, using timechart span=1h limit=0. the data i had, the first approach was perfect, as I wasn't missing any major gaps to have a problem with filldown.

Re: Concurrency by ....................

eregon — Mon, 01 Jul 2019 13:19:46 GMT

The link is not working anymore and I was not able to find that answer by keywords anymore. Does anyone have a working link, by any chance?