https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153701#M185637 <P>OK. Everything before the last line in your question <CODE>| stats count(concurrency) by concurrency</CODE> is from our previous question over at <A href="http://answers.splunk.com/answers/227393/how-to-use-the-concurrency-command-to-timechart-th.html">http://answers.splunk.com/answers/227393/how-to-use-the-concurrency-command-to-timechart-th.html</A> so this is really more concerned with looking at a "frequency distribution of concurrency", not the nuts and bolts of how that concurrency is calculated. </P> <P>Using <CODE>| stats count by concurrency</CODE> like you are here will produce results that look like what you want, but it'll be an extremely misleading visualization. The reason is that the rows coming into the stats command are all either the start time or the end time of a call. There is no representation for the time in between these points. </P> <P>To see why this is a problem, let's look at a specific situations. Let's analyze a time period from 1pm to 2pm. Say we have 5 calls that all start right at 1pm and that are each 15 minutes long. Thinking about this, we want to ultimately see some frequency distribution with a lot of concurrency=0, and a fair bit of concurrency=5. </P> <P>However let's pipe such a set into <CODE>| stats count by concurrency</CODE>. It will give us a distribution but it turns out that concurrency=0 will have a value of 1, then every value of concurrency from 1 to 4 will have a value of 2, then concurrency=5 will have a value of 1. This doesn't seem to match our expectations very well. </P> <P>Then if we consider 5 other calls that start at 2pm but that are each only 1 minute long. The <CODE>stats count by concurrency</CODE> output here will be exactly the same as it was for the first calls. If we consider a time period that covers both sets of calls, it'll be the same chart with all y-axis values doubled. o_O</P> <P>Instead I think it makes more sense to analyze some discrete unit of time like minutes or seconds, and look at the distribution of concurrency values for each sourceip <EM>across all the time periods</EM>. </P> <P>Here in the search below I'm telling timechart to use not 1 second but rather 15 minutes as our bucket size but it's up to you. The search language looks a lot like what we did in the last question except at the end we have an extra <CODE>untable</CODE> and <CODE>stats</CODE> command. </P> <PRE><CODE>... all the stuff before up to | eval concurrency = if(increment==-1, post_concurrency+1, post_concurrency) | timechart span=15min max(concurrency) as max_concurrency last(post_concurrency) as last_concurrency by sourceip limit=20 | filldown last_concurrency* | foreach "max_concurrency: *" [eval &lt;&lt;MATCHSTR&gt;&gt;=coalesce('max_concurrency: &lt;&lt;MATCHSTR&gt;&gt;','last_concurrency: &lt;&lt;MATCHSTR&gt;&gt;')] | fields - last_concurrency* max_concurrency* | untable _time sourceip concurrency | chart count over concurrency by sourceip </CODE></PRE> <P>That search above will analyze all the 15 minute periods for each sourceip, and give you a frequency distribution for each sourceip value, and graph them all as separate lines on the same frequency distribution chart. </P> <P>If instead you want to just see a single overarching frequency distribution of "per-sourceip concurrency", replace that last <CODE>chart</CODE> command with our old friend, {drum fill} <CODE>| stats count by concurrency</CODE>. </P> Wed, 22 Apr 2015 04:19:42 GMT sideview 2015-04-22T04:19:42Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153699#M185635 <P>I have the following event that needs to calculate concurrency distribution:</P> <P>Event, starttime=yyyy-mm-dd hh:mm:ss, duration=, sourceip=a.b.c.d</P> <P>| rex "duration=(?.*?),"<BR /><BR /> | eval StartTime=round(strptime(startTime,"%Y-%m-%dT%H:%M:%SZ"),0)<BR /> |eval _time=StartTime<BR /> | eval increment = mvappend("1","-1")<BR /> | mvexpand increment<BR /> | eval _time = if(increment==1, _time, _time + Duration)<BR /> | sort 0 + _time<BR /> | fillnull sourceip value="NULL"<BR /> | streamstats sum(increment) as post_concurrency by sourceip<BR /> | eval concurrency = if(increment==-1, post_concurrency+1, post_concurrency)<BR /> | stats count(concurrency) by concurrency </P> <P>I want to take a look at the concurrency distribution to find out if it is matching a z-distribution. </P> <P>It seems giving me the data I want, but would like to get your opinion. I am not sure of the granularity of concurrency here, was it count it by second? Both StartTime and Duration are down to second.</P> <P>Is there a way to make concurrency as x-Axis, and count(concurrency) as y-Axis?</P> <P>Thanks,</P> Mon, 28 Sep 2020 19:36:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153699#M185635 jgcsco 2020-09-28T19:36:41Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153700#M185636 <P>I have posted another related question at </P> <P><A href="http://answers.splunk.com/answers/227393/how-to-use-the-concurrency-command-to-timechart-th.html">http://answers.splunk.com/answers/227393/how-to-use-the-concurrency-command-to-timechart-th.html</A></P> Tue, 21 Apr 2015 23:43:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153700#M185636 jgcsco 2015-04-21T23:43:40Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153701#M185637 <P>OK. Everything before the last line in your question <CODE>| stats count(concurrency) by concurrency</CODE> is from our previous question over at <A href="http://answers.splunk.com/answers/227393/how-to-use-the-concurrency-command-to-timechart-th.html">http://answers.splunk.com/answers/227393/how-to-use-the-concurrency-command-to-timechart-th.html</A> so this is really more concerned with looking at a "frequency distribution of concurrency", not the nuts and bolts of how that concurrency is calculated. </P> <P>Using <CODE>| stats count by concurrency</CODE> like you are here will produce results that look like what you want, but it'll be an extremely misleading visualization. The reason is that the rows coming into the stats command are all either the start time or the end time of a call. There is no representation for the time in between these points. </P> <P>To see why this is a problem, let's look at a specific situations. Let's analyze a time period from 1pm to 2pm. Say we have 5 calls that all start right at 1pm and that are each 15 minutes long. Thinking about this, we want to ultimately see some frequency distribution with a lot of concurrency=0, and a fair bit of concurrency=5. </P> <P>However let's pipe such a set into <CODE>| stats count by concurrency</CODE>. It will give us a distribution but it turns out that concurrency=0 will have a value of 1, then every value of concurrency from 1 to 4 will have a value of 2, then concurrency=5 will have a value of 1. This doesn't seem to match our expectations very well. </P> <P>Then if we consider 5 other calls that start at 2pm but that are each only 1 minute long. The <CODE>stats count by concurrency</CODE> output here will be exactly the same as it was for the first calls. If we consider a time period that covers both sets of calls, it'll be the same chart with all y-axis values doubled. o_O</P> <P>Instead I think it makes more sense to analyze some discrete unit of time like minutes or seconds, and look at the distribution of concurrency values for each sourceip <EM>across all the time periods</EM>. </P> <P>Here in the search below I'm telling timechart to use not 1 second but rather 15 minutes as our bucket size but it's up to you. The search language looks a lot like what we did in the last question except at the end we have an extra <CODE>untable</CODE> and <CODE>stats</CODE> command. </P> <PRE><CODE>... all the stuff before up to | eval concurrency = if(increment==-1, post_concurrency+1, post_concurrency) | timechart span=15min max(concurrency) as max_concurrency last(post_concurrency) as last_concurrency by sourceip limit=20 | filldown last_concurrency* | foreach "max_concurrency: *" [eval &lt;&lt;MATCHSTR&gt;&gt;=coalesce('max_concurrency: &lt;&lt;MATCHSTR&gt;&gt;','last_concurrency: &lt;&lt;MATCHSTR&gt;&gt;')] | fields - last_concurrency* max_concurrency* | untable _time sourceip concurrency | chart count over concurrency by sourceip </CODE></PRE> <P>That search above will analyze all the 15 minute periods for each sourceip, and give you a frequency distribution for each sourceip value, and graph them all as separate lines on the same frequency distribution chart. </P> <P>If instead you want to just see a single overarching frequency distribution of "per-sourceip concurrency", replace that last <CODE>chart</CODE> command with our old friend, {drum fill} <CODE>| stats count by concurrency</CODE>. </P> Wed, 22 Apr 2015 04:19:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153701#M185637 sideview 2015-04-22T04:19:42Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153702#M185638 <P>Thanks sideview for the detailed information. Will give it a try when I have a chance. </P> Mon, 04 May 2015 15:29:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-concurrency-distribution/m-p/153702#M185638 jgcsco 2015-05-04T15:29:10Z