topic Re: Count the concurrent transactions with a single log entry by transaction in Splunk Search

Count the concurrent transactions with a single log entry by transaction

ypiolet — Tue, 29 Jan 2013 09:55:19 GMT

Question

Hey there,

I'm a beginner with Splunk and have questions about timechart and _time variable. Here is my situation:

2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0

I've got a log file with an indexed _time value which I don't care.
I need to count the number of concurrent sessions per second, with the following constraints :

There is a single entry in my log per session, containing Start time and End time fields. Consequently, transaction keyword seems to be useless.
The timechart must be drawed per rotary number
I must not use log entry index time which is NOT correct, and use Start/End fields instead.

My tests

For testing purposes I managed to convert times to epoch format, and compute the duration:

... 
| eval tstamp="%T.%3Q %Z %a %b %d %Y"
| eval etime=strptime(End,tstamp)
| eval stime=strptime(Start,tstamp)
| eval duration=etime-stime

Concurrency with my duration appears not to be working because it still uses log time.

I tried to use the keyword transaction with startswith=stime endswith=etime without results, and with TransacID as Session identifier but I think it is useless

... | rex field=_raw ".>\s+(?<TransacID>\d+):."

Finaly my complete search:

source="log" %X25-5-CALL_RECORD 
| rex field=_raw ".>\s+(?<Transacid>\d+):."
| eval tstamp="%T.%3Q %Z %a %b %d %Y"
| eval etime=strptime(End,tstamp)
| eval stime=strptime(Start,tstamp)
| eval _time=stime
| timechart span=1s count(eval(stime<=(_time) AND (_time)<=etime)) as InTimeRange by Rotary_number

The diffulty is that I need to get rid of the indexed log time to use concurrency or timechart. that's why I used

| eval _time=stime.

I actually want to use timechart's abscissa and compare it each second...

I first though it was working but values are not correct, there should be much more concurrent sessions. This may be a dimension confusion between "tables" of data, and variable names that identify a single value in a single line.

Can someone help me with this case?

Thanks by advance

Re: Count the concurrent transactions with a single log entry by transaction

yannK — Tue, 29 Jan 2013 15:33:42 GMT

take a look at this answer http://splunk-base.splunk.com/answers/69213/calculate-concurrency-of-transactions
it contains the last part you need.

Re: Count the concurrent transactions with a single log entry by transaction

ypiolet — Wed, 30 Jan 2013 11:45:15 GMT

Ok great!
Thanks to the mvexpand instruction + transaction + concurrency, I managed to come to the same situation as your initial post when you had holes in you chart. I'll try hard to understand the whole solution you gave, and adapt it to my graph. I'll let you know when it's done.

Thanks a lot!

Re: Count the concurrent transactions with a single log entry by transaction

ypiolet — Mon, 28 Sep 2020 13:12:21 GMT

I get the good values (that's a very good point, thank you yannK) but there are plenty of gaps. I need to fill them, but don't understand how to do it.

I tried:
| bucket _time span=1s
| makecontinuous

This didn't work. Can someone help me? 🙂

Re: Count the concurrent transactions with a single log entry by transaction

yannK — Wed, 30 Jan 2013 15:26:13 GMT

maybe an error in my search, the makecontinuous needs a field, so it should be the time.

by example

| makecontinuous _time span=10m

Re: Count the concurrent transactions with a single log entry by transaction

ypiolet — Thu, 31 Jan 2013 13:54:03 GMT

Well, I already tried this but it didn't work