How to get concurrent transactions for multiple hosts?



I'm having trouble getting concurrent events by host.

I can get concurrent key transactions for a single host, and it appears accurate:
* sourcetype="*iis" Target_Type="key" host="na5" | concurrency duration=TimeTaken | timechart span=1h count(concurrency)

But when I try to get this for all hosts (grouped by host), it’s comparing the data on all instances, artificially inflating the number of concurrent transactions per host:
* sourcetype="*iis" Target_Type="key" | concurrency duration=TimeTaken | timechart span=1h count(concurrency) by host

Any ideas?

0 Karma


Concurrency doesn't have a by clause. You may have to try something like this


Thanks. Hope we can get concurrency by clause soon. This seems like a very common use case. For now, we are going to use a dashboard with host selection in a dropdown.

I tried to get the query in strive's link above working. Unfortunately it doesn't work for our data. A lot of assumptions go into how your Splunk data is set up (start / stop / other transactions) to make this work:
sourcetype="*traceappender" | eval counter = if(searchmatch("Module.Begin"),1,-1) | sort 0 + _time | streamstats sum(counter) as concurrency by host | timechart span=1h count(concurrency) by host

0 Karma


I agree ... I repeatedly have had to use a kludge to get concurrency ... by ...

0 Karma
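
An added example, not part of any post in this thread: a per-host variant of the streamstats approach for data that carries a start time and a duration instead of separate begin/end events. It splits each event into a +1 marker at its start and a -1 marker at its end, then keeps a running sum per host. It assumes `_time` is the request start and `TimeTaken` is in seconds, as the `concurrency duration=TimeTaken` search in the question does, and it charts `max(concurrency)` to show the hourly peak per host.

```spl
sourcetype="*iis" Target_Type="key"
| eval delta=mvappend("1", "-1")
| mvexpand delta
| eval _time=if(delta="1", _time, _time + TimeTaken)
| eval delta=tonumber(delta)
| sort 0 _time delta
| streamstats sum(delta) as concurrency by host
| timechart span=1h max(concurrency) by host
```

The secondary sort on `delta` processes an end marker before a start marker that shares the same timestamp, so back-to-back requests are not counted as overlapping.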