How to get concurrent transactions for multiple hosts?

Explorer

Hello,

I'm having trouble getting concurrent events by host.

I can get concurrent key transactions for a single host, and it appears accurate:
* sourcetype="*iis" Target_Type="key" host="na5" | concurrency duration=TimeTaken | timechart span=1h count(concurrency)

But when I try to get this for all hosts (Grouped by host), it’s comparing the data on all instances, artificially inflating number of concurrent transactions per host:
* sourcetype="*iis" Target_Type="key" | concurrency duration=TimeTaken | timechart span=1h count(concurrency) by host

Any ideas?

0 Karma

Influencer

Concurrency doesn't have a by clause. You may have to try something like this:
http://answers.splunk.com/answers/7269/how-to-calculate-concurrent-transactions-grouped-with-a-parti...

Explorer

Thanks. Hope we can get concurrency by clause soon. This seems like a very common use case. For now, we are going to use a dashboard with host selection in a dropdown.

I tried to get the query in strive's link above working. Unfortunately it doesn't work for our data. A lot of assumptions go into how your Splunk data is set up (start / stop / other transactions) to make this work:
sourcetype="*traceappender" | eval counter = if(searchmatch("Module.Begin"),1,-1) | sort 0 + _time | streamstats sum(counter) as concurrency by host | timechart span=1h count(concurrency) by host

0 Karma
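
Added example (not part of the original thread and not taken from the linked answer): one way to apply the +1/-1 counter idea above to events that carry only a start time and a duration, as in the IIS search from the question. It assumes `_time` is the start of the request and `TimeTaken` is in seconds, the same assumptions `concurrency duration=TimeTaken` makes; `edge` and `delta` are hypothetical field names. Each event is split into a start marker and an end marker, the markers are summed per host, and only the start markers are kept, so each request reports how many requests were open on its own host when it began. The chart shows the hourly peak rather than a count of events.

```spl
sourcetype="*iis" Target_Type="key"
| eval edge=mvappend("start","end")
| mvexpand edge
| eval delta=if(edge="start",1,-1), _time=if(edge="start",_time,_time+TimeTaken)
| sort 0 host _time delta
| streamstats sum(delta) as concurrency by host
| where edge="start"
| timechart span=1h max(concurrency) by host
```

Sorting on `delta` last places an end marker before a start marker with the same timestamp, so back-to-back requests are not counted as overlapping. `mvexpand` doubles the number of events in the pipeline, so keep the search time range narrow on busy hosts.
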

Explorer

I agree ... I repeatedly have had to use a kludge to get concurrency ... by ...

0 Karma