What is the best way to show sparse concurrent transaction counts?

New Member

I'm trying to report on concurrent SSL VPN sessions over time on an F5 APM device. I've defined the fields and the transaction I need. These are long lived sessions where hours can go by without the creation of new transactions.

apd OR tmm | transaction name=apm_session | concurrency duration=duration | timechart count(concurrency) by apm_client_platform

This seems to show me what I'm after but doesn't show any concurrency late at night when sessions aren't doing anything but ending. Is there any way to get a more accurate concurrency count?


Tags (1)
0 Karma

Splunk Employee
Splunk Employee

If you have a seperate event for session start and session end, you can do the following. Assuming that you extract a field 'type' that can take on either "START" or "STOP".

apd OR tmm | eval count = if(type="START",1,-1) | sort + _time | accum count as concurrency | timechart max(concurrency)

Splunk Employee
Splunk Employee

I can't see how you have defined the transaction "apm_transaction", so I will assume that the above search will produce results wherein the start time of the transaction is a log in event.

If that is the case, then the above search will show you how many events occurred simultaneously with a log in event on your SSL VPN, as the "count(concurrency)" will just show you how many times, for example, "concurrency=1" occurred in an event.

Forgive me if I am being dense - perhaps I just need a bit more information.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!