Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

count of events between multiple timestamps in a single event

sethrife
New Member
‎04-02-2013 07:24 PM

As an example, suppose I'm trying to count the number of concurrent HTTP sessions. Events look something like the following:

Event 1: start=[02/05/2013 13:18] end=[02/05/2013 14:20]

Event 2: start=[02/05/2013 13:58] end=[02/05/2013 15:50]

Event 3: start=[02/05/2013 13:50] end=[02/05/2013 14:02]

What I'm trying to do is count the number of concurrent sessions over some range of time, say 24 hours. So in the above example, I'm trying to get the following:

DateActive Session Count
02/05/2013 13:301
02/05/2013 14:003
02/05/2013 14:301

Is something like this possible?

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-02-2013 11:33 PM

Yes. You need to calculate a duration (eval duration=strptime(end)-_time, if start is the timestamp of the event), and you can then use the concurrency search command.

Alternatively, you can create separate events for start and end, and simply count the number of start events and number ofend events since the beginning of your time range, and take the difference to get the concurrency.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...