Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

count of events between multiple timestamps in a single event

sethrife
New Member
‎04-02-2013 07:24 PM

As an example, suppose I'm trying to count the number of concurrent HTTP sessions. Events look something like the following:

Event 1: start=[02/05/2013 13:18] end=[02/05/2013 14:20]

Event 2: start=[02/05/2013 13:58] end=[02/05/2013 15:50]

Event 3: start=[02/05/2013 13:50] end=[02/05/2013 14:02]

What I'm trying to do is count the number of concurrent sessions over some range of time, say 24 hours. So in the above example, I'm trying to get the following:

DateActive Session Count
02/05/2013 13:301
02/05/2013 14:003
02/05/2013 14:301

Is something like this possible?

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-02-2013 11:33 PM

Yes. You need to calculate a duration (eval duration=strptime(end)-_time, if start is the timestamp of the event), and you can then use the concurrency search command.

Alternatively, you can create separate events for start and end, and simply count the number of start events and number ofend events since the beginning of your time range, and take the difference to get the concurrency.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...