Splunk Enterprise

How to chart concurrent events

tsushi
Explorer

Hi,

I have events with start_time, end_time and duration in seconds. These are video calls. I'd like to make a chart to see how many calls are active at any time.

I can do a simple host="Pexip Participant History" local_alias="domain.com*" | timechart count span=5m
But, it's not quite what I need since I only see when the calls were initiated with this.

How can I do this ?

Tags (1)
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@tsushi,

try using the concurrency command

host="Pexip Participant History" local_alias="domain.com*"|concurrency duration=duration start=start_time

Reference : https://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Concurrency

0 Karma

tsushi
Explorer

Hi Renjith,

Thanks !

I tried this before making a post, but my search results returned exactly the same.
I scrutinized it now and found a tiny warning triangle on the search page, lol.

Used _time instead and now it works.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@tsushi - please accept the answer if your issue is solved. If this answer was not the solution that worked, please write up and post the solution that did, and accept it.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.