(Love this forum. Didn't even know about the concurrency command before this morning. 🙂
My search:
SYSCODE=ezLMWeb* | transaction EZ_GUID maxspan=60 | concurrency duration=duration
All seems well. But how does splunk count concurrent events? My confustion started when I noticed in my results there are 2 events that had concurrency of 18. Shouldn't the number of concurrent events be at least 18? What's the logic behind only 2 events that ran alongside 16 other events at the same time? I'm sure I'm missing something fairly simple. 😕
Thanks, Jon
(Doh! No 'concurrency' tag yet.)
Yes, concurrency isn't the number of events that occurred during any overlap, but rather the number of events that occurred simultaneously at the start time of the event.
Yes, concurrency isn't the number of events that occurred during any overlap, but rather the number of events that occurred simultaneously at the start time of the event.
It appears to tally concurrent event counts as it runs through them. I zoomed in on the 18 count spike, and I see events with counts 1-18, in order of time started.
There is now. (I added the "concurrency" tag for you. Once you get a certain number of reputation points you are allowed to create new tags.)