Splunk Search

Concurrent calls per minute

danielsuter
Engager

I'm trying to calculate the amount of concurrent calls per minute or another time span (e.g. 5 minutes, ...). I'm using the concurrency function to achieve that. There's one problem though: The function only considers events to calculate the amount of concurrent calls but I would like to sample every minute.

My json records contain a _time and a call_duration. My current query looks as follows

index=myIndex source=test11 | fields + call_duration | fields - _raw | concurrency duration=call_duration | timechart max(concurrency) as "Simultaneous calls" span=1m

The data is as follows:
alt text

The resulting chart:

alt text

The concurrent calls from 7:10:00 to 7:11:00 would be 1 but are shown as 2, because no event occurs during that time. I can't add fake events because then there would be 1 call at that time. So is there a possibility to sample every minute with the concurrency call?
The same effect happens from 7:20 to 7:30. There is only 1 call at that time but the graph shows 2, because of the surrounding data points.

0 Karma
1 Solution

grundsch
Communicator

another solution is to directly use the makecontinuous, and tweak the concurrency calculation to correct the added events:

| makecontinuous _time span=1m |fillnull call_duration | concurrency duration=call_duration | eval concurrency=if(call_duration=0,concurrency-1,concurrency) |fields _time concurrency

This works well, but the chart ends a the beginning of the last call. Depending on your use case, this may be a problem or not.

View solution in original post

grundsch
Communicator

another solution is to directly use the makecontinuous, and tweak the concurrency calculation to correct the added events:

| makecontinuous _time span=1m |fillnull call_duration | concurrency duration=call_duration | eval concurrency=if(call_duration=0,concurrency-1,concurrency) |fields _time concurrency

This works well, but the chart ends a the beginning of the last call. Depending on your use case, this may be a problem or not.

grundsch
Communicator

One solution is to re-implement yourself a concurrency calculation. It involves creating an event when the call starts, and another when the call ends. Give the start a value of +1 and the end -1, and Streamstats will allow you to keep a running count of calls. Finally, with makecontinuous, you can fill the time stamps between "events" to get a visualisation of the actual concurrent calls.

|eval end_time=_time+call_duration| eval time=mvappend(_time,end_time) | mvexpand time | sort 0 time |eval start_stop=if(end_time=time,-1,1)|makecontinuous time span=1m|streamstats sum(start_stop) as concurent | eval _time=time | fields _time concurent

alt text

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...