I'm a beginner with Splunk and have questions about the _time variable. Here is my situation:
2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
I've got a log file with an indexed _time value which I don't care about.
I need to count the number of concurrent sessions per second, with the following constraints:
Endtime fields. Consequently, the transaction keyword seems to be useless.
For testing purposes I managed to convert times to epoch format, and compute the duration:
... | eval tstamp="%T.%3Q %Z %a %b %d %Y" | eval etime=strptime(End,tstamp) | eval stime=strptime(Start,tstamp) | eval duration=etime-stime
Concurrency with my duration appears not to be working because it still uses log time.
I tried to use the keyword endswith=etime without results, and with TransacID as session identifier, but I think it is useless:
| rex field=_raw ".>\s+(?<TransacID>\d+):."
Finally, my complete search:
source="log" %X25-5-CALL_RECORD | rex field=_raw ".>\s+(?<Transacid>\d+):." | eval tstamp="%T.%3Q %Z %a %b %d %Y" | eval etime=strptime(End,tstamp) | eval stime=strptime(Start,tstamp) | eval _time=stime | timechart span=1s count(eval(stime<=(_time) AND (_time)<=etime)) as InTimeRange by Rotary_number
The difficulty is that I need to get rid of the indexed log time to use timechart. That's why I used | eval _time=stime.
I actually want to use timechart's abscissa and compare it each second...
I first thought it was working, but the values are not correct: there should be many more concurrent sessions. This may be a dimension confusion between "tables" of data and variable names that identify a single value in a single line.
Can someone help me with this case?
Thanks in advance.
Well, I still need some more help. Here is the last part of my request:
| eval timeconcat="myStart=".stime." myEnd=".etime
| eval timemv=split(timeconcat," ")
| mvexpand timemv
| rex field=timemv "(?<time>\d+.\d+)"
| transaction TransacID
| concurrency duration=duration
| timechart span=1s max(concurrency) by Rotary_number
I get the right values (that's a very good point, thank you yannK), but there are plenty of gaps. I need to fill them but don't understand how to do it.
| bucket _time span=1s
This didn't work. Can someone help me? 🙂
Thanks to the mvexpand instruction + transaction + concurrency, I managed to come to the same situation as your initial post, when you had holes in your chart. I'll try hard to understand the whole solution you gave and adapt it to my graph. I'll let you know when it's done.
Thanks a lot!
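The calculation the thread is after, done outside Splunk as an added example (not code from the thread or from any answer on it): parse the %X25-5-CALL_RECORD lines with the same time layout as the poster's tstamp format, count the sessions active in every 1-second bucket per Rotary-number, and zero-fill the buckets no session touches so the series has none of the gaps the second post ran into. The first sample line is the one quoted above; the other two are constructed so that sessions overlap.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the thread's own %X25-5-CALL_RECORD line plus two
# invented ones (not from the poster's log) so that sessions overlap.
SAMPLE_LOG = """\
2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:29.100000+00:00 172.21.1.1 local5.notice<173> 16100: GW: Jan 29 09:12:28.500: %X25-5-CALL_RECORD: Start=09:12:24.100 UTC Tue Jan 29 2013, End=09:12:28.500 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:30.500000+00:00 172.21.1.1 local5.notice<173> 16101: GW: Jan 29 09:12:30.200: %X25-5-CALL_RECORD: Start=09:12:30.000 UTC Tue Jan 29 2013, End=09:12:30.200 UTC Tue Jan 29 2013, Rotary-number=2, Clear-cause=0
"""

RECORD_RE = re.compile(
    r"%X25-5-CALL_RECORD: Start=(?P<start>[^,]+), End=(?P<end>[^,]+), "
    r"Rotary-number=(?P<rotary>\d+)"
)
# Python spelling of the thread's tstamp format "%T.%3Q %Z %a %b %d %Y".
TIME_FMT = "%H:%M:%S.%f %Z %a %b %d %Y"

def parse_sessions(log_text):
    """Return a list of (start_epoch, end_epoch, rotary) per call record."""
    sessions = []
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue  # not a call record, skip it
        start = datetime.strptime(m["start"], TIME_FMT).replace(tzinfo=timezone.utc)
        end = datetime.strptime(m["end"], TIME_FMT).replace(tzinfo=timezone.utc)
        sessions.append((start.timestamp(), end.timestamp(), m["rotary"]))
    return sessions

def concurrency_per_second(sessions):
    """Return (first_second, {rotary: counts per 1s bucket}), zero-filled so
    the series has no gaps; a session counts in every bucket it overlaps."""
    if not sessions:
        return 0, {}
    first = int(min(s[0] for s in sessions))
    width = int(max(s[1] for s in sessions)) - first + 1
    series = defaultdict(lambda: [0] * width)
    for start, end, rotary in sessions:
        for bucket in range(int(start), int(end) + 1):  # end bucket included
            series[rotary][bucket - first] += 1
    return first, dict(series)

if __name__ == "__main__":
    first, series = concurrency_per_second(parse_sessions(SAMPLE_LOG))
    for rotary, counts in sorted(series.items()):
        print(f"Rotary-number={rotary} from epoch {first}:", counts)
```

Unlike the timechart in the first search, where eval _time=stime makes stime<=_time true for every event so only the starts per second get counted, this counts a session in every second between its Start and End.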