Count the concurrent transactions with a single log entry by transaction

Explorer

Question

Hey there,

I'm a beginner with Splunk and have questions about timechart and the _time variable. Here is my situation:

2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0

I've got a log file with an indexed _time value which I don't care about.
I need to count the number of concurrent sessions per second, with the following constraints:

  • There is a single entry in my log per session, containing Start time and End time fields. Consequently, the transaction keyword seems to be useless.
  • The timechart must be drawn per rotary number.
  • I must not use the log entry index time, which is NOT correct, and use the Start/End fields instead.

My tests


For testing purposes I managed to convert times to epoch format, and compute the duration:

... 
| eval tstamp="%T.%3Q %Z %a %b %d %Y"
| eval etime=strptime(End,tstamp)
| eval stime=strptime(Start,tstamp)
| eval duration=etime-stime

Concurrency with my duration appears not to be working because it still uses log time.

I tried to use the keyword transaction with startswith=stime endswith=etime without results, and with TransacID as session identifier, but I think it is useless:

...
| rex field=_raw ".>\s+(?<TransacID>\d+):."

Finally, my complete search:

source="log" %X25-5-CALL_RECORD 
| rex field=_raw ".>\s+(?<Transacid>\d+):."
| eval tstamp="%T.%3Q %Z %a %b %d %Y"
| eval etime=strptime(End,tstamp)
| eval stime=strptime(Start,tstamp)
| eval _time=stime
| timechart span=1s count(eval(stime<=(_time) AND (_time)<=etime)) as InTimeRange by Rotary_number

The difficulty is that I need to get rid of the indexed log time to use concurrency or timechart. That's why I used

| eval _time=stime.

I actually want to use timechart's abscissa and compare it each second...

I first thought it was working, but the values are not correct: there should be many more concurrent sessions. This may be a dimension confusion between "tables" of data and variable names that identify a single value in a single line.

Can someone help me with this case?

Thanks in advance

Splunk Employee

Take a look at this answer: http://splunk-base.splunk.com/answers/69213/calculate-concurrency-of-transactions
It contains the last part you need.

Explorer

Well, I already tried this but it didn't work.

Splunk Employee

Maybe an error in my search: makecontinuous needs a field, so it should be the time.

For example:

| makecontinuous _time span=10m


Explorer

Well, I still need some more help. Here is the last part of my request:
...
| eval timeconcat="myStart=".stime." myEnd=".etime
| eval timemv=split(timeconcat," ")
| mvexpand timemv
| rex field=timemv "(?<time>\d+\.\d+)"
| transaction TransacID
| concurrency duration=duration
| timechart span=1s max(concurrency) by Rotary_number

I get the right values (that's a very good point, thank you yannK) but there are plenty of gaps. I need to fill them, but I don't understand how to do it.

I tried:
| bucket _time span=1s
| makecontinuous

This didn't work. Can someone help me? 🙂

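To make the computation the thread is circling around explicit, here is an added example (not Splunk SPL and not code from any poster): it parses CALL_RECORD lines like the one in the question, takes the Start/End fields instead of the indexed time, counts per rotary number how many sessions overlap each one-second bucket, and emits a continuous timeline so the gaps are filled with zeros. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the %X25-5-CALL_RECORD shape shown in the question (not real traffic).
SAMPLE_LOG = """\
2013-01-29T09:12:27.010175+00:00 172.21.1.1 local5.notice<173> 16099: GW: Jan 29 09:12:26.963: %X25-5-CALL_RECORD: Start=09:12:25.887 UTC Tue Jan 29 2013, End=09:12:26.963 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:30.000000+00:00 172.21.1.1 local5.notice<173> 16100: GW: Jan 29 09:12:29.500: %X25-5-CALL_RECORD: Start=09:12:26.100 UTC Tue Jan 29 2013, End=09:12:29.500 UTC Tue Jan 29 2013, Rotary-number=1, Clear-cause=0
2013-01-29T09:12:40.000000+00:00 172.21.1.1 local5.notice<173> 16101: GW: Jan 29 09:12:39.000: %X25-5-CALL_RECORD: Start=09:12:35.000 UTC Tue Jan 29 2013, End=09:12:39.000 UTC Tue Jan 29 2013, Rotary-number=2, Clear-cause=0
"""

RECORD_RE = re.compile(r"Start=(?P<start>[^,]+), End=(?P<end>[^,]+), Rotary-number=(?P<rotary>\d+)")
# Same layout as the question's "%T.%3Q %Z %a %b %d %Y", written with Python strptime directives.
TIME_FMT = "%H:%M:%S.%f %Z %a %b %d %Y"

def parse_time(text):
    """'09:12:25.887 UTC Tue Jan 29 2013' -> epoch seconds as a float (the 'stime'/'etime' of the question)."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc).timestamp()

def parse_records(log_text):
    """Return (rotary, start_epoch, end_epoch) for every CALL_RECORD line; other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            records.append((int(m["rotary"]), parse_time(m["start"]), parse_time(m["end"])))
    return records

def concurrency_per_second(records):
    """Per rotary number: number of sessions overlapping each one-second bucket, on a
    continuous timeline shared by all rotaries (like timechart + makecontinuous, gaps filled with 0)."""
    if not records:
        return {}
    deltas = defaultdict(lambda: defaultdict(int))
    for rotary, start, end in records:
        deltas[rotary][int(start)] += 1      # session enters its first one-second bucket
        deltas[rotary][int(end) + 1] -= 1    # and leaves after the last bucket it touches
    first = min(int(s) for _, s, _ in records)
    last = max(int(e) for _, _, e in records)
    series = {}
    for rotary, d in deltas.items():
        running, row = 0, []
        for sec in range(first, last + 1):  # every second, so nothing is skipped
            running += d.get(sec, 0)
            row.append((sec, running))
        series[rotary] = row
    return series

def format_second(sec):
    return datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    for rotary, row in sorted(concurrency_per_second(parse_records(SAMPLE_LOG)).items()):
        for sec, n in row:
            print(format_second(sec), "Rotary_number=%d" % rotary, n)
```

Because the sweep runs over every second between the earliest Start and the latest End, each rotary's series has the same length and no holes, which is the shape the timechart needs.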

Explorer

Ok great!
Thanks to the mvexpand instruction + transaction + concurrency, I managed to come to the same situation as your initial post when you had holes in your chart. I'll try hard to understand the whole solution you gave and adapt it to my graph. I'll let you know when it's done.

Thanks a lot!
