Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you calculate concurrency by second from start time and duration?

nacartwright
New Member
‎09-20-2018 01:52 PM

Newbie here...I have an index of data that represents calls. Each event has a start_time and duration. I've been asked to take all of these events and to calculate how many concurrent calls there are per second. It was suggested that I use Python and split the calls into different rows of a DB but that sounds tedious.

Is there a way to take each events data with start time and duration and chunk it up into seconds like this...?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

datasearchninja
Communicator
‎09-20-2018 08:44 PM

See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Concurrency

Assuming that the starttime is in field '_time', and the duration is in the field duration, to get the number of concurrent calls at that event, then bucket _time per second to find the maximum concurrency per second:

index=data ...
| concurrency start=_time duration=duration
| bin _time span=1s
| stats max(concurrency) as concurrency by _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

datasearchninja
Communicator
‎09-20-2018 08:44 PM

See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Concurrency

Assuming that the starttime is in field '_time', and the duration is in the field duration, to get the number of concurrent calls at that event, then bucket _time per second to find the maximum concurrency per second:

index=data ...
| concurrency start=_time duration=duration
| bin _time span=1s
| stats max(concurrency) as concurrency by _time
0 Karma
Reply
Solved! Jump to solution

nacartwright
New Member
‎09-21-2018 01:57 AM

We're after the number of active calls at any given time. So, if at 12:03:01 there are 5 active calls and at 12:03:02 one ends we need it to show 4 calls. Will this get us there?

0 Karma
Reply
Solved! Jump to solution

nacartwright
New Member
‎09-24-2018 01:29 PM

Perfect! Ran through Power BI too (took WAAAY longer) and got the same numbers. Thanks!

0 Karma
Reply
Solved! Jump to solution

datasearchninja
Communicator
‎09-23-2018 04:33 PM

yes, this would show that.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-20-2018 07:14 PM

@nacartwright,

You shall use Concurrency command. It has the option for duration in secs

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...