Hi all,
I have the following type of data with session information:
starttime=1477419810 endtime=1477419818 count=5 user=abc
starttime=1477419811 endtime=1477419819 count=3 user=def
starttime=1477419813 endtime=1477419818 count=4 user=def
starttime=1477419814 endtime=1477419818 count=2 user=abc
The count field is the actual amount of "sessions started" by the user at "starttime" which ended at "endtime".
Now if I want to calculate the concurrency of each event I can naturally calculate the duration and perform the concurrency command. However the value of "count"
... | eval duration=endtime-starttime | concurrency duration=duration
However I want to sum the value of count as concurrency using the start and end times as the window. So instead of seeing a concurrency of 4 between starttime=1477419814 and endtime=1477419818 I should see 14.
Any help would be appreciated.
Try like this (run anywhere sample, replace first 4 lines with your base search)
| gentimes start=-1 | eval starttime=1477419810 | eval endtime=1477419818 | eval count=5 | eval user="abc" | append[
| gentimes start=-1 | eval starttime=1477419811| eval endtime=1477419819 | eval count=3 | eval user="def" ]| append[
| gentimes start=-1 | eval starttime=1477419813 | eval endtime=1477419818 | eval count=4 | eval user="def" ]| append[
| gentimes start=-1 | eval starttime=1477419814 | eval endtime=1477419818 | eval count=2 | eval user="abc" ] | fields - *human
| eval temp=mvrange(starttime, endtime+1) | mvexpand temp | rename temp as _time | bucket span=1s _time | stats sum(count) as newcount by _time
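An offline check of the result the search above should produce, as an added example that is not part of the original answer: it computes the same per-second sum of count with endtime inclusive, but tracks +count/-count changes at session boundaries instead of expanding each event into one row per second. The function names are hypothetical and the input is the four sample events from the question.

```python
import re
from collections import defaultdict

# Constructed sample input: the four events from the question.
SAMPLE = """\
starttime=1477419810 endtime=1477419818 count=5 user=abc
starttime=1477419811 endtime=1477419819 count=3 user=def
starttime=1477419813 endtime=1477419818 count=4 user=def
starttime=1477419814 endtime=1477419818 count=2 user=abc
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """Yield (start, end, count) per line; skip malformed lines."""
    for line in text.splitlines():
        f = dict(KV.findall(line))
        try:
            start, end, count = (int(f[k]) for k in ("starttime", "endtime", "count"))
        except (KeyError, ValueError):
            continue  # missing field or non-numeric value
        if end >= start and count > 0:
            yield start, end, count

def weighted_concurrency(events):
    """Return {second: summed count}, with endtime inclusive as in
    mvrange(starttime, endtime+1)."""
    delta = defaultdict(int)
    for start, end, count in events:
        delta[start] += count      # sessions open at starttime
        delta[end + 1] -= count    # and are gone the second after endtime
    series, running = {}, 0
    times = sorted(delta)
    for t, nxt in zip(times, times[1:]):
        running += delta[t]
        if running:                # the search emits no rows for idle gaps
            for sec in range(t, nxt):
                series[sec] = running
    return series

def peak(series):
    """Return (earliest second of the maximum, maximum), or None if empty."""
    if not series:
        return None
    return max(series.items(), key=lambda kv: (kv[1], -kv[0]))

if __name__ == "__main__":
    result = weighted_concurrency(parse(SAMPLE))
    for sec in sorted(result):
        print(sec, result[sec])
    print("peak:", peak(result))
```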