Splunk Search

How to create a field with a value repeated a number of times when the number of time comes from another field - to get around concurrency limitation

fere
Path Finder

Hi,
I am trying to implement our requirement for "concurrency".

Let's say we want to measure user concurrency every 5 minutes. I need to create transactions that represent user sessions. Then based on the session duration, if I create a multivalue field having "|xxx|" duration/5 min times, then I can do mvexpand and then I can apply Splunk's Concurrency command to generate the result we are looking for.
ex. if a transaction has duration 20 minutes, then I want to create a field with value "xxx|xxx|xxx|xxx|" for that trans and convert that to a multivalue, and then do mvexpand. I think I will end up with 4 individual events and I can assign duration of 5 mins to each and then let the Splunk Concurrency command calculate the counts.
That also requires that it would be possible to adjust the value of the _time on the events created by mvexpand, so that there are 4 events each starting within 5 minutes of another one. Is that possible?
Thanks,
Fereshteh

0 Karma

jonuwz
Influencer

I'd take a slightly different approach, and generate 'false' sessions 5 minutes apart and use them as markers to calculate the concurrency.

i.e.

if ... represents a search that populates '_time' and 'duration' used for concurrency

... | append [ 
        search * | head 1 | addinfo 
        | eval info_min_time=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") 
        | eval info_max_time=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S") 
        | map search="| gentimes start=$info_min_time$ end=$info_max_time$ increment=5m 
                      | eval _time=starttime 
                      | eval duration=0 
                      | eval marker=1
                      | fields _time duration marker" ] 
    | concurrency duration=duration start=_time 
    | where marker=1 
    | eval concurrency=concurrency-1
    | table _time concurrency

Everything in the append [] block is just a trick to create a sequence of times that match your search time range.

The important thing is that the generated times have a hardcoded duration=0, marker=1 and a _time that is 5 minutes apart from the last one.

So now you can do your concurrency and filter out only the events that snap to your markers.
(And subtract 1 because you've included the fake session marker.)
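To check the marker trick outside Splunk, here is an added Python emulation of the answer's pipeline (not code from the poster): constructed sessions play the role of the transactions, gentimes() produces the 5-minute markers, and concurrency() assumes Splunk's semantics of counting every event, itself included, whose [start, start+duration) span covers the event's start.

```python
from datetime import datetime, timedelta

# Constructed sample sessions (not real data): (start time, duration in seconds).
SESSIONS = [
    (datetime(2024, 1, 1, 10, 0), 20 * 60),   # 10:00 - 10:20
    (datetime(2024, 1, 1, 10, 3), 10 * 60),   # 10:03 - 10:13
    (datetime(2024, 1, 1, 10, 12), 4 * 60),   # 10:12 - 10:16
    (datetime(2024, 1, 1, 10, 30), 2 * 60),   # 10:30 - 10:32
]

def gentimes(start, end, increment):
    """Stand-in for 'gentimes start=... end=... increment=5m': marker timestamps."""
    t = start
    while t < end:
        yield t
        t += increment

def concurrency(events):
    """Stand-in for 'concurrency duration=duration start=_time'. Assumed
    semantics: for each event, count every event (itself included) whose
    [start, start + duration) span covers this event's start time."""
    result = []
    for i, (start, _dur, marker) in enumerate(events):
        n = 0
        for j, (s, d, _m) in enumerate(events):
            if j == i or s <= start < s + timedelta(seconds=d):
                n += 1
        result.append((start, marker, n))
    return result

def marker_concurrency(sessions, start, end, step=timedelta(minutes=5)):
    """The answer's pipeline: append duration=0 / marker=1 events every
    'step', run concurrency, keep only markers, subtract 1 for the marker itself."""
    events = [(s, d, 0) for s, d in sessions]
    events += [(t, 0, 1) for t in gentimes(start, end, step)]
    return [(t, n - 1) for t, marker, n in concurrency(events) if marker == 1]

def demo_counts():
    """Concurrency at each 5-minute marker between 10:00 and 10:35 for SESSIONS."""
    rows = marker_concurrency(SESSIONS, datetime(2024, 1, 1, 10, 0),
                              datetime(2024, 1, 1, 10, 35))
    return [n for _, n in rows]   # -> [1, 2, 2, 2, 0, 0, 1]

if __name__ == "__main__":
    for t, n in marker_concurrency(SESSIONS, datetime(2024, 1, 1, 10, 0),
                                   datetime(2024, 1, 1, 10, 35)):
        print(t.strftime("%H:%M"), n)
```

Note that a session ending exactly on a marker (10:20 above) is not counted at that marker, since the span is treated as half-open; if your real search should count it, change the comparison in concurrency() accordingly.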
