How to create a field with a value repeated a number of times when the number of time comes from another field - to get around concurrency limitation

I am trying to implement our requirement for "concurrency".

Let's say we want to measure user concurrency every 5 minutes. I need to create transactions that represent user sessions. Then, based on the session duration, if I create a multivalue field having "|xxx|" duration/5 min times, I can do mvexpand and then apply Splunk's concurrency command to generate the result we are looking for.
E.g., if a transaction has a duration of 20 minutes, then I want to create a field with the value "xxx|xxx|xxx|xxx|" for that transaction, convert that to a multivalue field, and then do mvexpand. I think I will end up with 4 individual events, and I can assign a duration of 5 minutes to each and then let Splunk's concurrency command calculate the counts.
That also requires that it be possible to adjust the value of _time on the events created by mvexpand, so that there are 4 events each starting within 5 minutes of another one. Is that possible?

I'd take a slightly different approach, and generate 'false' sessions 5 minutes apart and use them as markers to calculate the concurrency.


If ... represents a search that populates '_time' and 'duration' used for concurrency:

... | append [ 
        search * | head 1 | addinfo 
        | eval info_min_time=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") 
        | eval info_max_time=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S") 
        | map search="| gentimes start=$info_min_time$ end=$info_max_time$ increment=5m 
                      | eval _time=starttime 
                      | eval duration=0 
                      | eval marker=1
                      | fields _time duration marker" ] 
    | concurrency duration=duration start=_time 
    | where marker=1 
    | eval concurrency=concurrency-1
    | table _time concurrency

Everything in the append [] block is just a trick to create a sequence of times that matches your search time range.

The important thing is that the generated times have a hardcoded duration=0, marker=1, and a _time that is 5 minutes apart from the last one.

So now you can do your concurrency and filter out only the events that snap to your markers.
(and subtract 1 because you've included the fake session marker)
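To make it easier to sanity-check what the marker query returns, here is an added reference model in Python; it is not part of the original answer and not Splunk code. It assumes constructed sample sessions (not real data), a half-open overlap convention (a session alive on [start, start+duration)), and a marker range from the earliest session start to the latest session end rather than the search window that info_min_time/info_max_time give the gentimes subsearch. concurrency_at_markers reproduces `concurrency - 1` on the marker rows; peak_concurrency is an exact sweep added to show the caveat of this approach, namely that a 5-minute sampling grid can miss a short peak that falls between two markers.

```python
"""Reference model of the marker-based concurrency query above (added example).

Two ways to read the concurrency of user sessions:
  * concurrency_at_markers: what the `gentimes ... | concurrency | where marker=1`
    query returns, i.e. the number of sessions alive at each 5-minute marker.
  * peak_concurrency: an exact sweep over session starts and ends, used here to
    show what 5-minute sampling can miss.
"""
from datetime import datetime, timezone

SLOT = 300  # increment=5m, in seconds

# Constructed sample sessions: (start epoch, duration in seconds). Not real data.
BASE = int(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc).timestamp())
SESSIONS = [
    (BASE + 0,    20 * 60),  # 09:00 - 09:20
    (BASE + 120,  10 * 60),  # 09:02 - 09:12
    (BASE + 480,  1 * 60),   # 09:08 - 09:09, sits between two markers
    (BASE + 1500, 0),        # 09:25, zero-length (single-event) session
    (BASE + 1800, 25 * 60),  # 09:30 - 09:55
]


def marker_times(sessions, slot=SLOT):
    """Stand-in for the gentimes subsearch: one marker every `slot` seconds.
    Assumption: the range runs from the earliest start to the latest end of the
    sessions; in the SPL it is the search window (info_min_time/info_max_time)."""
    first = min(s for s, _ in sessions)
    last = max(s + d for s, d in sessions)
    return list(range(first, last + 1, slot))


def concurrency_at_markers(sessions, slot=SLOT):
    """Sessions alive at each marker, i.e. `concurrency - 1` on the marker rows.
    Assumption: a session covers the half-open interval [start, start+duration),
    so a session ending exactly on a marker is not counted there and a
    zero-length session never is; check that edge against your SPL output."""
    return {
        t: sum(1 for s, d in sessions if s <= t < s + d)
        for t in marker_times(sessions, slot)
    }


def peak_concurrency(sessions):
    """Exact peak via a sweep line: +1 at each start, -1 at each end.
    Returns (peak, epoch of the first moment the peak is reached).
    Ends sort before starts at equal timestamps, matching the half-open
    convention above; zero-length sessions contribute nothing."""
    events = []
    for s, d in sessions:
        if d > 0:
            events.append((s, +1))
            events.append((s + d, -1))
    events.sort()  # (time, delta): -1 sorts before +1 at the same time
    peak, when, live = 0, None, 0
    for t, delta in events:
        live += delta
        if live > peak:
            peak, when = live, t
    return peak, when


def hhmm(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%H:%M")


if __name__ == "__main__":
    # Same shape as `table _time concurrency` in the answer.
    for t, n in concurrency_at_markers(SESSIONS).items():
        print(f"{hhmm(t)}  {n}")
    peak, when = peak_concurrency(SESSIONS)
    print(f"sampled peak: {max(concurrency_at_markers(SESSIONS).values())}, "
          f"exact peak: {peak} at {hhmm(when)}")
```

With these sessions the markers report at most 2 concurrent sessions, while the exact sweep finds 3 at 09:08, because the one-minute session never overlaps a marker. If peaks matter for your requirement, shrink the gentimes increment or compute the exact value from session starts and ends instead of sampling.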
