Splunk Search

How to create a field with a value repeated a number of times when the number of times comes from another field - to get around concurrency limitation

fere
Path Finder

Hi,
I am trying to implement our requirement for "concurrency".

Let's say we want to measure user concurrency every 5 minutes. I need to create transactions that represent user sessions. Then, based on the session duration, if I create a multivalue field having "|xxx|" duration/5 min times, then I can do mvexpand and then I can apply Splunk's Concurrency command to generate the result we are looking for.
E.g. if a transaction has duration 20 minutes, then I want to create a field with value "xxx|xxx|xxx|xxx|" for that trans and convert that to a multivalue, and then do mvexpand. I think I will end up with 4 individual events and I can assign a duration of 5 mins to each and then let the Splunk Concurrency command calculate the counts.
That also requires that it would be possible to adjust the value of _time on the events created by mvexpand, so that there are 4 events each starting within 5 minutes of another one. Is that possible?
Thanks,
Fereshteh

0 Karma

jonuwz
Influencer

I'd take a slightly different approach, and generate 'false' sessions 5 minutes apart and use them as markers to calculate the concurrency.

i.e.

if ... represents a search that populates '_time' and 'duration' used for concurrency

... | append [ 
        search * | head 1 | addinfo 
        | eval info_min_time=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") 
        | eval info_max_time=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S") 
        | map search="| gentimes start=$info_min_time$ end=$info_max_time$ increment=5m 
                      | eval _time=starttime 
                      | eval duration=0 
                      | eval marker=1
                      | fields _time duration marker" ] 
    | concurrency duration=duration start=_time 
    | where marker=1 
    | eval concurrency=concurrency-1
    | table _time concurrency

Everything in the append [] block is just a trick to create a sequence of times that match your search time range.

The important thing is that the generated times have a hardcoded duration=0, marker=1 and a _time that is 5 minutes apart from the last one.

So now you can do your concurrency and filter out only the events that snap to your markers.
(and subtract 1 because you've included the fake session marker)
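To make the two approaches in this thread concrete, here is an added worked example in Python (not part of either post, and not Splunk code) that models both the marker trick from this answer and the mvexpand-style session splitting from the question, over a small constructed set of sessions. Session intervals are treated as half-open, [start, start+duration), which is an assumption of this example; the marker grid is aligned to the earliest session start, standing in for info_min_time.

```python
from datetime import datetime, timedelta

# Constructed sample sessions, not data from the thread: (start, duration in minutes).
SESSIONS = [
    (datetime(2024, 1, 1, 10, 0), 20),   # 10:00 - 10:20
    (datetime(2024, 1, 1, 10, 7), 10),   # 10:07 - 10:17
    (datetime(2024, 1, 1, 10, 18), 5),   # 10:18 - 10:23
    (datetime(2024, 1, 1, 10, 40), 0),   # zero-length session: never covers a marker
]

MARKER_STEP_MIN = 5  # the "every 5 minutes" granularity from the question


def gen_markers(start, end, step_min=MARKER_STEP_MIN):
    """Mirror `gentimes ... increment=5m`: marker instants from start to end inclusive."""
    t = start
    while t <= end:
        yield t
        t += timedelta(minutes=step_min)


def concurrency_at(intervals, instant):
    """Sessions whose span [start, start+duration) contains `instant`.

    Assumption: half-open interval, so a session ending exactly at the marker
    is not counted. A duration=0 marker would only ever count itself, which is
    why the answer subtracts 1; here the marker is not in the list at all.
    """
    return sum(1 for s, d in intervals if s <= instant < s + timedelta(minutes=d))


def marker_concurrency(sessions, step_min=MARKER_STEP_MIN):
    """The answer's approach: evaluate concurrency only at 5-minute marker instants."""
    if not sessions:
        return []
    start = min(s for s, _ in sessions)                                # info_min_time stand-in
    end = max(s + timedelta(minutes=d) for s, d in sessions)           # info_max_time stand-in
    return [(t, concurrency_at(sessions, t)) for t in gen_markers(start, end, step_min)]


def expand_session(start, duration_min, step_min=MARKER_STEP_MIN):
    """The question's approach: split one session into per-slice events.

    Mimics mvexpand plus shifting _time by 5 minutes per slice. A 20-minute
    session yields 4 slices; a 7-minute session yields slices of 5 and 2 minutes,
    so the last slice keeps the remainder rather than rounding it away.
    """
    slices = []
    offset = 0
    while offset < duration_min:
        slice_len = min(step_min, duration_min - offset)
        slices.append((start + timedelta(minutes=offset), slice_len))
        offset += step_min
    return slices


def concurrency_from_expanded(sessions, step_min=MARKER_STEP_MIN):
    """Expand every session into slices, then count slices at the same marker instants."""
    slices = [sl for s, d in sessions for sl in expand_session(s, d, step_min)]
    if not sessions:
        return []
    start = min(s for s, _ in sessions)
    end = max(s + timedelta(minutes=d) for s, d in sessions)
    return [(t, concurrency_at(slices, t)) for t in gen_markers(start, end, step_min)]


if __name__ == "__main__":
    for (t, a), (_, b) in zip(marker_concurrency(SESSIONS), concurrency_from_expanded(SESSIONS)):
        print(t.strftime("%H:%M"), "markers:", a, "expanded:", b)
```

Both routes give the same per-slot counts on this input (1, 1, 2, 2, 1, 0, 0, 0, 0 from 10:00 to 10:40), which is the point of the answer: the marker trick gets there without multiplying the event count by duration/5, so it scales better on long sessions. Whichever route is used in SPL, check how the concurrency command treats a session that ends exactly on a marker boundary, since that inclusivity decides whether a 10:00-10:20 session is counted at 10:20.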
