Splunk Search

How to create a field with a value repeated a number of times when the number of time comes from another field - to get around concurrency limitation

Path Finder

Hi,
I am trying to implement our requirement for "concurrency".

Lets say we want to measure user concurrency every 5 minutes. I need to create transactions that represent user sessions. Then based on the session duration, if I create a multivalue field having "|xxx|" duration/5 min times, then I can do mvexpand and then I can apply the Splunk's Concurrency command to generate the result we are looking for.
ex. if a transaction has duration 20 minutes, then I want to create a field with value "xxx|xxx|xxx|xxx|" for that trans and convert that to a multivalue , and then do mvexpand. I think I will end up with 4 individual events and I can assign duration of 5 mins to each and then let the Splunk Concurrency command calculate the counts.
That also requires that it would be possible to adjust the value of the _time on the events created by mvexpand, so that there are 4 events each starting within 5 minustes of another one. Is that possible?
Thanks,
Fereshteh

0 Karma

Influencer

I'd take a slightly different approach, and generate 'false' sessions 5 minutes apart and use them as markers to calculate the concurrency.

i.e.

if ... represents a search that populates '_time' and 'duration' used for concurrency

... | append [ 
        search * | head 1 | addinfo 
        | eval info_min_time=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") 
        | eval info_max_time=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S") 
        | map search="| gentimes start=$info_min_time$ end=$info_max_time$ increment=5m 
                      | eval _time=starttime 
                      | eval duration=0 
                      | eval marker=1
                      | fields _time duration marker" ] 
    | concurrency duration=duration start=_time 
    | where marker=1 
    | eval concurrency=concurrency-1
    | table _time concurrency

everything in the append [] block is just a trick to create a sequence of times that match your search time range

the important thing is that the generated times have a hardcoded duration=0, marker=1 and a _time that is 5 minutes apart from the last one

So now you can do your concurrency and filter out only the events that snap to your markers.
(and subtract 1 because you've included the fake session marker)

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!