How to find concurrent run of processes?

ppatkar · ‎06-10-2020

Hi ,

I would like to check if there are multiple instances of a job/process running .

Ex: My Splunk search :

index=abc <jobname> |  stats earliest(_time) AS earliest_time, latest(_time) AS latest_time count by  source | convert ctime(earliest_time), ctime(latest_time) | sort - count

Returns :

source   earliest_time       latest_time          count
logA     06/06/2020 15:24:09 06/06/2020 15:24:59      1
logB     06/06/2020 15:24:24 06/06/2020 15:25:12      2

In the above since logB indicates job run before logA completion time, it is an indication of the concurrent run of the process. I would like to generate a list of all such jobs if it is possible, any help is appreciated.

Thank you.

bowesmana · ‎06-15-2020

You can use autoregress.

index=abc <jobname> 
| stats earliest(_time) AS begin, latest(_time) AS end count by source 
| sort 0 begin
| autoregress end as prev_end p=1
| where begin<prev_end
| convert ctime(begin), ctime(end)
| sort - count

If that doesn't give you what you want, then consider using streamstats to calculate the window

I am not sure of the relevance of count in your scenario.

Hope this helps.

How to find concurrent run of processes?

other

transaction

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?