Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get concurrent transactions for multiple hosts?

drmed
Explorer
‎08-18-2014 03:04 PM

Hello,

I'm having trouble getting concurrent events by host.

I can get concurrent key transactions for a single host, and it appears accurate:
* sourcetype="*iis" Target_Type="key" host="na5" | concurrency duration=TimeTaken | timechart span=1h count(concurrency)

But when I try to get this for all hosts (Grouped by host), it’s comparing the data on all instances, artificially inflating number of concurrent transactions per host:
* sourcetype="*iis" Target_Type="key" | concurrency duration=TimeTaken | timechart span=1h count(concurrency) by host

Any ideas?

Tags (1)
0 Karma
Reply

manus
Communicator
‎10-10-2014 04:23 AM

This post has the best reply IMO
http://answers.splunk.com/answers/153299/bulletproof-approach-for-charting-concurrency-with-split-by...

0 Karma
Reply

strive
Influencer
‎08-18-2014 03:24 PM

Concurrency doesn't have by clause. You may have to try something like this
http://answers.splunk.com/answers/7269/how-to-calculate-concurrent-transactions-grouped-with-a-parti...

Reply

drmed
Explorer
‎08-18-2014 04:17 PM

Thanks. Hope we can get concurrency by clause soon. This seems like a very common use case. For now, we are going to use a dashboard with host selection in a dropdown.

I tried to get the query in strive's link above working. Unfortunately it doesn't work for our data. A lot of assumptions go into how your Splunk data is setup (start / stop / other transactions) to make this work:
sourcetype="*traceappender" | eval counter = if(searchmatch("Module.Begin"),1,-1) | sort 0 + _time | streamstats sum(counter) as concurrency by host | timechart span=1h count(concurrency) by host

0 Karma
Reply

JeToJedno
Explorer
‎04-06-2017 03:22 AM

I agree ... I repeatedly have had to use a cludge to get concurrency ... by ...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...