How to plot number of users based on start and stop time?

Engager

Hi allknowing Splunkbase!

I have events that have the value x_duration and start time. With this value we can calculate the stop time, but how do I plot this in a timechart to show when users were active based on the start and stop time?

Fields I have are:
Starttime = this is when the event starts (hh.mm.ss)
x_duration = this is the number of seconds the event should show in the timechart
Stoptime = this is when the event should stop (hh.mm.ss)

So I need the event to increase by 1 in the timechart during the interval of starttime < AND > stoptime per event.

I am uncertain how to attack this problem. Any ideas?


Re: How to plot number of users based on start and stop time?

SplunkTrust

I've done something similar before using a combination of eval and accum. But, I had distinct start and stop events. It worked something like this:

blah blah blah | eval count_start=if(is_start_event==1,1,0) 
| eval count_end=if(is_end_event==1,1,0) 
| accum count_start AS total_started
| accum count_end AS total_ended
| eval activecount= total_ended - total_started

It's not always 100% mathematically accurate, especially if the start event is outside of the search time range but the end event is not. But, for my purpose it was a good enough approximation.

The concurrency search command may get very close to what you're trying to do. Have you looked at it?


Re: How to plot number of users based on start and stop time?

Splunk Employee

The concurrency search command does exactly what you are looking for with a start time and a duration.
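
An added example, not from any poster in this thread: a Python model of the +1/-1 running-sum idea from the first reply, applied to events that carry a start time and x_duration as in the question, and bucketed the way a timechart would be. The sample sessions, the function name and the 60-second span are constructed, and it assumes the event timestamp is the start time; it also covers the case the first reply mentions, a session that starts before the search window.

```python
from collections import defaultdict

# Constructed sample sessions: (user, start in epoch seconds, x_duration in seconds).
SESSIONS = [
    ("alice", 0, 150),
    ("bob", 30, 60),
    ("carol", 100, 200),
    ("dave", -120, 200),  # starts before the window opens, still active inside it
]

def active_per_bucket(sessions, window_start, window_end, span):
    """Peak number of simultaneously active sessions per span-second bucket.

    A session is active on the half-open interval [start, start + duration).
    """
    deltas = defaultdict(int)
    for _user, start, duration in sessions:
        stop = start + duration
        if stop <= window_start or start >= window_end:
            continue  # never active inside the window
        # Clamp early starters to the window edge so they are counted from the
        # first bucket. In a real search this only works if the time range
        # reaches back at least the longest x_duration, because an event whose
        # timestamp precedes the window is never returned at all.
        deltas[max(start, window_start)] += 1
        if stop < window_end:
            deltas[stop] -= 1

    buckets = {t: 0 for t in range(window_start, window_end, span)}
    active = 0
    # Walk every change point plus every bucket boundary in time order, so the
    # count carried into a bucket is recorded even when nothing changes in it.
    for t in sorted(set(deltas) | set(buckets)):
        active += deltas.get(t, 0)
        bucket = window_start + (t - window_start) // span * span
        buckets[bucket] = max(buckets[bucket], active)
    return buckets

if __name__ == "__main__":
    for bucket, count in active_per_bucket(SESSIONS, 0, 300, 60).items():
        print(f"t={bucket:>3}s active_users={count}")
```
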

Re: How to plot number of users based on start and stop time?

Engager

gkanapathy and dwaddle take the prize!! That's the command I was looking for!! Excellent 🙂

It now shows the number of concurrent users based on the duration field! Thank you!
