Solved: Re: How to use the concurrency command?

DavidHourani · ‎06-17-2015

Hello Splunkers,

While working on charting the max concurrent usage of the wifi services in a department of my company, I fell on a small problem. I have two different hotspot names and I am trying to chart the max concurrency of both on the same stacked column chart to give visibility on which one is being used more.

Charting them one at a time works wells by doing the following :

index=wifi HotspotName="First"    | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency)

And

index=wifi HotspotName="Second"    | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency)

This uses up two panels/searches, so I want to have both results on the same chart. To do that, I used the following command :

index=wifi HotspotName="First"  OR HotspotName="Second"  | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency) by HotspotName

The thing is that in this case, both HotspotName are being displayed with the same value for concurrency. I'm guessing that's normal behavior for concurrency since at no point the concurrency is being split between both hotspots. So my question is, what can I do to make the timechart split the values of concurrency based on the hotspots and not simply show the same value for both.

Hope you guys can help!

Regards,
David

woodcock · ‎06-17-2015

Just append the searches like this:

index=wifi HotspotName="First" | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency) | append [search index=wifi HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency)]

View solution in original post

woodcock · ‎06-17-2015

Just append the searches like this:

index=wifi HotspotName="First" | transaction TransactionId startswith="start" endswith="stop"| concurrency duration=duration | timechart max(concurrency) | append [search index=wifi HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency)]

DavidHourani · ‎06-18-2015

Thanks a lot Woodcock ! always here to give helpful answers 🙂 This charts both correct values on the same chart . Is there way to have them superpose them ? because i'm getting the charts chained one after the other.

DavidHourani · ‎06-18-2015

Ended up using transaction command on _time to regroup both values 😄

woodcock · ‎06-20-2015

Or add `| sort 0 _time'

DavidHourani · ‎06-22-2015

Yeah it works too 😄 although when i try to eval a total and chart it along with the other lines it doesn't seem to work with the sort. Only works with transaction. Any idea why ?

woodcock · ‎06-22-2015

You cannot sort by a field that you have caused to be dropped ( _time ).

KenWhitesell · ‎06-17-2015

I'm assuming that your second query should have
HotspotName="Second"
and not
HotspotName="First"
?

DavidHourani · ‎06-17-2015

lol copy/paste ^^ thanks man, fixed it 🙂

How to use the concurrency command?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life