Splunk Search

How to use the concurrency command?

SplunkTrust

Hello Splunkers,

While working on charting the max concurrent usage of the wifi services in a department of my company, I fell on a small problem. I have two different hotspot names and I am trying to chart the max concurrency of both on the same stacked column chart to give visibility on which one is being used more.

Charting them one at a time works well by doing the following:

index=wifi HotspotName="First" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency)

And

index=wifi HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency)

This uses up two panels/searches, so I want to have both results on the same chart. To do that, I used the following command:

index=wifi HotspotName="First" OR HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency) by HotspotName

The thing is that in this case, both HotspotName are being displayed with the same value for concurrency. I'm guessing that's normal behavior for concurrency since at no point the concurrency is being split between both hotspots. So my question is, what can I do to make the timechart split the values of concurrency based on the hotspots and not simply show the same value for both?

Hope you guys can help!

Regards,
David

0 Karma
1 Solution

Esteemed Legend

Just append the searches like this:

index=wifi HotspotName="First" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency) | append [search index=wifi HotspotName="Second" | transaction TransactionId startswith="start" endswith="stop" | concurrency duration=duration | timechart max(concurrency)]


SplunkTrust

Thanks a lot Woodcock! Always here to give helpful answers 🙂 This charts both correct values on the same chart. Is there a way to superpose them? Because I'm getting the charts chained one after the other.

0 Karma

SplunkTrust

Ended up using transaction command on _time to regroup both values 😄

0 Karma

Esteemed Legend

Or add `| sort 0 _time`

SplunkTrust

Yeah, it works too 😄 although when I try to eval a total and chart it along with the other lines, it doesn't seem to work with the sort. It only works with transaction. Any idea why?

0 Karma

Esteemed Legend

You cannot sort by a field that you have caused to be dropped ( _time ).

0 Karma

Path Finder

I'm assuming that your second query should have HotspotName="Second" and not HotspotName="First"?

0 Karma

SplunkTrust

lol copy/paste ^^ thanks man, fixed it 🙂

0 Karma
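
Added example, not posted by anyone in this thread: since `concurrency` has no by clause, one way to get a per-hotspot count in a single search is to turn each transaction into a +1 edge at its start and a -1 edge at its end, then keep a running sum per `HotspotName`. The index, field names and transaction boundaries are the ones used in the thread; `edge` and `delta` are names introduced here, and the search assumes each transaction carries a single `HotspotName` value.

```spl
index=wifi HotspotName="First" OR HotspotName="Second"
| transaction TransactionId startswith="start" endswith="stop"
| eval edge=mvappend(_time.":1", (_time + duration).":-1")
| mvexpand edge
| eval _time=tonumber(mvindex(split(edge, ":"), 0)), delta=tonumber(mvindex(split(edge, ":"), 1))
| sort 0 _time delta
| streamstats sum(delta) AS concurrency BY HotspotName
| timechart max(concurrency) BY HotspotName
```

Sorting on `delta` after `_time` processes a stop before a start that shares the same timestamp, so a session ending at the instant another begins is not counted as overlapping.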