Hi,

That does not show me how many actions are ongoing . What I want is to get count of ongoing actions e.g for every minute for last 24h. So basically like timechart of ongoing actions overtime but the problem is that since I have only one event which contains start/stop times of action I cannot use timechart.

Try something like this

| eval time=mvappend(starttime, endtime)
| mvexpand time
| eval _time=time
| eval event=if(_time=starttime,1,-1)
| sort 0 -time
| streamstats sum(event) as ongoing

Hi,

It does not provide the needed result either. What I need is count of ongoing actions for e.g every minute.

Something like this:

Problem is that how to count ongoing actions on each time ? Somehow it should be searched if that time is between actions start - stop time and if it is action is ongoing on that time ?

Try something like this

``` Duplicate events with start and end times ```
| eval time=mvappend(starttime, endtime)
| mvexpand time
``` Reset event time ```
| eval _time=time
``` Determine if start or end event ```
| eval event=if(_time=starttime,1,-1)
``` Bucket into minutes ```
| bin _time span=1m
``` Move end time to next minute ```
| eval _time=if(event=-1,_time+60,_time)
``` Sort by _time ```
| sort 0 -time
``` Count events started in each minute minus those finished in the previous minute ```
| timechart sum(event) as ongoing span=1m

Hi,

I don't think that you understand my problem.

These actions on my system can be long lasting e.g hours or short e.g minutes from each action I have get one event after action is finished (which contains start/stop times and unique action_id).

And I would like to know how many actions were ongoing in each minute e.g in past 24h.  

Thank you for explaining your problem in more detail - try something like this

``` Duplicate events with start and end times ```
| eval time=mvappend(starttime, endtime)
| mvexpand time
``` Reset event time ```
| eval _time=time
``` Determine if start or end event ```
| eval event=if(_time=starttime,1,-1)
``` Bucket into minutes ```
| bin _time span=1m
``` Move end time to next minute ```
| eval _time=if(event=-1,_time+60,_time)
``` Sort by _time ```
| sort 0 _time
``` Count events started in each minute minus those finished in the previous minute ```
| streamstats sum(event) as ongoing
``` Take maximum for each minute ```
| stats max(ongoing) as ongoing by _time
``` Fill in intervening minutes ```
| makecontinuous _time span=1m
``` Fill in ongoing values ```
| filldown ongoing

This will give me negative decreasing ongoing value over time.
Also you are now just focusing to start/stop times but you also need to take account that different actions can start or stop at the same time. I think that also action_id should be taken into account in search ?

Please share your search - it sounds like you may have changed _time before determining the event type

Alternatively, you could do it this way

``` Duplicate events ```
| eval event=mvrange(1,3)
| mvexpand event
``` Reset event time ```
| eval _time=if(event=1,starttime,endtime)
``` Determine if start or end event ```
| eval event=if(event=1,1,-1)
``` Bucket into minutes ```
| bin _time span=1m
``` Move end time to next minute ```
| eval _time=if(event=-1,_time+60,_time)
``` Sort by _time ```
| sort 0 _time
``` Count events started in each minute minus those finished in the previous minute ```
| streamstats sum(event) as ongoing
``` Take maximum for each minute ```
| stats max(ongoing) as ongoing by _time
``` Fill in intervening minutes ```
| makecontinuous _time span=1m
``` Fill in ongoing values ```
| filldown ongoing

You shouldn't need to take eventId into account so long as there is just one event per event Id