Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how do I calculate peaks with concurrent events?

whisperstream
Explorer
‎03-29-2012 05:34 PM

I have a bunch of log entries that look roughly like this:

[07/07/12:21:01:00 -0800] relay="12.12.12.12" endtime="07/07/12:21:03:00 -0800" duration="120" datarate="6"
[07/07/12:21:00:00 -0800] relay="12.12.12.12" endtime="07/07/12:21:07:00 -0800" duration="420" datarate="1"
[07/07/12:20:58:00 -0800] relay="12.12.12.12" endtime="07/07/12:21:01:15 -0800" duration="195" datarate="5"
[07/07/12:21:03:10 -0800] relay="12.12.12.12" endtime="07/07/12:21:03:20 -0800" duration="10" datarate="8"

What I am trying to do is find the peak bandwidth rate in each 5 minute bucket. I have tried using the timechart and concurrency but I not able to figure out how to account for the overlapping events and how to accumulate the datarate for each entry.

In the data above the max data rate for the 5 minute block shown, should be 12 (6 + 1 + 5), because the 1st 3 events overlap for 15 seconds (21:01:00 - 21:01:15).

If I can get the above 1st part done, the 2nd part is to find the average peak of all the 5 min buckets.

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-29-2012 08:47 PM

You have to use the concurrency command before the timechart command like:

... | concurrency duration=duration | timechart max(concurrency)
0 Karma
Reply

whisperstream
Explorer
‎03-30-2012 10:46 AM

Thanks for the response, maybe I'm not quite sure how concurrency works. I entered what you suggested and get concurrency values between 1-9 for various times. Am a bit confused on what this values represents because if I drill down into the data, it shows a few events but by manually checking the timestamps they don't seem to line up, so am wondering how splunk counts them as concurrent?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...