Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to get number of concurrent sessions per minute

Laya123
Communicator
‎04-23-2015 10:22 PM

Hi ,

How to get number of concurrent sessions per minute. My transaction started with beginning session and ends with ending session

for example

my first transaction started at 12-3-2015 10:01:00, second transaction started at 12-3-2015 10:01:10, third transaction started at 12-3-2015 10:01:35, fourth transaction started at 12-3-2015 10:02:15, fifth transaction started at 12-3-2015 10:02:40

My second transaction ended at 12-3-2015 10:01:50

I want my output like

12-3-2015 10:01:00 - number of transactions 3
12-3-2015 10:02:00 - Number of transactions 4 (second transaction completed in last minute only thats why I excluded that in next minute)

Thanks in advance

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fdi01
Motivator
‎04-24-2015 04:35 AM

try like this:

...| transaction startswith="beginning session" endswith="ending session" |bucket span=1m _time|stats count as "number of transactions" by _time

or 

 ...| transaction startswith="beginning session " endswith="ending session " | timechart per_minute(eval(count)) as "number of transactions"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

fdi01
Motivator
‎04-24-2015 04:35 AM

try like this:

...| transaction startswith="beginning session" endswith="ending session" |bucket span=1m _time|stats count as "number of transactions" by _time

or 

 ...| transaction startswith="beginning session " endswith="ending session " | timechart per_minute(eval(count)) as "number of transactions"
0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-23-2015 11:09 PM

Hi here is something for you.

1.
source="" | transaction startswith="beginning session "
endswith="ending session " |timechart count span=1m as
"number of transactions"

However if this returns more than 50,000 results it
wont work and it'll return that bucketing error.

OR

2.
source="" | transaction startswith="beginning session "
endswith="ending session " |eval count=1
| timechart per_minute (count) as
"number of transactions"

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...