I had the same problem, and came up with a kludge to work around it. In your case, something like:
sourcetype="stream_logs" *ch_*
| rex "(?P<channel>ch_\d{3})"
| appendpipe [ where channel="ch_101" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
| appendpipe [ where channel="ch_102" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
| appendpipe [ where channel="ch_103" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
| appendpipe [ where channel="ch_104" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
| appendpipe [ where channel="ch_105" | concurrency duration=x_duration | table _time, channel, identifier, concurrency ]
| timechart span=5min max(concurrency) BY channel
This is nasty, and needs editing every time there's a new channel, but it works.
You can add a catch-all appendpipe for concurrency for anything not otherwise identified (good for detecting change in the number of channels), or a where line to drop anything which doesn't have a concurrency, or a stats line to merge the concurrencies back into the transaction they're from (or add more fields into the table commands).
It would be much better if there was a *concurrency ... BY * command
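A per-channel running count that does not need one appendpipe per channel, as an added example that is not part of the original post. It swaps the concurrency command for start/end edge events summed with streamstats, keeps the post's sourcetype, rex and x_duration field, and assumes x_duration is in seconds; the field names edge and delta are introduced here for illustration.

```spl
sourcetype="stream_logs" *ch_*
| rex "(?P<channel>ch_\d{3})"
| eval edge=mvappend("start", "end")
| mvexpand edge
| eval _time=if(edge="start", _time, _time + x_duration)
| eval delta=if(edge="start", 1, -1)
| sort 0 _time, delta
| streamstats sum(delta) AS concurrency BY channel
| timechart span=5min max(concurrency) BY channel
```

Each event becomes a +1 row at its start and a -1 row at its end, so the running sum per channel is the number of streams open at that moment; sorting on delta after _time applies an end before a start that shares the same timestamp.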