Great solution @sideview, I've been struggling with a split by concurrency problem for a couple of days. The concurrency command works fine when I just search for events with a single value used for the split; when I search for all events with all "split by values" the numbers aren't right. I found out myself why, and thought it would be impossible. Your spooky bit of SPL solves it nicely, and running it line by line looking at the results I understand why. Thanks!

My not correctly working code:

index=mfpublic sourcetype=SMF030 SMF30JNM=JOB* SMF30CLS=*
| stats earliest(_time) as start latest(_time) as stop by SMF30JNM SMF30CLS
| eval _time=start, duration=stop-start
| concurrency duration=duration
| timechart limit=20 span=15m max(concurrency) by SMF30CLS

And the working code with your solution:

index=mfpublic sourcetype=SMF030 SMF30JNM=JOB* SMF30CLS=*
| stats earliest(_time) as start latest(_time) as stop by SMF30JNM SMF30CLS
| eval _time=start, duration=stop-start
| eval increment = mvappend("1","-1")
| mvexpand increment
| eval _time = if(increment==1, _time, _time + duration)
| sort 0 + _time
| fillnull class value="NULL"
| streamstats sum(increment) as post_concurrency by SMF30CLS
| eval concurrency = if(increment==-1, post_concurrency+1, post_concurrency)
| timechart limit=0 span=15m max(concurrency) as max_concurrency last(post_concurrency) as last_concurrency by SMF30CLS
| filldown last_concurrency*
| foreach "max_concurrency: *" [eval <<MATCHSTR>>=coalesce('max_concurrency: <<MATCHSTR>>','last_concurrency: <<MATCHSTR>>')]
| fields - last_concurrency* max_concurrency*

Thanks again!
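Added example, not part of the original post: a Python sketch of the difference between the two searches above. The `concurrency` command has no split-by option, so it counts overlapping events of every class, while the `+1`/`-1` sweep keeps a running sum per class. The job data is constructed, the function names are hypothetical, and the 15-minute bucketing and `filldown` steps are left out.

```python
from collections import defaultdict

# Constructed sample jobs: (job name, class, start, stop), times in seconds.
JOBS = [
    ("JOB1", "A", 0, 100),
    ("JOB2", "B", 10, 50),
    ("JOB3", "B", 20, 60),
    ("JOB4", "A", 120, 130),
]

def global_concurrency(jobs):
    """Per job: how many jobs of ANY class are running at its start time.
    This mirrors `concurrency duration=duration`, which ignores the class."""
    return {name: sum(1 for _, _, s, e in jobs if s <= start < e)
            for name, _, start, _ in jobs}

def max_per_class_naive(jobs):
    """max(concurrency) by class, taken over the global counts (first search)."""
    conc = global_concurrency(jobs)
    peak = defaultdict(int)
    for name, cls, _, _ in jobs:
        peak[cls] = max(peak[cls], conc[name])
    return dict(peak)

def max_per_class_sweep(jobs):
    """The +1/-1 approach of the second search, with a running sum per class."""
    events = []
    for _, cls, start, stop in jobs:
        events.append((start, 1, cls))    # increment = 1 at job start
        events.append((stop, -1, cls))    # increment = -1 at start + duration
    events.sort(key=lambda e: e[0])       # sort 0 + _time
    running = defaultdict(int)
    peak = defaultdict(int)
    for _, inc, cls in events:
        running[cls] += inc               # streamstats sum(increment) by class
        # An end event still counts the job that is just finishing.
        conc = running[cls] + 1 if inc == -1 else running[cls]
        peak[cls] = max(peak[cls], conc)
    return dict(peak)

if __name__ == "__main__":
    print("naive:", max_per_class_naive(JOBS))
    print("sweep:", max_per_class_sweep(JOBS))
```

With this data the class B peak comes out as 3 in the naive version because the class A job running at the same time is counted, and as 2 in the per-class sweep.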