For those that came here (like me) in need for a solution, the trick I've found was to create mvfields with the span value and then mvexpand them and then do a distinct count by txid in the timechart.. So from original poster's question, lets assume we are there, and have duration in seconds created by the transaction command: | transaction UserId startswith="login" endswith="logout" Lets suppose that UserId is unique enough to be a TxId. So we want to do a count of how many concurrent Tx's are at a particular timeslot of 1s: | eval events=mvrange(0,duration,1)
| fillnull events
| mvexpand events Now we have created on each event a # of lines with an increasing value of 1 from 0 to duration, and we are going to use that to offset each _time by that amount of seconds: | eval _time=_time+events
| timechart dc(UserId) span=1s And finally we do a distinct count of the TxId. In theory we should have and actual event per time slot to be able to to a timechart that counts active transactions by their duration.
... View more