Right,
I've been working on this again and I think I have something which works really well now:
foo earliest=@w0 |
transaction sesid |
eval countlogin=1 |
append [ search foo earliest=@w0 |
transaction sesid |
eval countlogin=-1 | eval _time=_time+duration ] |
stats sum(countlogin) AS countlogin by _time |
streamstats sum(countlogin) AS runningtotal |
eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S") | fields _time, runningtotal
It creates a 1 when a session starts, a -1 when a session ends, and then cumulatively sums them over time. You still have to be fairly confident that when the query starts there are no open sessions (I can do that with my tool at the beginning of the week).
Please ignore all of the below; it was my previous attempt and there are several things wrong with it.
By the way, this is the closest I got:
foo earliest=@w0 | transaction sesid keeporphans=true maxspan=13h | concurrency duration=duration | chart max(concurrency) by _time
This produces a nice little graph, but there are 2 problems with it: one is that it's only very accurate if you know there are 0 open sessions at the start point, and the second is that the graph never actually shows there being 0 open sessions.
Neither of these 2 problems was too much of an issue, as I just needed to show off shiny graphs to management.
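The +1/-1 running-total technique from the first search above, as an added example in Python rather than SPL (it is not the poster's code). The session records are constructed to look like the output of `transaction sesid` (one row per session with a start time and a duration); the helper names and the `open_at_start` parameter, which models the caveat that sessions already open when the window begins must be accounted for, are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sessions: (sesid, start time as epoch seconds, duration in seconds).
# These mimic what `transaction sesid` yields: one record per session with _time and duration.
SAMPLE_SESSIONS = [
    ("s1", 1_700_000_000, 600),   # starts at t0, ends at t0+600
    ("s2", 1_700_000_120, 300),   # starts at t0+120, ends at t0+420
    ("s3", 1_700_000_420, 60),    # starts exactly when s2 ends (same timestamp, net change 0)
    ("s4", 1_700_000_900, 300),   # starts after s1 ends, so the count drops to 0 in between
]


def session_events(sessions):
    """Emit (time, delta) pairs: +1 at each session start, -1 at its end.

    This mirrors `eval countlogin=1` on the main search and the appended
    `eval countlogin=-1 | eval _time=_time+duration` subsearch.
    """
    events = []
    for _sesid, start, duration in sessions:
        events.append((start, 1))
        events.append((start + duration, -1))
    return events


def running_concurrency(sessions, open_at_start=0):
    """Return [(epoch_time, running_total)] sorted by time.

    `stats sum(countlogin) by _time` collapses events that share a timestamp;
    `streamstats sum(countlogin)` then accumulates them in time order.
    open_at_start is a hypothetical extra (not in the SPL) that seeds the total
    with sessions known to be open before the search window began.
    """
    per_time = defaultdict(int)
    for t, delta in session_events(sessions):
        per_time[t] += delta
    total = open_at_start
    series = []
    for t in sorted(per_time):
        total += per_time[t]
        series.append((t, total))
    return series


def peak_concurrency(series):
    """Highest number of simultaneously open sessions in the series."""
    return max((total for _t, total in series), default=0)


def fmt(series):
    """Render times like the final `eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S")` (UTC here)."""
    return [
        (datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"), total)
        for t, total in series
    ]


if __name__ == "__main__":
    for when, total in fmt(running_concurrency(SAMPLE_SESSIONS)):
        print(when, total)
    print("peak:", peak_concurrency(running_concurrency(SAMPLE_SESSIONS)))
```

Running it with the constructed sessions shows the count rising to 2, returning to 0 once s1 and s2 have ended, and climbing again for s4, which is exactly the shape the running total in the post produces. Passing `open_at_start=1` shifts the whole series up by one and the count never reaches 0, which is the distortion you get if a session was already open when the window started and the search never sees its +1.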