Charting concurrency for all time spans

jeffa · ‎07-25-2011

I have a query that creates a transaction and then calculates the concurrency for the transactions based on the duration calculated by the 'transaction' command...

sourcetype="mySourcetype" (startEventText) OR (endEventText) | transaction host custID startswith="startEventText" endswith="endEventText" | concurrency duration=duration

I would like to chart the number of concurrent transactions over time, but when I use a standard "| timechart span=1m max(concurrency)", I see the concurrency results at the time a particular transaction started, but not for subsequent time spans. In my scenario, a transaction may take several minutes (up to hours), and I'd like a visual representation of how many of these transactions are happening at any given timespan (not just the timespans where a transaction started).

[How] Can this be done?

steveyz · ‎07-30-2011

try adding | filldown to the end of your search. This is available in 4.2 and later

jeffa · ‎08-01-2011

Precisely what I was looking for. Thanks! (Original)

(Edit)
Actually...this is close, but I noticed that the "score" doesn't drop off when the transaction completes.

sideview · ‎07-31-2011

you mean after the timechart span=1m max(concurrency) of course, not just after the concurrency command.

Charting concurrency for all time spans

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk