Our fake concurrency example from earlier looks like this:
sourcetype=impl_splunk_gen network="*"
| eval d=2
| concurrency duration=d
| timechart max(concurrency)
First, let's rebuild this search using the streamstats command. This command calculates rolling statistics and attaches the calculated values to the events themselves.
To accommodate streamstats, we will need an event representing the start and the end of each transaction. We can accomplish this by creating a multivalued field, essentially an array, and then duplicating our events based on the values in this field.
First, let's create our end time. Remember that _time is simply the UTC epoch time (seconds since 1970-01-01 00:00:00 UTC) at which this event happened, so we can treat it as a number.
sourcetype=impl_splunk_gen network="*"
| eval endtime=_time+2
Piping that through table _time network endtime shows one row per event, with endtime exactly two seconds after _time.
Next, we want to combine _time and our endtime into a multivalued field, which we will call t:
sourcetype=impl_splunk_gen network="*"
| eval endtime=_time+2
| eval t=mvappend(_time,endtime)
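As an added example (not code from the book or from Splunk), here is the same start/end expansion and rolling count written in Python over a handful of constructed events, so the mechanics of the streamstats approach can be checked offline. It carries the procedure through to the steps the SPL above is building toward: a rolling sum over the expanded rows and a per-bucket maximum. The +1/-1 delta field, the five-second bucket width, the tie-breaking rule and the sample events are assumptions of this example, not anything the page specifies.

```python
"""Sweep-line concurrency count, mirroring the streamstats approach described above.

Each event is duplicated into a start row and an end row (the Python stand-in
for eval endtime=_time+d | eval t=mvappend(_time, endtime) | mvexpand t),
the rows are sorted by time, and a running sum over +1/-1 markers gives the
number of transactions open at each instant.
"""
from collections import defaultdict

# Constructed sample events: (epoch _time in seconds, network).
# Every transaction is assumed to last 2 seconds, like `eval d=2` on the page.
SAMPLE_EVENTS = [
    (1000, "prod"),
    (1000, "qa"),
    (1001, "prod"),
    (1003, "prod"),
    (1010, "qa"),
]


def expand_events(events, duration=2):
    """Turn each event into two rows: one at its start, one at its end.

    'delta' is +1 for a start row and -1 for an end row (assumed field name).
    Rows are sorted by time; at the same instant an end sorts before a start,
    so a transaction ending exactly when another begins is not counted as
    overlapping it (a deliberate choice for this example).
    """
    rows = []
    for t, network in events:
        rows.append({"t": t, "network": network, "delta": +1})
        rows.append({"t": t + duration, "network": network, "delta": -1})
    rows.sort(key=lambda r: (r["t"], r["delta"]))
    return rows


def running_concurrency(rows):
    """Running sum of delta in time order, attached to each row as 'concurrency'.

    This is the stand-in for streamstats sum(delta) as concurrency: after a
    start row the count goes up by one, after an end row it goes down by one.
    """
    running = 0
    out = []
    for r in rows:
        running += r["delta"]
        out.append({**r, "concurrency": running})
    return out


def max_concurrency_per_bucket(rows, span=5):
    """Stand-in for timechart span=5s max(concurrency).

    Only buckets that contain at least one row are returned; timechart would
    also emit empty buckets for the rest of the time range.
    """
    buckets = defaultdict(int)
    for r in rows:
        bucket = r["t"] - r["t"] % span
        buckets[bucket] = max(buckets[bucket], r["concurrency"])
    return dict(sorted(buckets.items()))


def concurrency_timechart(events, duration=2, span=5):
    """Whole pipeline: expand, running sum, per-bucket maximum."""
    rows = running_concurrency(expand_events(events, duration))
    return max_concurrency_per_bucket(rows, span)


if __name__ == "__main__":
    for row in running_concurrency(expand_events(SAMPLE_EVENTS)):
        print(row)
    print(concurrency_timechart(SAMPLE_EVENTS))
```

Two checks worth keeping in mind when you build the real search: the running sum must return to zero after the last end row (if it does not, some event produced a start without a matching end, or the sort order is wrong), and the sort must be by the expanded time field t, not by the original _time, or the end rows land in the wrong place.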