| eval increment=if(_time=t,1,-1)
| eval _time=t
| sort 0 _time network increment
One thing to note at this point is that we have overwritten several field values in
this query with eval. We have changed _time, and now we have
changed increment. A field can be reassigned as many times as
needed, and the last assignment in the chain wins.
Now that our events are sorted by _time, we are finally ready for streamstats.
This command calculates running statistics over the events it has seen so far, in the
order the events arrive. In combination with our increment field, this command will
act just like concurrency, but will keep a separate running total for each
distinct value of the field listed after by:
sourcetype=impl_splunk_gen network="*"
| eval endtime=_time+2
| eval t=mvappend(_time,endtime)
| mvexpand t
| eval increment=if(_time=t,1,-1)
| eval _time=t
| sort 0 _time network increment
| streamstats sum(increment) as concurrency by network
| search increment="1"
The last search statement will eliminate our synthetic end events.
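To make the mechanics of the pipeline above concrete, here is the same sweep-line algorithm written in Python over a handful of constructed events (an added illustration, not code from the book or from Splunk). The events, the network names and the fixed two-second duration are assumptions; the functions expand, sweep and concurrency are hypothetical names that mirror the mvexpand, sort/streamstats and search stages. The ends_first switch reproduces the effect of the sort order: with increment sorted ascending, an end row (-1) at a given timestamp is processed before a start row (+1) at that same timestamp, so an event that ends exactly when another begins is not counted as overlapping it.

```python
"""Per-network concurrency via start/end markers, mirroring the streamstats pipeline."""
from collections import defaultdict

# Constructed sample events: (_time, network). Not data from the page.
EVENTS = [
    (100, "prod"),
    (101, "prod"),
    (101, "qa"),
    (102, "prod"),   # starts exactly when the 100-102 prod event ends
    (103, "qa"),     # starts exactly when the 101-103 qa event ends
    (110, "prod"),
]
DURATION = 2  # endtime = _time + 2, as in the SPL (assumed fixed duration)


def expand(events, duration=DURATION):
    """mvappend + mvexpand: emit a +1 row at the start and a -1 row at the end."""
    rows = []
    for t, network in events:
        rows.append({"_time": t, "network": network, "increment": 1})
        rows.append({"_time": t + duration, "network": network, "increment": -1})
    return rows


def sweep(rows, ends_first=True):
    """sort 0 _time network increment | streamstats sum(increment) by network.

    ends_first=True matches the ascending sort on increment (-1 before +1 at an
    equal timestamp); ends_first=False shows the over-count you get otherwise.
    """
    order = 1 if ends_first else -1
    rows = sorted(rows, key=lambda r: (r["_time"], r["network"], order * r["increment"]))
    running = defaultdict(int)  # one running total per network, like "by network"
    for r in rows:
        running[r["network"]] += r["increment"]
        r["concurrency"] = running[r["network"]]
    return rows


def concurrency(events, duration=DURATION, ends_first=True):
    """Full pipeline; returns (_time, network, concurrency) for start rows only."""
    rows = sweep(expand(events, duration), ends_first)
    # search increment="1": drop the synthetic end rows
    return [(r["_time"], r["network"], r["concurrency"]) for r in rows if r["increment"] == 1]


if __name__ == "__main__":
    for row in concurrency(EVENTS):
        print(row)
```

With ends_first=True the prod event at 102 reports a concurrency of 2 (the 101 event is still open, the 100 event has just closed); flipping the tie-break counts the closing event too and reports 3, which is the kind of off-by-one that makes a concurrency dashboard disagree with the concurrency command.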
Piping the results through table _time network increment concurrency,
we get these results:
 