Splunk® Enterprise

Search Reference

concurrency

Description

Concurrency measures the number of events which have spans that overlap with the start of each event. Alternatively, this measurement represents the total number of events in progress at the time that each particular event started, including the event itself. This command does not measure the total number of events that a particular event overlapped with during its total span.

Syntax

concurrency duration=<field> [start=<field>] [output=<field>]

Required arguments

duration
Syntax: duration=<field>
Description: A field that represents a span of time. This field must be numeric and use the same units as the start field. For example, the duration field generated by the transaction command is in seconds (see Example 1), so it can be used with the default start field, _time, which is also in seconds.

Optional arguments

start
Syntax: start=<field>
Description: A field that represents the start time.
Default: _time

output
Syntax: output=<field>
Description: A field to write the resulting number of concurrent events.
Default: "concurrency"

Usage

An event X is concurrent with event Y if X.start is between Y.start and (Y.start + Y.duration).

If your events have a time that represents event completion and a span that represents the time before the completion, you need to subtract duration from the start time before running the concurrency command:

... | eval new_start = start - duration | concurrency start=new_start duration=duration
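
The following Python sketch is an added illustration, not Splunk code or part of the original documentation. It models the rule above on constructed events to show that the count is taken only at each event's start, and that end-stamped events must first be shifted with start - duration. The Event class, the function names, the sample data and the boundary handling (half-open interval, every event counts itself) are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Event:
    name: str
    start: float      # same units as duration (seconds here)
    duration: float

def concurrency(events, max_count=10_000_000):
    """Map each event name to the number of events in progress at its start.

    Model assumption: Y is in progress at X.start when
    Y.start <= X.start < Y.start + Y.duration, and X always counts itself.
    """
    result = {}
    for x in events:
        in_progress = 1  # the event itself
        for y in events:
            if y is not x and y.start <= x.start < y.start + y.duration:
                in_progress += 1
        # Simplified stand-in for the max_count clamp from limits.conf
        result[x.name] = min(in_progress, max_count)
    return result

def from_completion_times(events):
    """Equivalent of `eval new_start = start - duration` for end-stamped events."""
    return [Event(e.name, e.start - e.duration, e.duration) for e in events]

# Constructed sample: A runs for 100s; B, C and D all begin while A is running.
SAMPLE = [Event("A", 0, 100), Event("B", 10, 5),
          Event("C", 12, 20), Event("D", 50, 5)]

# The same four events, but stamped with their completion time instead.
END_STAMPED = [Event("A", 100, 100), Event("B", 15, 5),
               Event("C", 32, 20), Event("D", 55, 5)]

if __name__ == "__main__":
    print("start-stamped:      ", concurrency(SAMPLE))
    print("end-stamped, raw:   ", concurrency(END_STAMPED))
    print("end-stamped, fixed: ", concurrency(from_completion_times(END_STAMPED)))
```

In this model, A overlaps three other events during its span yet reports 1, because nothing else is in progress when A starts. Feeding the end-stamped events in without the shift reports 1 for every event.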

Limits

There is a limit on the number of overlapping items. If the maximum tracked concurrency exceeds max_count, set in the [concurrency] stanza in limits.conf, a warning is produced in the UI / search output, and the values are clamped, making them potentially inaccurate. This limit defaults to 10000000 (ten million).

Examples

Example 1

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to your Splunk deployment. Then, run this search using the time range, All time.

Use the duration or span of a transaction to count the number of other transactions that occurred at the same time.

sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | concurrency duration=duration | eval duration=tostring(duration,"duration")

This example groups events into transactions if they have the same values of JSESSIONID and clientip. It defines an event as the beginning of the transaction if it contains the string "view" and as the last event of the transaction if it contains the string "purchase".

The transactions are then piped into the concurrency command, which counts the number of events that occurred at the same time based on the timestamp and duration of the transaction.

The search also uses the eval command and the tostring() function to reformat the values of the duration field to a more readable format, HH:MM:SS.

Example 2

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to your Splunk deployment. Then, run this search using the time range, Other > Yesterday.

Use the time between each purchase to count the number of different purchases that occurred at the same time.

sourcetype=access_* action=purchase | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | concurrency duration=timeDelta

This example uses the delta command and the _time field to calculate the time between one purchase event (action=purchase) and the purchase event immediately preceding it. The search renames this change in time as timeDelta.

Some of the values of timeDelta are negative. Because the concurrency command does not work with negative values, the eval command is used to redefine timeDelta as its absolute value (abs(timeDelta)). This timeDelta is then used as the duration for calculating concurrent events.

Example 3

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, Other > Yesterday.

Use the time between each consecutive transaction to calculate the number of transactions that occurred at the same time.

sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | concurrency duration=timeDelta | eval timeDelta=tostring(timeDelta,"duration")

This example groups events into transactions if they have the same values of JSESSIONID and clientip. It defines an event as the beginning of the transaction if it contains the string "view" and as the last event of the transaction if it contains the string "purchase".

The transactions are then piped into the delta command, which uses the _time field to calculate the time between one transaction and the transaction immediately preceding it. The search renames this change in time as timeDelta.

Some of the values of timeDelta are negative. Because the concurrency command does not work with negative values, the eval command is used to redefine timeDelta as its absolute value (abs(timeDelta)). This timeDelta is then used as the duration for calculating concurrent transactions.

Example 4

Determine the number of overlapping HTTP requests outstanding from browsers accessing splunkd at the time that each HTTP request begins.

This relies on the fact that the timestamp of the logged message is the time that the request came in, and the 'spent' field is the number of milliseconds spent handling the request. As always, to access the _internal index you must be an 'admin' user or have altered your roles scheme.

index=_internal sourcetype=splunkd_ui_access | eval spent_in_seconds = spent / 1000 | concurrency duration=spent_in_seconds

More examples

Example 1: Calculate the number of concurrent events for each event and emit as field 'foo':

... | concurrency duration=total_time output=foo

Example 2: Calculate the number of concurrent events using the 'et' field as the start time and 'length' as the duration:

... | concurrency duration=length start=et

See also

timechart

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the concurrency command.

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


Comments

Woodcock

Thanks for pointing this out! I have updated the text accordingly.

Lstewart splunk, Splunker
January 8, 2016

You have an error. You say this:

the total number of events in progress during the time that each particular event started

Yet if I do this:

index=* | head 1 | eval duration=100 | concurrency start=_time duration=duration

I get concurrency=1; therefore you should say this:

the total number of events in progress AT the time that each particular event started, INCLUDING THE EVENT ITSELF.

Woodcock
January 7, 2016
