Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

concurrency

Synopsis

Given a duration field, finds the number of "concurrent" events for each event.

Syntax

concurrency duration=<field> [start=<field>] [output=<field>]

Required arguments

duration
Syntax: duration=<field>
Description: A field that represents a span of time.

Optional arguments

start
Syntax: start=<field>
Description: A field that represents the start time. Default is _time.
output
Syntax: output=<field>
Description: A field to write the resulting number of concurrent events. Default is "concurrency".

Description

Concurrency is the number of events that occurred simultaneously at the start time of the event, not the number of events that occurred during any overlap.

An event X is concurrent with event Y if (X.start, X.start + X.duration) overlaps at all with: (Y.start, Y.start + Y.duration)

Examples

Example 1

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, All time.

Use the duration or span of a transaction to count the number of other transactions that occurred at the same time.

sourcetype="access_*" | transaction JSESSIONID clientip startswith="*signon*" endswith="purchase" | concurrency duration=duration | eval duration=tostring(duration,"duration")

This example groups events into transactions if they have the same values of JSESSIONID and clientip, defines an event as the beginning of the transaction if it contains the string "signon" and the last event of the transaction if it contains the string "purchase".

The transactions are then piped into the concurrency command, which counts the number of events that occurred at the same time based on the timestamp and duration of the transaction.

The search also uses the eval command and the tostring() function to reformat the values of the duration field to a more readable format, HH:MM:SS.

ConcurrencyEx1.png


These results show that the first transaction started at 4:18 AM, lasted 1 hour 7 minutes and 17 seconds, and has a concurrency of 1. The concurrency number is inclusive, so this means that this was the only transaction taking place at 4:18 AM.

The second transaction started at 4:52:18 AM. At this time, the first transaction was still taking place, so the concurrency for this transaction is 2.


Example 2

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, Other > Yesterday.

Use the time between each purchase to count the number of different purchases that occurred at the same time.

sourcetype=access_* action=purchase | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | concurrency duration=timeDelta

This example uses the delta command and the _time field to calculate the time between one purchase event (action=purchase) and the purchase event immediately preceding it. The search renames this change in time as timeDelta.

Some of the values of timeDelta are negative. Because the concurrency command does not work with negative values, the eval command is used to redefine timeDelta as its absolute value (abs(timeDelta)). This timeDelta is then used as the duration for calculating concurrent events.

ConcurrencyEx2.png

These results show that the first and second purchases occurred at the same time. However, the first purchase has a concurrency=1. The second purchase has a concurrency=2, which includes itself and the first purchase event. Notice that the third purchase has a concurrency=1. This is because by the time of that purchase, 12:49 AM, the first purchase (which had timeDelta=49 seconds) already completed.


Example 3

This example uses the sample dataset from the tutorial. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, Other > Yesterday.

Use the time between each consecutive transaction to calculate the number of transactions that occurred at the same time.

sourcetype=access_* | transaction JSESSIONID clientip startswith="*signon*" endswith="purchase" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | concurrency duration=timeDelta | eval timeDelta=tostring(timeDelta,"duration")

This example groups events into transactions if they have the same values of JSESSIONID and clientip, defines an event as the beginning of the transaction if it contains the string "signon" and the last event of the transaction if it contains the string "purchase".

The transactions are then piped into the delta command, which uses the _time field to calculate the time between one transaction and the transaction immediately preceding it. The search renames this change in time as timeDelta.

Some of the values of timeDelta are negative. Because the concurrency command does not work with negative values, the eval command is used to redefine timeDelta as its absolute value (abs(timeDelta)). This timeDelta is then used as the duration for calculating concurrent transactions.

ConcurrencyEx3.png

Unlike Example 1, which was run over All time, this search was run over the time range Other > Yesterday. There were no concurrent transactions for these first two transactions.


Example 4

This example uses recent (October 18-25, 2010) earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains the source network (Src), ID (Eqid), version, date, location, magnitude, depth (km) and number of reporting stations (NST) for each earthquake over the last 7 days.

Download the text file, M 2.5+ earthquakes, past 7 days, save it as a CSV file, and upload it to Splunk. Splunk should extract the fields automatically. Note that you'll be seeing data from the 7 days previous to your download, so your results will vary from the ones displayed below.

Search for recent earthquakes in and around California that occurred at the same time.

source="eqs7day-M1.csv" Region="*California" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | concurrency duration=timeDelta | where concurrency>1

This example starts off with a search for all the earthquakes in the California area (Region="*California"). Then it calculates the time between each earthquake and the one before using the delta command. The absolute value of this change in time, timeDelta, is then used as the duration value to find concurrent earthquakes.

The events are piped into the where command to filter out events that don't have a concurrent event (concurrency>1).

ConcurrencyEx3.1.png

Here, this result shows you that there were two earthquakes (concurrency=2) that occurred on Tuesday, October 19, 2010 at 11:23:51 UTC (this is the Dateime value). But, this only shows 1 event.

What if you want to see more information about these events? For example, what was the magnitude of these two quakes and where did they occur? You have the Datetime value and can search for that over the time range, All time. Or you can use a subsearch:

source="eqs7day-M1.csv" [search source="eqs7day-M1.csv" Region="*California" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | concurrency duration=timeDelta | where concurrency>1 | table Datetime]

The original search is run first as a subsearch that uses the table command to return only the Datetime of the results. This Datetime is used in the outer search and returns the following events:

ConcurrencyEx3.2.png

Now, you can see that the two concurrent events occurred in Northern California, fairly close together, and with magnitudes of 1.1 and 1.2 respectively.


More examples

Example 1: Calculate the number of concurrent events for each event and emit as field 'foo':

... | concurrency duration=total_time output=foo

Example 2: Calculate the number of concurrent events using the 'et' field as the start time and 'length' as the duration:

... | concurrency duration=length start=et

See also

timechart

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the concurrency command.

PREVIOUS
collect
  NEXT
contingency

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters