Determining concurrency
Determining the number of users currently using a system is difficult, particularly if the log does not contain events for both the beginning and end of a transaction. With web server logs in particular, there is usually no way to know when a user has left a site. Let's investigate a couple of strategies for answering this question.
Using transaction with concurrency
If the question you are trying to answer is "how many transactions were happening at a time?", you can use transaction to combine related events and calculate the duration of each transaction. We will then use the concurrency command to increase a counter when the events start, and decrease when the time has expired for each transaction. Let's start with our searches from the previous section:
sourcetype="impl_splunk_web" | transaction maxpause=5m uid
This will return a transaction for every uid, assuming that if no requests were made for five minutes, the session is complete. This provides results as...
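To make the two steps concrete outside Splunk, here is an added example (not code from the book) that sessionizes a few constructed web-log events per uid with a five-minute maxpause and then counts open sessions at each session start, the way transaction and concurrency do. The sample events, the inclusive-end rule for overlap, and the function names are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample web requests (not from the book): (timestamp, uid).
SAMPLE_EVENTS = [
    ("2012-05-01 10:00:00", "u1"),
    ("2012-05-01 10:02:00", "u1"),
    ("2012-05-01 10:03:00", "u2"),
    ("2012-05-01 10:04:00", "u3"),
    ("2012-05-01 10:05:00", "u2"),
    ("2012-05-01 10:06:00", "u1"),
    ("2012-05-01 10:15:00", "u1"),  # 9 min after u1's last hit: new session
    ("2012-05-01 10:16:00", "u2"),  # 11 min after u2's last hit: new session
]

MAXPAUSE = timedelta(minutes=5)  # the maxpause=5m from the search


def sessionize(events, maxpause=MAXPAUSE):
    """Group events per uid into sessions, like `transaction maxpause=5m uid`.
    A new session opens when the gap since the uid's previous event exceeds
    maxpause. Returns (uid, start, end) tuples ordered by start time."""
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), uid)
                    for ts, uid in events)
    by_uid = {}
    for ts, uid in parsed:
        sessions = by_uid.setdefault(uid, [])
        if sessions and ts - sessions[-1][1] <= maxpause:
            sessions[-1][1] = ts        # still within the pause: extend it
        else:
            sessions.append([ts, ts])   # pause exceeded: open a new session
    flat = [(uid, s, e) for uid, ss in by_uid.items() for s, e in ss]
    return sorted(flat, key=lambda x: (x[1], x[0]))


def concurrency(sessions):
    """For each session start, count sessions open at that instant (itself
    included): the counter goes up at a transaction's start and is no longer
    counted once its duration has elapsed. Assumption: a session whose end
    equals the instant still counts as open."""
    result = []
    for i, (uid, start, _end) in enumerate(sessions):
        open_now = sum(1 for _, s, e in sessions[:i + 1] if s <= start <= e)
        result.append((uid, start, open_now))
    return result


def peak_concurrency(events, maxpause=MAXPAUSE):
    """Highest number of simultaneous sessions seen in the event stream."""
    return max(c for _, _, c in concurrency(sessionize(events, maxpause)))
```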