Using transaction with concurrency

If the question you are trying to answer is how many transactions were happening at a time, you can use transaction to combine related events and calculate the duration of each transaction. We will then use the concurrency command to increase a counter when the events start and decrease when the time for each transaction has expired. Let's start with our searches from the previous section:

sourcetype="impl_splunk_web" 
| transaction maxpause=5m uid 

This will return one transaction per uid session, on the assumption that a session is complete once no requests have been made for 5 minutes. This provides results as shown in the following screenshot:

By simply adding the concurrency command, we can determine the overlap of these transactions and find out how many transactions were occurring at a time. Let's also add the table and sort commands to create a table:

sourcetype="impl_splunk_web" 
| transaction maxpause=5m uid 
| concurrency duration=duration 
| table _time concurrency duration eventcount 
| sort _time 

This produces a table as follows:

From these results, we can see that as transactions begin, concurrency increases, and then it levels off as transactions expire. In our sample data, the highest value of concurrency we see is 6.
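As an added illustration, not code from the book, the Python below reproduces what the two commands compute over a handful of constructed web events. Events are grouped per uid into sessions that split whenever the gap between consecutive events exceeds maxpause; each transaction takes the _time of its first event, a duration (last timestamp minus first) and an eventcount; and the concurrency of a transaction is the number of transactions, itself included, whose time span covers its start time. The sample timestamps and the uids u1 to u4 are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, uid); not real impl_splunk_web data.
SAMPLE_EVENTS = [
    ("2023-01-01 10:00:00", "u1"),
    ("2023-01-01 10:01:00", "u1"),
    ("2023-01-01 10:02:00", "u2"),
    ("2023-01-01 10:03:00", "u4"),
    ("2023-01-01 10:03:30", "u1"),
    ("2023-01-01 10:04:00", "u3"),
    ("2023-01-01 10:05:00", "u4"),
    ("2023-01-01 10:06:00", "u2"),
    ("2023-01-01 10:10:00", "u1"),  # 6.5 min after u1's last hit: a new transaction
    ("2023-01-01 10:11:00", "u3"),  # 7 min after u3's last hit: a new transaction
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def build_transactions(events, maxpause=timedelta(minutes=5)):
    """Mimic `transaction maxpause=5m uid`: group events by uid in time order and
    start a new transaction whenever the pause since the uid's last event exceeds maxpause."""
    ordered = sorted(((parse(t), uid) for t, uid in events), key=lambda e: e[0])
    open_txn = {}   # uid -> transaction still accepting events
    closed = []
    for ts, uid in ordered:
        txn = open_txn.get(uid)
        if txn is not None and ts - txn["last"] > maxpause:
            closed.append(txn)  # pause too long: close the old session
            txn = None
        if txn is None:
            txn = {"uid": uid, "_time": ts, "last": ts, "eventcount": 0}
            open_txn[uid] = txn
        txn["last"] = ts
        txn["eventcount"] += 1
    closed.extend(open_txn.values())  # sessions still open at end of data
    for txn in closed:
        # duration is last minus first timestamp, so a one-event transaction has duration 0
        txn["duration"] = (txn["last"] - txn["_time"]).total_seconds()
    return sorted(closed, key=lambda t: t["_time"])  # same effect as `sort _time`


def add_concurrency(transactions):
    """Mimic `concurrency duration=duration`: for each transaction, count the transactions
    (itself included) that had started at or before its start and had not yet expired."""
    for t in transactions:
        start = t["_time"]
        t["concurrency"] = sum(
            1 for o in transactions
            if o["_time"] <= start <= o["_time"] + timedelta(seconds=o["duration"])
        )
    return transactions


def concurrency_table(events):
    """Equivalent of `table _time concurrency duration eventcount | sort _time`."""
    txns = add_concurrency(build_transactions(events))
    return [(t["_time"], t["concurrency"], t["duration"], t["eventcount"]) for t in txns]


def peak_concurrency(events):
    return max(row[1] for row in concurrency_table(events))


if __name__ == "__main__":
    for row in concurrency_table(SAMPLE_EVENTS):
        print(row)
    print("peak concurrency:", peak_concurrency(SAMPLE_EVENTS))
```

With these events the concurrency column reads 1, 2, 3, 3, 1, 1: it climbs while the u1, u2 and u4 sessions overlap, then drops back to 1 once they have expired, exactly the shape described above. Note that the transactions created by the two late-arriving hits have a duration of 0 and so only ever count themselves.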