Channel: Questions in topic: "splunk-enterprise"

How to create a timechart in Splunk that shows how many accounts are in processing at different intervals?

Hello Splunkers,

Hope you are doing good. I appreciate beforehand all the time you take helping us out here.

So I'm in the dilemma of simulating a "pipeline" in Splunk. This is to know, at certain time intervals, how many (let's say) accounts are being processed. That means, if account 1 started processing at 3:00 pm, then at the interval of 3:05, if account 1 is still not finished, I will have a pipeline of 1, and so on. Then, let's say account 1 finished processing, so it will be subtracted from the pipeline.

I need a search for this to be able to see how many accounts are in processing at certain time intervals. For this matter, I have something like this:

    index="app_log" sourcetype=accounts_calcs calc_status="accountcalc(1)" OR calc_status="accountcalc(2)" | timechart count by calc_status span=10m | ??

So, I know an account started calculation if the status is equal to accountcalc(1), and an account finished calculation if the status is accountcalc(2). I need to say, at certain time intervals, how many accounts are in the process of calculation, so when I find a start, I will sum it, and when I have a finish, I will perform a deduction.

I need to take into consideration that I have different accounts, of course, so even though I have 300 accounts that started calculation and then 200 finished, I need to check that the actual account that started is the same one that finished in that time interval. If not, it will still be in the pipeline until that particular account finishes.

Truth is, I don't have much idea how I can do it, so I'm asking for help.

Regards
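The counting rule the question describes, worked through offline in Python as an added example (it is not part of the original post and is not a Splunk search). It assumes each event carries an account identifier, called `account` here, which the post does not name; the sample events are constructed, and the span is assumed to divide 60 minutes evenly.

```python
from datetime import datetime, timedelta

START, FINISH = "accountcalc(1)", "accountcalc(2)"

# Constructed sample events: (timestamp, account, calc_status).
# The "account" field is an assumption; the post does not name it.
EVENTS = [
    ("2024-01-01 15:00:30", "A1", START),
    ("2024-01-01 15:02:10", "A2", START),
    ("2024-01-01 15:07:45", "A2", FINISH),
    ("2024-01-01 15:12:00", "A3", START),
    ("2024-01-01 15:12:05", "A3", START),   # duplicate start, counted once
    ("2024-01-01 15:18:20", "A9", FINISH),  # finish with no start, ignored
    ("2024-01-01 15:21:00", "A1", FINISH),
    ("2024-01-01 15:26:00", "A3", FINISH),
]

def in_processing(events, span_minutes=10):
    """Return [(bucket_end, open_account_count)] for each span from first to last event."""
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, status)
                    for ts, acct, status in events)
    span = timedelta(minutes=span_minutes)
    first = parsed[0][0]
    # Align the first bucket to a span boundary (e.g. 15:00:30 -> bucket ending 15:10).
    bucket_end = first - timedelta(minutes=first.minute % span_minutes,
                                   seconds=first.second) + span
    open_accounts, result, i = set(), [], 0
    while i < len(parsed):
        # Apply every event that falls before the end of this bucket.
        while i < len(parsed) and parsed[i][0] < bucket_end:
            _, acct, status = parsed[i]
            if status == START:
                open_accounts.add(acct)      # the set pairs start and finish per account
            elif status == FINISH:
                open_accounts.discard(acct)  # only removes an account that was open
            i += 1
        # Accounts still in the set carry over into the next bucket.
        result.append((bucket_end.strftime("%H:%M"), len(open_accounts)))
        bucket_end += span
    return result

if __name__ == "__main__":
    for end, count in in_processing(EVENTS):
        print(end, count)
```

Accounts that started before the first event in the input are not counted, so the time window fed to this logic has to begin early enough to include their start events.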
