Hi All,
We have a number of micro services with correlation id flowing across the request and responses. What i'm trying to do is to create a flow of request and response for 1 correlation id.
Example log
| correlation id | time | source | message |
| 123 | 12:00:00 | Service A | Enter service A |
| 123 | 12:00:01 | Service A | Calling Service B |
| 123 | 12:00:02 | Service B | Routing to Service C |
| 123 | 12:00:03 | Service C | Result Found. Response User 1 |
| 123 | 12:00:04 | Service B | Using User 1 to find resource |
| 123 | 12:00:05 | Service B | Resource Found. Calling Service D |
| 123 | 12:00:06 | Service D | Sub-resource not found. Response: null |
| 123 | 12:00:07 | Service B | Return result. Response User1, resource1 |
| 123 | 12:00:08 | Service A | Return User1, resource1 |
From the example log, i would like to be able to group
Service A (12:00:00 -12:00:01)
Service B (12:00:02)
Service C (12:00:03)
Service B (12:00:04 -12:00:05)
Service D (12:00:06)
Service B (12:00:07)
Service A (12:00:08)
What i'm trying to do right now is a simple event results first before going to any further fancy visualization.
I tried using Transaction but i can't separate the source when there's a different call in between.
Here's the query that i've tried
123
| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| sort - _time
| transaction source
Any help is greatly appreciated.
Thanks,
Allen
