Hi everybody ...
I have this kind of logs in my environment. Every transaction has these 4 log messages, but there is no unique ID for each transaction. It simply generates this kind of message, but there is no information to correlate it for one particular transaction. But I need to find the INFORMATION, whatever is in between inbound and outbound. Can anyone help me with that?
Thanks in advance.
Give this a try. This should group relevant transaction events together.
Your base search | eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield
If you're looking for specific output, please provide a sample/details of that.
index=ccsp_test_was source="/usr/WASLogs700/cdhpws_uat*_/cdhpws/logs/application.log" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse"
AND "Outbound Message" OR "Inbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode"
OR "provZipCode assigned to zipCode" OR "bnftAgrmtNbr" |rex "(?Inbound|Outbound)" |eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield | rex "ID:(?.)"
|rex "(?m)(?.)"|rex "(?m)(?.)"|rex "(?m)(?.)"|rex "(?.)" |rex "(?.)"|rex "(?.)" | rex "(?.)" | rex "(?.)" |rex "(?.)" |rex "(?.)"|rex "(?.)"| rex "(?.)"|rex "(?.)" |rex "provZipCode assigned to zipCode:(?.)"| rex "memZipCode assigned to zipCode:(?.*)"|stats max(_time) as startTime,min(_time) as endTime,values(info) as Info,values(ResponseTime) as responseTime,values(StatusCode) as StatusCode,values(message) as StatusMessage,values(CorpEntCd) as corpEntCd,values(costlvlpctl) as Costlvlpctl,values(CptCode) as cptCode,values(GroupNbr) as GroupNbr,values(MemZipCode) as memZipCode,values(procdchrgamt) as ProcChrgamt,values(ProvZipCode) as ProvZipCode,values(SectionNbr) as SectionNbr,values(ServiceDate) as ServiceDate,values(tretcatcd) as TretCatCd,values(tretcatname) as TretCatName,values(bnftAgrmtNbr) as bnftAgrmtNbr,values(acctNbr) as acctNbr,values(provassignZip) as provassignZip,values(memzipassignzip) as memzipassignzip by id,source
|eval responseTime=startTime-endTime |eval StartTime=strftime(startTime,"%Y-%m-%d %H:%M:%S,%3N")|eval EndTime=strftime(endTime,"%Y-%m-%d %H:%M:%S,%3N")
|table id,Info,StartTime,EndTime,responseTime,StatusCode,StatusMessage,source,corpEntCd,Costlvlpctl,cptCode,GroupNbr,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,provassignZip,memzipassignzip
Could you please help me with this? While adding the above code into my search I am getting results, but the responseTime is coming because I am losing the time for the outbound message, as I need to display the transaction startTime and endTime in the final result... thanks in advance..
index=ccsp_prd_was source="/usr/WASLogs700/cdhpws_/cdhpws/logs/application.log" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Inbound Message" OR "Outbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode" OR "provZipCode assigned to zipCode" OR "bnftAgrmtNbr" | rex "ID:(?.)" |rex "(?Inbound|Outbound)" | eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield by id.....
I am using this query in production ... There are 1 or 2 requests not properly combined because, for those requests, there will be first an outbound message and afterwards an inbound message....... Could you please tell me how I can change the query....
Thanks in advance....
Any specific reasons why the outbound message came before inbound? My answers rely on the order of inbound and outbound messages and will not work if the order is changed.
I don't know... Even I have checked the timestamp.. the timestamp is good ... once inbound is processed, then only the outbound message is processed .. but in the logs it has been written like that.. for some of the requests...
Sometimes 2 requests are processing simultaneously ... that's why I am getting 2 inbound and outbound messages at a time.... like this order
outbound 28773
inbound 28773
outbound 28772
outbound 28771
inbound 28772
inbound 28771
It would be really difficult to differentiate two concurrent transactions without a unique identifier. Maybe check with the log source on how you can get that added.
The log source is also the same, bro..
Maybe you need to sort the events by timestamp so that the order is proper? Try adding | sort 0 -_time before eval transfield.
Can there be more than one transaction going on at the same time?
No, for each transaction there is a difference of some milliseconds.
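Added illustration, not code from any poster in this thread: a Python model of the answer's accum/transaction grouping (events walked newest-first, every "Outbound Message" opens a new group), run over constructed events in the sequential case and in the interleaved order reported above, to show why the grouping breaks once two requests overlap. The timestamps and the trailing request labels are assumptions used only to check the result.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data). The trailing number labels the
# request so the grouping can be checked; the real logs carry no such ID.
SEQUENTIAL = [
    "2019-01-01 10:00:00,400 Outbound Message 28772",
    "2019-01-01 10:00:00,300 Inbound Message 28772",
    "2019-01-01 10:00:00,200 Outbound Message 28771",
    "2019-01-01 10:00:00,100 Inbound Message 28771",
]
# Same kind of events in the overlapping order reported in the thread (newest first).
INTERLEAVED = [
    "2019-01-01 10:00:00,600 Outbound Message 28773",
    "2019-01-01 10:00:00,500 Inbound Message 28773",
    "2019-01-01 10:00:00,400 Outbound Message 28772",
    "2019-01-01 10:00:00,300 Outbound Message 28771",
    "2019-01-01 10:00:00,200 Inbound Message 28772",
    "2019-01-01 10:00:00,100 Inbound Message 28771",
]
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (.*)$")


def parse(line):
    """Split a raw line into (timestamp, message text)."""
    m = LINE_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2)


def group_by_outbound(lines):
    """Model of: | sort 0 -_time | eval transfield=if(searchmatch("Outbound Message"),1,0)
                 | accum transfield | transaction transfield
    Walk events newest-first; each Outbound Message bumps the running total, so
    it and the older events that follow it share one transaction number."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0], reverse=True)
    groups, counter = defaultdict(list), 0
    for _, text in events:
        if "Outbound Message" in text:
            counter += 1  # accum: the boundary event starts a new group
        groups[counter].append(text)
    return [groups[k] for k in sorted(groups)]


def groups_are_consistent(groups):
    """True only if every group holds messages of a single request label."""
    return all(len({re.search(r"(\d+)$", t).group(1) for t in g}) == 1 for g in groups)


if __name__ == "__main__":
    for name, lines in (("sequential", SEQUENTIAL), ("interleaved", INTERLEAVED)):
        groups = group_by_outbound(lines)
        print(name, "consistent" if groups_are_consistent(groups) else "MIXED", groups)
```

With the interleaved order the third group joins request 28771's outbound with both remaining inbound messages, which is the mis-combination described above; sorting by _time does not repair it because those events are already in time order.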