Sorry for being unclear, an example request with response (entries which I can find with my searches):
85a54844766753b0 is a correlationId
Request entry:
2020-06-02 19:06:27,463 INFO com.Logger {
"origin" : "remote",
"type" : "request",
"correlationId" : "85a54844766753b0",
"protocol" : "HTTP/1.1",
"method" : "PUT",
"uri" : "http://myuri.net:4949/orders/123456/status",
"body" : {"status":"AUTO_CANCELED"}
}
Response entry:
2020-06-02 19:15:28,808 INFO com.Logger {
"origin" : "local",
"type" : "response",
"correlationId" : "85a54844766753b0",
"duration" : 541344,
"protocol" : "HTTP/1.1",
"status" : 204
}
So this is an example where a request with body {"status":"AUTO_CANCELED"} resulted in a response with over 50s response time. This is the information I need to identify which requests are taking a long time to finish since I have some load issues.
So now with this query:
source="abc.log"
| rex "\"duration\" : (?<duration>\d+)"
| rex "\"correlationId\" : \"(?<correlationId>[^\"]+)"
| where duration > 50000
I can find entries in the event which have duration > 50000. For each entry in the event list, I would also like to see the connected request (not only response) so that I can figure out which request was sent in this case 🙂
What I currently do is that I have to copy the correlationId, make a new search for
source="abc.log"
\"correlationId\" : \"85a54844766753b0\"
To be able to see the actual request that resulted in a high duration for the response 🙂
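The manual lookup described in the post (find a slow response, then search again for its correlationId) can be done in one pass over the file outside Splunk. This is an added example, not part of the original post; `slow_requests`, `fmt` and every sample entry other than the first request/response pair are constructed for illustration.

```python
import json
import re

# One entry = timestamp header + JSON object whose closing brace starts a line.
ENTRY = re.compile(r"^(\S+ \S+) INFO com\.Logger (\{.*?^\})", re.M | re.S)

def slow_requests(log_text, threshold=50000):
    """Pair each response over `threshold` with the request sharing its correlationId."""
    requests, responses = {}, []
    for ts, payload in ENTRY.findall(log_text):
        try:
            entry = json.loads(payload)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed entries
        entry["_time"] = ts
        if entry.get("type") == "request":
            requests[entry.get("correlationId")] = entry
        elif entry.get("type") == "response":
            responses.append(entry)
    # Pair in a second step so the order of entries in the file does not matter.
    return [
        {"correlationId": r.get("correlationId"), "duration": r["duration"],
         "request": requests.get(r.get("correlationId"))}  # None if request not logged
        for r in responses
        if isinstance(r.get("duration"), int) and r["duration"] > threshold
    ]

def fmt(ts, fields):
    """Render a constructed entry in the post's layout."""
    body = ",\n".join(f'"{k}" : {json.dumps(v)}' for k, v in fields.items())
    return f"{ts} INFO com.Logger {{\n{body}\n}}\n"

# Constructed sample: the first pair uses the post's values, the rest are made up.
SAMPLE_LOG = "".join(fmt(ts, f) for ts, f in [
    ("2020-06-02 19:06:27,463", {"type": "request", "correlationId": "85a54844766753b0",
      "method": "PUT", "uri": "http://myuri.net:4949/orders/123456/status",
      "body": {"status": "AUTO_CANCELED"}}),
    ("2020-06-02 19:15:28,808", {"type": "response", "correlationId": "85a54844766753b0",
      "duration": 541344, "status": 204}),
    ("2020-06-02 19:16:00,100", {"type": "request", "correlationId": "00000000000000aa",
      "method": "GET", "uri": "http://myuri.net:4949/orders/1/status"}),
    ("2020-06-02 19:16:00,150", {"type": "response", "correlationId": "00000000000000aa",
      "duration": 50, "status": 200}),
    ("2020-06-02 19:17:00,000", {"type": "response", "correlationId": "00000000000000bb",
      "duration": 60000, "status": 500}),
])

if __name__ == "__main__":
    for hit in slow_requests(SAMPLE_LOG):
        req = hit["request"] or {}
        print(hit["correlationId"], hit["duration"], req.get("method"), req.get("uri"), req.get("body"))
```

A slow response whose request was never logged is still reported, with `request` set to `None`, so missing request entries stay visible instead of being dropped.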