Issues with sessionize

Comments

2 comments

  • Avatar
    Kevin Keech

    Hi Mark,

    From the log samples it appears there is no whitespace between "SessionId:" and the actual id value. In your sessionize operation you include a whitespace between the key and the value, which means the query will not actually match the logs. Also the second portion of your sessionize operation may not be distinct enough, since it also matches the second log message.

    Give the following a try and see if this gets you better results.

     

    * | sessionize "SessionId:* UserId:* " as (sessionid, userid), "SessionId:$sessionid Retrieved"

  • Avatar
    Mark White

    Hi Kevin,

     

    The space was a copy and paste error. I still don't get any results if I modify the second portion to be distinct (and I again verified with 'join', which worked but only presents the first line of each log message as it's output in 'Aggregates' instead of 'Messages' view).

Please sign in to leave a comment.