Issues with sessionize
I've got log entries looking like:
from controllers.Logged in play-akka.actor.default-dispatcher-446 SessionId:ztlIsYFI Retrieved Logic3
from services.UserService in play-akka.actor.default-dispatcher-443 SessionId:ztlIsYFI UserId:14223 Fetched user
It's useful to be able to view it with the user id against every entry. It seems I should be able to sessionize these by user with:
* | sessionize "SessionId: * UserId: * " as (sessionid, userid), "SessionId: $sessionid "
but it doesn't return any results. This does work, but the output format isn't great:
* | join (parse "*SessionId:* " as message,sessionid) as all, (parse "SessionId:* UserId: * " as sessionid,userid) as user on all.sessionid=user.sessionid
Any idea why this sessionize wouldn't return any results?
From the log samples it appears there is no whitespace between "SessionId:" and the actual id value. In your sessionize operation you include a whitespace between the key and the value, which means the query will not actually match the logs. Also the second portion of your sessionize operation may not be distinct enough, since it also matches the second log message.
Give the following a try and see if this gets you better results.
* | sessionize "SessionId:* UserId:* " as (sessionid, userid), "SessionId:$sessionid Retrieved"
The space was a copy and paste error. I still don't get any results if I modify the second portion to be distinct (and I again verified with 'join', which worked but only presents the first line of each log message as it's output in 'Aggregates' instead of 'Messages' view).
Please sign in to leave a comment.