< Back to Best Practices

Example of combining transaction search with macro and form search

REQUEST:

Report on a field from a "request" message if and only if the matching "response" message contains a certain error message.

This is a totally fake example, but it's simple enough to get the point across.

LOG:

request: transaction_id=12444 accountNumber=987654321 action=upgrade

response: transaction_id=12444 error="already closed"

request: transaction_id=55555 accountNumber=987654321 action=upgrade

response: transaction_id=55555 error="success"

request: transaction_id=44444 accountNumber=987654311 action=upgrade

response: transaction_id=44444 error="already closed"

request: transaction_id=12244 accountNumber=987654311 action=upgrade

response: transaction_id=12244 error="success"

STEPS TO CREATE THE SEARCH:

1. Search for your requested events. (I just used a search by source)

2. Pipe to the transaction command based on the same transaction_id field.

3. Search again just for the events with the error="already closed"

source="/Users/mzax/tmp/cox2.log" | transaction fields=transaction_id | search error="already closed"

4. Change the error field to a macro field.

source="/Users/mzax/tmp/cox2.log" | transaction fields=transaction_id | search $error$

5. Save the search. (I called it try_cox_trans)

Now you can run this with any error message that you want.

| savedsearch try_cox_trans error="already closed"

You'll get only the grouped events that has the error=<something> field.

Then if you want reports on those, you can pipe to the chart command based on any field from the events.

source="/Users/mzax/tmp/cox4.log" | transaction fields=transaction_id | search $error$ | chart count(action) by accountNumber

You can save this search and use it as a form search. i.e. select this from the saved search list.