Sumo Logic

Lab 13 - Analyze Related Log Messages

The transaction operator lets you analyze related sequences of messages based on a unique transaction identifier such as a SessionID or an IP address. Transaction uses the identifier you specify to group related messages together and then arranges them by states that you define. This lab uses transaction to track the states a user hits within an e-commerce website called ecommark, which lets you analyze how users move through the site.


  1. Run a search for all ecommark log messages (_sourceCategory=Labs/ecommark) for the last 24 hours.

  2. Notice that each message contains the client IP address and the state that was triggered. For example, "Order Shipped" and "GET /checkout/confirmation" are two possible states.

  3. Below is an example search that uses the transaction operator to capture some of the possible states, using the IP address as the unique identifier. Copy this query into your log search window and use a timeframe of "Last 1 hour":

_sourceCategory=Labs/ecommark
| parse regex "(?<ip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" nodrop
| transaction on ip
with "*/confirmation*" as confirmation,
with "*Order shipped*" as ordershipped,
with "*/cart*" as cart,
with "*/shippingInfo*" as shippinginfo,
with "*/billinginfo*" as billinginfo
results by flow

  4. Now let's see how often each state transition occurred by using the count operator. Add a count by fromstate, tostate to the end of the query:

_sourceCategory=Labs/ecommark
| parse regex "(?<ip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" nodrop
| transaction on ip
with "*/confirmation*" as confirmation,
with "*Order shipped*" as ordershipped,
with "*/cart*" as cart,
with "*/shippingInfo*" as shippinginfo,
with "*/billinginfo*" as billinginfo
results by flow
| count by fromstate, tostate

  5. To chart these aggregate results, select the flowchart to see a Sankey diagram of the transaction flow.

Bonus:

Remove or comment out (Sumo Logic uses // for comments) the last two lines of the query, "results by flow" and "| count by fromstate, tostate". Without "results by flow", the transaction operator ignores the order in which events happened and returns one row per IP address showing how many times each state was triggered, regardless of the order in which those states occurred.
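The following Python script is an added example, not part of the lab and not Sumo Logic code. It reproduces, over a handful of constructed log lines, what steps 3 and 4 ("results by flow" followed by "count by fromstate, tostate") and the bonus step (order-insensitive per-IP state counts) compute, so you can see how the grouping, state matching and transition counting fit together. The sample lines, their timestamps and IPs are invented, the glob matching uses Python's fnmatch as a stand-in for Sumo Logic's "*" wildcards, and counting a repeated state (cart -> cart) as a transition is an assumption the page does not confirm.

```python
import re
from collections import Counter, defaultdict
from fnmatch import fnmatchcase

# Same IPv4 pattern as the lab's `parse regex ... nodrop` clause.
IP_RE = re.compile(r"(?P<ip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# The lab's `with "<glob>" as <state>` clauses, checked in the order written.
STATES = [
    ("*/confirmation*", "confirmation"),
    ("*Order shipped*", "ordershipped"),
    ("*/cart*", "cart"),
    ("*/shippingInfo*", "shippinginfo"),
    ("*/billinginfo*", "billinginfo"),
]

# Constructed sample lines (not real ecommark data), assumed already time-ordered.
SAMPLE_LOGS = [
    "2024-03-01 10:00:01 10.1.1.5 GET /cart 200",
    "2024-03-01 10:00:05 10.1.1.5 POST /shippingInfo 200",
    "2024-03-01 10:00:09 10.1.1.5 POST /billinginfo 200",
    "2024-03-01 10:00:12 10.1.1.5 GET /checkout/confirmation 200",
    "2024-03-01 10:00:20 10.1.1.5 Order shipped to customer",
    "2024-03-01 10:01:00 192.168.7.9 GET /cart 200",
    "2024-03-01 10:01:30 192.168.7.9 GET /cart 200",
    "2024-03-01 10:01:45 192.168.7.9 POST /shippingInfo 200",
    "2024-03-01 10:02:00 203.0.113.4 GET /healthz 200",   # has an IP, hits no state
    "2024-03-01 10:02:10 scheduled job finished",          # no IP: nodrop keeps it
]


def parse_ip(line):
    """`parse regex ... nodrop`: return the IP, or None while keeping the line."""
    m = IP_RE.search(line)
    return m.group("ip") if m else None


def match_state(line):
    """Map a message to the first `with` state whose glob matches; None if none."""
    for pattern, state in STATES:
        if fnmatchcase(line, pattern):  # `*` matches any run of characters
            return state
    return None


def group_transactions(lines):
    """`transaction on ip`: per IP, the ordered list of states that were hit.
    Messages without an IP or without a matching state contribute nothing."""
    sequences = defaultdict(list)
    for line in lines:
        ip, state = parse_ip(line), match_state(line)
        if ip is not None and state is not None:
            sequences[ip].append(state)
    return dict(sequences)


def results_by_flow(lines):
    """`results by flow | count by fromstate, tostate`: count each consecutive
    state pair inside a transaction. Repeats such as cart -> cart are counted
    here (assumption; the lab does not say how Sumo Logic treats them)."""
    flow = Counter()
    for states in group_transactions(lines).values():
        for fromstate, tostate in zip(states, states[1:]):
            flow[(fromstate, tostate)] += 1
    return flow


def results_by_transactions(lines):
    """The bonus step with `results by flow` removed: one row per IP with how
    many times each state was hit, order ignored."""
    return {ip: Counter(states) for ip, states in group_transactions(lines).items()}


if __name__ == "__main__":
    for (f, t), n in sorted(results_by_flow(SAMPLE_LOGS).items()):
        print(f"{f:>13} -> {t:<13} {n}")
    for ip, counts in results_by_transactions(SAMPLE_LOGS).items():
        print(ip, dict(counts))
```

Two points worth keeping in mind when you run the real query: an IP address is a weak transaction identifier, since users behind a NAT gateway or proxy share one address and their sessions will be merged into a single transaction, so prefer a session or user identifier when the logs carry one; and in the flow view, transitions that skip an expected state (for example cart straight to confirmation with no billinginfo in between) are exactly the sequences a security reviewer should look at, because they show a client reaching a state without passing through the steps the application expects.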