Skip to main content
Sumo Logic

Lab 12 - Analyze Related Log Messages

This lab will teach you how Transaction Analytics provides insight into correlated events helping you identify issues and visualize the flow of data.
The transaction operator, allows you to analyze related sequences of messages based on a unique transaction identifier such as a SessionID or IP Address. Transaction uses the unique identifier you specify to group related messages together and arrange them based on states which you define. This lab uses transaction to track the states a user hits within an e-commerce website called ecommark. This will allow you to conduct analysis on how users are interacting with the e-commerce website.


  1. Run a search for all ecommark log messages (_sourceCategory=Labs/ecommark) for the last 24 hours.

  2. Notice that each message contains details indicating the IP address and the state that was triggered. For example, “Order Shipped” and “GET /checkout/confirmation” are two possible states.

  3. Below is an example search using the transaction operator to capture the some possible states using IP address as the unique identifier. Copy this query into your log search window and use a timeframe of “Last 24 hours":


| parse regex "(?<ip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" nodrop

| transaction on ip

with "*/confirmation*" as confirmation,

with "*Order shipped*" as ordershipped,

with "*/cart*" as cart,

with "*/shippingInfo*" as shippinginfo,

with "*/billinginfo*" as billinginfo

results by flow

| count by fromstate, tostate

  1. Click on your data flow chart to see the visual of the transactions. If you hover over any stage you will see details of that particular stage which may be very useful for identifying a problem or in providing you insight data.

Screen Shot 2021-04-16 at 4.20.55 PM.png

Test Your Knowledge

Remove or comment out the last 2 lines of your query. This will tell the transaction operator to ignore the order in which events happened and simply count the times each state was triggered for a given IP Address without regard for the order in which the states were triggered.