The Sessionize operator allows you to use an extracted value from one log message (generated from one system) to find correlating values in log messages from other systems. After you run Sessionize, these related events are displayed on the same page. The thread of logs woven together is called a session.
Depending on your use case, you could also use the Join operator, which may be more appropriate and easier to use.
For example, let's say we have the value of a userRequestId, which entered a distributed system; the request goes through systems named Service, Stream, and Config:
Each system generated log messages, so we know that at some point a failure occurred. We know the userRequestID value from the log files from the Service machine, and we know the serviceSessionId, streamRequestId, and configSessionId. Using Sessionize, we can weave together these disparate logs to identify where the failure occurred.
sessionize (anchor pattern1) as (alias list1), (anchor pattern2) as (alias list2)
Where anchor pattern is like a parse anchor expression, except that it can include variables from previous expressions (using
- The Sessionize operator is followed by more than one anchor expression.
- Each anchor expression can be used to extract one or more variables from a matching log.
- You can use the extracted variable to join with a second log message containing that variable using a $variableName notation.
After using the Trace operator to find related sessions, you can use the Sessionize operator to refine the results.
(SearchServiceImpl Creating Query) or (Stream SessionId using searchSessionId) or (Started search with sessionId)
| sessionize "session: '*', streamSessionID: '*'" as (serviceSessionId, streamSessionId),
"Stream SessionId=$streamSessionId using searchSessionId=* and rawSessionId=*" as (searchSessionId, rawSessionId),
"Started search with sessionId: $searchSessionId, customerId: *, query: *" as (customerId, query)
We can break this down to:
- Specify the search conditions that correlate three types of logs (not strictly required, but recommended).
- Extract serviceSessionId and streamSessionId from the first log type.
- Join with the second log type using serviceSessionId, and use that ID to extract searchSessionId and rawSessionId.
- Join with the third log type using searchSessionId extracted in line three.