As part of our index, we log events for every request we make to our downstream systems. Each system which receives a request appends a TraceContext (GUID) to the incoming TraceContext. Idea is to have a way to get the chain of events.
Here are sample set of event messages:
SourceName=QueryAPI
EventCode=11
Payload={
"TraceContext":"__91e30cbc-5bf7-43cb-b615-ce83e3abad36|662deb50-22bc-4211-bf19-a49acc2a790d__",
"EventName":"Start"
}
SourceName=QueryAPI
EventCode=10
Payload={
"TraceContext":"__91e30cbc-5bf7-43cb-b615-ce83e3abad36|662deb50-22bc-4211-bf19-a49acc2a790d__|5a595ffe-9a5d-4abd-93fb-d57c3f427af0",
"EventName":"Receive"
}
SourceName=QueryAPI
EventCode=9
Payload={
"TraceContext":"__91e30cbc-5bf7-43cb-b615-ce83e3abad36|662deb50-22bc-4211-bf19-a49acc2a790d__|5a595ffe-9a5d-4abd-93fb-d57c3f427af0",
"EventName":"Send"
}
SourceName=QueryAPI
EventCode=12
Payload={
"TraceContext":"__91e30cbc-5bf7-43cb-b615-ce83e3abad36|662deb50-22bc-4211-bf19-a49acc2a790d__",
"EventName":"Stop"
}
I am running the search below to identify the starting event TraceContext and using that in subsearch, hoping to see all the matching events, but my search does not produce any events:
index=IndexName SourceName=SomeName [search index=IndexName SourceName=SomeName EventCode=11 | table TraceContext]
If I just run the subsearch search separately and use the TraceContext string and use that for a new search, I can find all the matching events.
index=IndexName SourceName=SomeName EventCode=11 | table TraceContext
-> returns "91e30cbc-5bf7-43cb-b615-ce83e3abad36|662deb50-22bc-4211-bf19-a49acc2a790d"
and running
index=IndexName SourceName=SomeName "91e30cbc-5bf7-43cb-b615-ce83e3abad36|662deb50-22bc-4211-bf19-a49acc2a790d"
returns all records. I am not sure what am I doing wrong.
↧