Hello All,
I'm trying to get the duration from the transaction. The problem here is I've duplicate start events and the transaction is taking the latest duplicate event. Is there a way I can get the transaction of the first duplicate event?
First event (request 1) :
{"evt":146965680,"intelId":"54","intelSeq":2044838,"intelVer":"1","time":"2016-07-27T22:00:02.806Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp212823539","wMethod":"GET","wResource":"https://abc/v2/products/1513131?key=yqtYwkTVvgA","intelCropped":false,"intelLength":354}
Second event (request 2) :
{"evt":146965680,"intelId":"54","intelSeq":2044838,"intelVer":"1","time":"2016-07-27T22:01:03.906Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp212823539","wMethod":"GET","wResource":"https://abc/v2/products/1513131?key=yqtYwkTVvgA","intelCropped":false,"intelLength":354}
Response :
{"evt":146965686,"intelId":"51","intelSeq":2046000,"intelVer":"1","time":"2016-07-27T22:01:02.999Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp2128235399-8101","wStatus":200,"wDurationMicros":25000,"wSize":"15638","intelCropped":false,"intelLength":278}
Below is the query I wrote.
index=myindex sourcetype=jlp_intel_v2 "intelId":"54" OR "intelId":"51"
| transaction uiCorrelationIdV1 maxspan=65s startswith=wMethod endswith=wStatus
| eval difference = duration
| table uiCorrelationIdV1 difference
| sort -difference
I've done the transaction of request events with response event and it always shows the duration between the response and request 2 ignoring the request1.
Can someone please help me?
Thanks in advance.
↧