Let's break down the search piece by piece:
| Search fragment | Description |
| --- | --- |
| `index=main sourcetype=access_combined` | You should be familiar with this search from the recipes in previous chapters. It is used to return events from the website access log. |
| `\| join JSESSIONID usetime=true earlier=false [ search index=main sourcetype=log4j \| transaction threadId maxspan=5m \| eval JSESSIONID=sessionId ]` | Using the join command, we execute a subsearch to return matching events from the web application log. The JSESSIONID field is used as the unique value to join the events on. Within the subsearch, we leverage the transaction command to group all application events together based on their threadId, which is a unique ... |
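
The following Python sketch is an added example, not code from the original text: a simplified model of what the `transaction` subsearch and the time-aware `join` do, run over constructed sample events. The function names and event values are hypothetical, and choosing the nearest later transaction for each access event is a modelling assumption.

```python
from datetime import datetime, timedelta

def ts(hms):
    return datetime.strptime("2024-01-01 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed sample events (illustrative values only).
ACCESS = [  # stands in for sourcetype=access_combined
    {"_time": ts("10:00:00"), "JSESSIONID": "SD1", "uri": "/cart"},
    {"_time": ts("10:01:00"), "JSESSIONID": "SD2", "uri": "/checkout"},
    {"_time": ts("10:30:00"), "JSESSIONID": "SD1", "uri": "/home"},
]
APP = [  # stands in for sourcetype=log4j
    {"_time": ts("10:00:01"), "threadId": "T1", "sessionId": "SD1", "msg": "load cart"},
    {"_time": ts("10:00:03"), "threadId": "T1", "sessionId": "SD1", "msg": "cart ok"},
    {"_time": ts("10:01:01"), "threadId": "T2", "sessionId": "SD2", "msg": "begin checkout"},
    {"_time": ts("10:01:04"), "threadId": "T2", "sessionId": "SD2", "msg": "ERROR payment"},
    {"_time": ts("10:10:00"), "threadId": "T1", "sessionId": "SD1", "msg": "thread reused"},
]

def transaction(events, key, maxspan):
    """Group events sharing `key`; open a new group once maxspan is exceeded."""
    open_tx, done = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        tx = open_tx.get(ev[key])
        if tx is None or ev["_time"] - tx["_time"] > maxspan:
            tx = {"_time": ev["_time"], key: ev[key],
                  "sessionId": ev["sessionId"], "msgs": [], "duration": 0.0}
            open_tx[ev[key]] = tx
            done.append(tx)
        tx["msgs"].append(ev["msg"])
        tx["duration"] = (ev["_time"] - tx["_time"]).total_seconds()
    return done

def subsearch():
    txs = transaction(APP, "threadId", timedelta(minutes=5))
    for tx in txs:
        tx["JSESSIONID"] = tx["sessionId"]  # eval JSESSIONID=sessionId
    return txs

def join_later(main, sub, field):
    """Inner join on `field`; usetime=true earlier=false keeps only later matches."""
    out = []
    for ev in main:
        later = [s for s in sub
                 if s[field] == ev[field] and s["_time"] >= ev["_time"]]
        if later:  # access events with no later transaction are dropped
            m = min(later, key=lambda s: s["_time"])  # assumption: nearest later
            out.append({**ev, "threadId": m["threadId"], "msgs": m["msgs"],
                        "eventcount": len(m["msgs"]), "duration": m["duration"]})
    return out

def correlate():
    return join_later(ACCESS, subsearch(), "JSESSIONID")
```

The 10:30:00 request is dropped because no application transaction for its session starts at or after it, and the reused thread `T1` yields a separate transaction once the 5-minute span is exceeded.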