We are having a problem where requests are being sent to webservices but never return. I want to get a list of session numbers that sent a request to the webservice (XML Sent to Service) but did not get a response back (XML Response from Services). The following two lines are from Splunk that indexed our log4j logs of a successful purchase.
2013-07-26 14:48:45 - DEBUG:4LW5DNw1MdB5Rt5RhFUQCA__ - ExternalProcessManager.sendRequestToServices:(213) | XML Response from Services <?xml version="1.0" encoding="UTF-8"?> <purchaseresponse haserror="0"> <price>39.02</price> <product>G-200HA</product> <actioncode>New</actioncode>
host=CA1CW-WEB01 | sourcetype=log4j | source=ca1cw-web01logslog4jcsatp.2013-07-26.log
2013-07-26 14:48:45 - DEBUG:4LW5DNw1MdB5Rt5RhFUQCA__ - ExternalProcessManager.sendRequestToServices:(202) | XML Sent to Service http:/oursite.com/quote-rs/purchase: <?xml version="1.0" encoding="UTF-8"?> <request><purchaserequest><actioncode>New</actioncode><aff>ha</aff><producer>HOMERTBO</producer><productclass>HOMEAWAYCP</productclass><plancode>A1</plancode>
host=CA1CW-WEB01 | sourcetype=log4j | source=ca1cw-web01logslog4jcsatp.2013-07-26.log
How could we structure a query that uses rex to get the session number, then search for any session IDs that did not log an (XML Response from Services)? I have tried this query and don't really know where to go from here:
sourcetype=log4j | rex ":\d\d - \S+:(?<sessionid>\S+) -.*<request><purchaserequest>" | search <response><purchaseresponse>
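
One way to structure such a search, as an added example that is not part of the original post: it takes both message types in one pass, extracts the session ID from the log4j prefix shown in the two sample events, labels each event as a request or a response, and keeps the sessions that logged more requests than responses. The field names sessionid, msgtype, requests, responses and first_seen are chosen here for illustration.

```spl
sourcetype=log4j ("XML Sent to Service" OR "XML Response from Services")
| rex "^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d - \w+:(?<sessionid>\S+) - "
| eval msgtype=case(like(_raw, "%XML Sent to Service%"), "request",
                    like(_raw, "%XML Response from Services%"), "response")
| stats count(eval(msgtype="request")) AS requests
        count(eval(msgtype="response")) AS responses
        min(_time) AS first_seen
        by sessionid
| where requests > responses
| convert ctime(first_seen)
| sort first_seen
```

Comparing counts rather than testing for a missing response also catches a session that sent several requests and got answers to only some of them. A request logged just before the end of the search time range will show up as unanswered, so end the window some margin before "now".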