Extraction Rules in Web Application Transaction Monitoring

Extraction Rules can be useful when creating a synthetic transaction for a web request, for instance when the page you need to monitor uses a unique session id that needs to be passed on from the login request to the following request.

In this example the login form uses a unique identifier to prevent Cross-site request forgery (CSRF). This needs to be passed on to the following request.

Click the Add Monitoring Wizard from the Authoring pane.


Set a Name and select a Management Pack to save it in.


Enter a URL to proceed to the next step.


Choose one or more Watcher Nodes.


Click on Start Capture to start a recording.

Note that some requirements must be met for the Internet Explorer window to be able to load the add-on running the web recorder. For example, IE10 is not supported, and you might need to run the IE window in 64-bit mode and enable third-party browser extensions (find out more here).


Browsing to a page will record the address as seen in the Web Recorder explorer bar.


I’ll create two recordings: one for the login page and a second that actually performs the login. In the latter, the form post variables will be displayed directly in the Web Recorder.


Now there are two recordings in the editor.


Pressing Run Test will display an error.


Taking a look at the source of the login page reveals the hidden csrf variable.


In the code, a new session variable is generated whenever the login page is entered.


Now it’s time to use the Extraction Rules. You can locate the tab under Properties for the request in question.


Click the Add button to open the Add Extraction Rule window. From the source code we know that the variable entry starts with csrf” value=” and ends with a .


Now it is time to add that variable to the next request. Click Insert Parameter on the General tab to insert it into the Response Body.


Select the previously created parameter and insert it into the Response Body.


The test is now successful.


In the Monitoring pane under the view Web Application State the state is Healthy.
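
What the extraction rule and the inserted parameter do between the two requests, as an added Python example that is not part of the original post or of SCOM itself. The login page, the token value, the closing delimiter " and the placeholder name $SessionContext/csrf$ (modelled on the form quoted in the comments) are assumptions.

```python
import re
from urllib.parse import quote

# Constructed login page. The field name "csrf" follows the post; the token is made up.
LOGIN_PAGE = """<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="3f9a1c7e5b2d4a60">
</form>"""

# Recorded form post with the per-session value replaced by a placeholder (assumed name).
RECORDED_BODY = "username=monitor&password=EXAMPLE&csrf=$SessionContext/csrf$"


def extract_between(body, starts_with, ends_with):
    """Return the text between the first starts_with and the next ends_with, else None."""
    start = body.find(starts_with)
    if start == -1:
        return None
    start += len(starts_with)
    end = body.find(ends_with, start)
    return body[start:end] if end != -1 else None


def insert_parameters(template, context):
    """Fill $SessionContext/<name>$ placeholders, refusing to send an unresolved one."""
    def fill(match):
        value = context.get(match.group(1))
        if value is None:
            raise KeyError("no extracted value for " + match.group(1))
        return quote(value, safe="")  # keep the form body well-formed
    return re.sub(r"\$SessionContext/(\w+)\$", fill, template)


def replay_login(login_page):
    """Request 1 yields the token; request 2 carries it back in its body."""
    token = extract_between(login_page, 'csrf" value="', '"')
    return insert_parameters(RECORDED_BODY, {"csrf": token})


if __name__ == "__main__":
    print(replay_login(LOGIN_PAGE))
    try:
        replay_login("<html>maintenance page, no form</html>")
    except KeyError as err:
        print("extraction failed:", err)
```

A token replayed from the recording instead of extracted fresh is rejected by the CSRF check, which is why the first Run Test fails until the rule is in place.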


For another example see the TechNet page: http://technet.microsoft.com/en-us/library/gg494976.aspx


SCOM 2007 R2, SCOM 2012, Web Application Monitoring

5 responses to Extraction Rules in Web Application Transaction Monitoring

  1. Ravi

    As you could see that the username and password are visible in test result, is there any way we could hide them or if we could use runas account?

    FYI: I tried with Transaction monitoring and removed all the text under the POST method (as depicted at your post in insert.png image) (assuming that it will throw an error in absence of credentials) but still my web app is showing healthy 🙁 don’t know why…..still investigating it…..appreciate if you could have any pointers for this issue.


  2. Markus

    Maybe you do not need to extract anything to move on with your requests? Then you could just use a runas account.

  3. Rav

    Hi Markus!
    I know it’s an old post but it’s the only one I found explaining this 🙂 Thank you for this post!
    I hope you get this reply.
    My situation is similar but different 🙂 the session variable that can be declared as a variable is being passed using GET instead of POST and we cannot use the insert parameter option for a GET.

    Have you come across this? How can we insert the variable into the GET part of the next link?

    Immediately after the login action, I see this in the request body: bttoken=$SessionContext/bttoken$
    Is it possible to insert this in GET?

    • Markus

      Hello Rav!
      You should be able to put the extracted value into the URL of the next request. There is an insert button for Parameters if you open the Properties window for a request.

  4. Promod

    What is the requirement to create a recorded browse session for a web site?
