Chapter 5: Correlation and Parameterization

The Correlation Workflow

Before we dive into specific extractors, let me give you the mental model for correlation. Think of it as a three-step dance that happens between every pair of dependent requests. Once you internalize this pattern, you can correlate anything -- HTML forms, JSON APIs, XML SOAP responses, even binary protocols.

The Three-Step Correlation Pattern

Correlation Flow

Step 1: Identify

Find the response that contains the dynamic value

→

Step 2: Extract

Add a Post Processor to capture the value into a JMeter variable

→

Step 3: Inject

Use ${variable_name} in subsequent requests

Step 1: Identify -- Finding the Source Response

This is the detective work. You need to figure out which response contains the value you need. Open the View Results Tree listener, run your test once, and look at the Response Body tab for each request. Search for the token value that you see hardcoded in the next request. For example, if your POST /login sends csrf=abc123, search for "abc123" in the response body of the GET /login that came before it.

Dynamic values can hide in unexpected places: response headers (Set-Cookie, X-Request-Id), response body (HTML hidden fields, JSON properties), redirect URLs (query parameters), and even sub-samples (embedded resources). Always check ALL parts of the response, not just the body.

Step 2: Extract -- Choosing the Right Extractor

JMeter gives you several Post Processors for extraction. Choosing the right one depends on the response format. This is like choosing the right tool from your toolbox -- you would not use a hammer to turn a screw.

Response Format	Best Extractor	When to Use
HTML pages	Regular Expression Extractor or CSS/JQuery Extractor	CSRF tokens in hidden fields, values in HTML attributes
JSON APIs	JSON Extractor	REST API responses, auth tokens, resource IDs
XML/SOAP	XPath Extractor	SOAP responses, XML-based APIs
Any format	Regular Expression Extractor	Fallback for anything -- headers, cookies, non-standard formats
Complex logic	JSR223 PostProcessor (Groovy)	When no built-in extractor can handle your case

Step 3: Inject -- Using the Extracted Variable

Once you extract a value into a variable (say, csrf_token), you reference it anywhere in JMeter using the ${csrf_token} syntax. This works in request bodies, URLs, headers, parameters -- literally anywhere you can type text in JMeter. JMeter replaces ${csrf_token} with the actual extracted value at runtime.

Where you can use ${variable_name}text

# In URL path:
GET /api/users/${user_id}/profile

# In request body (form data):
username=${username}&password=${password}&_csrf=${csrf_token}

# In request body (JSON):
{"orderId": "${order_id}", "token": "${auth_token}"}

# In HTTP Header Manager:
Authorization: Bearer ${jwt_token}
X-CSRF-Token: ${csrf_token}

# In another extractor's regex (chaining):
Regular Expression: "userId":"${user_id}","orderStatus":"(.+?)"

# Even in filenames for CSV Data Set Config:
test-data/${env}_users.csv

Where to Place the Extractor in the Test Plan

This trips up a lot of beginners. Post Processors are children of the sampler (request) whose response you want to extract from. If you want to extract a token from the response of "GET /login", you right-click on "GET /login" and add the extractor as a child. NOT as a child of the next request. NOT as a sibling. As a CHILD of the source request.

Correct Placement in Test Plan Treetext

Test Plan
└── Thread Group
    ├── GET /login                          <-- Source request
    │   └── Regular Expression Extractor    <-- CORRECT: child of source
    │       (extracts csrf_token)
    ├── POST /login                         <-- Uses ${csrf_token}
    │   └── JSON Extractor                  <-- Extracts auth_token from POST response
    │       (extracts auth_token)
    └── GET /api/dashboard                  <-- Uses ${auth_token}

# WRONG placement:
Test Plan
└── Thread Group
    ├── GET /login
    ├── Regular Expression Extractor        <-- WRONG: sibling, not child
    ├── POST /login
    └── GET /api/dashboard

If your extractor is not capturing anything, the first thing to check is placement. Drag it so it is indented under the correct request in the test plan tree. I have wasted hours debugging regex patterns only to realize the extractor was attached to the wrong request.

Q: Where should you place a Post Processor in JMeter, and what happens if you place it wrong?

A: A Post Processor should be added as a child of the HTTP sampler whose response contains the value you want to extract. If placed as a sibling or child of the wrong sampler, it will try to extract from the wrong response and either return an empty value or the wrong value. For example, if a CSRF token comes in the GET /login response, the Regular Expression Extractor must be a child of the GET /login sampler, not the POST /login sampler.

Key Point: Correlation follows a three-step pattern: Identify the source response, Extract the value with the right Post Processor placed as a child of the source sampler, and Inject using ${variable} syntax.

Previous Up NextRegular Expression Extractor -- The Swiss Army Knife