What is the transaction uuid and how can it help troubleshooting issues?

Article ID: 390455

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

If you have run a policy trace in Cloud SWG, you may be familiar with trace headers that look like these:

start transaction -------------------
transaction ID=1233 type=tcp.tunnel Tenant id='123456789' Policy version=4234 Policy type=Enforcement_point
transaction UUID=6a8754a9b9922ca5-0000000000001200-0000000067cad86b
  TUNNEL tcp://###.###.###.###:443/

start transaction -------------------
transaction ID=1234 type=ssl.tunnel Tenant id='123456789' Policy version=4234 Policy type=Enforcement_point
transaction UUID=6a8754a9b9922ca5-0000000000001202-0000000067cad771
transaction handed off from: 1233
    unknown ssl://www.example.com:443/

start transaction -------------------
transaction ID=1235 type=https.forward-proxy Tenant id='123456789' Policy version=4234 Policy type=Enforcement_point
transaction UUID=6a8754a9b9922ca5-0000000000001203-0000000067cad8a0
transaction handed off from: 1234
    HEAD https://www.example.com

And you can also see the transaction UUID in Cloud SWG reports by selecting the "transaction id" column (this is not available on the customer portal views):

You may also encounter the transaction UUID in HTTP debug logs.

Environment

Cloud SWG Internal systems

Resolution

The Transaction UUID is created by the Edge SWG devices running in the Cloud and it is used by the Edge SWG to identify transactions.

Contrary to its name, this string is not a UUID. Rather, it is a string built from 3 parts that are each 64 bits long, printed in hex (making each field 16 characters long) and delimited by hyphens.

The 3 fields used to make up the transaction-uuid are:

  1. a boxid
  2. an event counter
  3. a timestamp

The boxid is used to identify the Edge SWG device uniquely. It is created when the device is first booted and remains unchanged until the OS is upgraded or factory reset.

The event counter, as the name implies, is a 64-bit integer (most likely unsigned) that is incremented by SGOS. It can be seen to increase by 1 or more between sequential transactions, so it is probably also used for internal events.

Finally the timestamp is the current Unix time when the transaction processing starts.

The boxid can be used to correlate transactions to Cloud SWG pod / proxy.

The event counter can be used to sort events when you have many transactions from the same box with the same timestamp.

And the timestamp can be used to calculate the transaction duration if you are troubleshooting past issues and can't access the log files. The date-time in the log files marks the end of the transaction, so if you convert it to Unix time you can then subtract the integer value of the timestamp field to get the duration.
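
The three uses described above, as an added Python example (not Broadcom's code): it splits a transaction UUID into its fields, orders transactions per box, and computes a duration. The function names are illustrative, the UUIDs are the ones from the trace above, and the log end time is constructed and assumed to be in UTC.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

FIELD = re.compile(r"[0-9a-fA-F]{16}")  # one 64-bit value printed as 16 hex chars

class TransactionUUID(NamedTuple):
    boxid: str    # identifies the Edge SWG device (pod / proxy)
    counter: int  # event counter
    started: int  # Unix time at which transaction processing started

def parse_transaction_uuid(text: str) -> TransactionUUID:
    """Split 'boxid-counter-timestamp' and decode the two numeric fields."""
    parts = text.strip().split("-")
    if len(parts) != 3 or not all(FIELD.fullmatch(p) for p in parts):
        raise ValueError(f"not a transaction UUID: {text!r}")
    return TransactionUUID(parts[0].lower(), int(parts[1], 16), int(parts[2], 16))

def duration_seconds(uuid_text: str, log_end: datetime) -> int:
    """Log date-time (end of transaction) minus the UUID start timestamp."""
    if log_end.tzinfo is None:
        raise ValueError("log_end must be timezone-aware")
    return int(log_end.timestamp()) - parse_transaction_uuid(uuid_text).started

def _sort_key(uuid_text: str):
    t = parse_transaction_uuid(uuid_text)
    return (t.boxid, t.started, t.counter)  # counter breaks same-second ties

def order_transactions(uuid_texts):
    """Group by box, then order by start time, then by event counter."""
    return sorted(uuid_texts, key=_sort_key)

if __name__ == "__main__":
    trace = [  # transaction UUIDs from the policy trace shown above
        "6a8754a9b9922ca5-0000000000001200-0000000067cad86b",
        "6a8754a9b9922ca5-0000000000001202-0000000067cad771",
        "6a8754a9b9922ca5-0000000000001203-0000000067cad8a0",
    ]
    for u in order_transactions(trace):
        t = parse_transaction_uuid(u)
        start = datetime.fromtimestamp(t.started, timezone.utc).isoformat()
        print(t.boxid, t.counter, start)
    # Constructed log end time (assumption: the log date-time is UTC).
    end = datetime(2025, 3, 7, 11, 28, 46, tzinfo=timezone.utc)
    print(duration_seconds(trace[0], end), "seconds")
```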

Here are formulas that can be used in Google Sheets to calculate the duration (assuming the value to convert, the log date-time for the first formula and the transaction UUID for the second, is in cell A1):

 <log-epoch> = (A1 - DATE(1970,1,1)) * 86400
<uuid-epoch> = HEX2DEC(LEFT(INDEX(SPLIT(A1, "-"), 3),8)) + HEX2DEC(RIGHT(INDEX(SPLIT(A1, "-"), 3),8))
<duration> = <log-epoch> - <uuid-epoch>

And here is a sample Google sheet with the formulas in use (with hand-made data):