Search code examples
sqlt-sqliislogparser

Whiting a group by query for logparser to look for a pattern

I already asked this on another forum but I didn't get any answers or ideas. What I am looking to do is to look for a patterns in my log files when a specific scenario is occurring.

I would like to know if a user session is getting timed out prior to 10 minutes where the last GET Request is to timeout.aspx I was able to parse out the aspnetsessionid and group by that, but I am missing another part. I need to subtract the time taken from start to end of that session.

Here is how I started

   SELECT  
    TO_STRING(time, 'm') as mins,
        EXTRACT_TOKEN(EXTRACT_TOKEN(cs(Cookie), 1, 'ASP.NET_SessionId='), 0, ';+__ut') as    ASPNETSESSIONID From C:\logs\ex11*.log
    GROUP BY ASPNETSESSIONID, mins

Here is an example of a case where a timeout is ocuring prior to 10 min

Line Number Date    Time    Client-IP   Server IP   Server Port Request Verb    Request URI, ASPNETSessionID
255 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /webpage.aspx   1234567890
256 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
257 4/1/2011    19:40:58    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
260 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 POST    /Formle.aspx    1234567890
261 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
263 4/1/2011    19:41:05    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
265 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 POST    /FormItemsTable.aspx    1234567890
266 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /FormRecord.aspx    1234567890
267 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
268 4/1/2011    19:41:12    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
273 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 POST    /FormRd.aspx    1234567890
274 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
275 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
276 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 GET /Timeout.aspx   1234567890
Solution

  • Although there is an accepted answer on the question I would say: This logic is not possible to implement with logparser.