通过查询 logparser 来查找组以查找模式

发布于 2024-10-30 04:54:21 字数 2207 浏览 4 评论 0原文

我已经在另一个论坛上问过这个问题,但我没有没有得到任何答案或想法。我想做的是在发生特定场景时在日志文件中查找模式。

我想知道用户会话是否在 10 分钟之前超时,其中最后一个 GET 请求是 timeout.aspx 我能够解析出 aspnetsessionid 并按其分组,但我缺少另一部分。我需要减去该会话从开始到结束所花费的时间。

这是我如何开始的

   SELECT  
    TO_STRING(time, 'm') as mins,
        EXTRACT_TOKEN(EXTRACT_TOKEN(cs(Cookie), 1, 'ASP.NET_SessionId='), 0, ';+__ut') as    ASPNETSESSIONID From C:\logs\ex11*.log
    GROUP BY ASPNETSESSIONID, mins

这是一个在 10 分钟之前发生超时的情况示例

Line Number Date    Time    Client-IP   Server IP   Server Port Request Verb    Request URI, ASPNETSessionID
255 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /webpage.aspx   1234567890
256 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
257 4/1/2011    19:40:58    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
260 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 POST    /Formle.aspx    1234567890
261 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
263 4/1/2011    19:41:05    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
265 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 POST    /FormItemsTable.aspx    1234567890
266 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /FormRecord.aspx    1234567890
267 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
268 4/1/2011    19:41:12    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
273 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 POST    /FormRd.aspx    1234567890
274 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
275 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
276 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 GET /Timeout.aspx   1234567890

I already asked this on another forum but I didn't get any answers or ideas. What I am looking to do is to look for a patterns in my log files when a specific scenario is occurring.

I would like to know if a user session is getting timed out prior to 10 minutes where the last GET Request is to timeout.aspx
I was able to parse out the aspnetsessionid and group by that, but I am missing another part. I need to subtract the time taken from start to end of that session.

Here is how I started

   SELECT  
    TO_STRING(time, 'm') as mins,
        EXTRACT_TOKEN(EXTRACT_TOKEN(cs(Cookie), 1, 'ASP.NET_SessionId='), 0, ';+__ut') as    ASPNETSESSIONID From C:\logs\ex11*.log
    GROUP BY ASPNETSESSIONID, mins

Here is an example of a case where a timeout is ocuring prior to 10 min

Line Number Date    Time    Client-IP   Server IP   Server Port Request Verb    Request URI, ASPNETSessionID
255 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /webpage.aspx   1234567890
256 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
257 4/1/2011    19:40:58    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
260 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 POST    /Formle.aspx    1234567890
261 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
263 4/1/2011    19:41:05    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
265 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 POST    /FormItemsTable.aspx    1234567890
266 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /FormRecord.aspx    1234567890
267 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
268 4/1/2011    19:41:12    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
273 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 POST    /FormRd.aspx    1234567890
274 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
275 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
276 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 GET /Timeout.aspx   1234567890

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

Saygoodbye 2024-11-06 04:54:21

您可以使用相关子查询来导出第一个条目的时间吗?

例如...

WITH
  raw_data
AS
(
  -- Your query to derive the example data goes here
)
SELECT
  *,
  time - (SELECT MIN(time) FROM raw_data AS [initial] WHERE session_id = raw_data.session_id)
FROM
  raw_data

Could you use a correlated sub query to derive the time for the first entry?

For example...

WITH
  raw_data
AS
(
  -- Your query to derive the example data goes here
)
SELECT
  *,
  time - (SELECT MIN(time) FROM raw_data AS [initial] WHERE session_id = raw_data.session_id)
FROM
  raw_data
甜宝宝 2024-11-06 04:54:21

虽然这个问题有一个公认的答案,但我想说:这个逻辑不可能用 logparser 来实现。

Although there is an accepted answer on the question I would say: This logic is not possible to implement with logparser.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文