通过查询 logparser 来查找组以查找模式

发布于 2024-10-30 04:54:21 字数 2207 浏览 1 评论 0原文

我已经在另一个论坛上问过这个问题，但我没有没有得到任何答案或想法。我想做的是在发生特定场景时在日志文件中查找模式。

我想知道用户会话是否在 10 分钟之前超时，其中最后一个 GET 请求是 timeout.aspx 我能够解析出 aspnetsessionid 并按其分组，但我缺少另一部分。我需要减去该会话从开始到结束所花费的时间。

这是我如何开始的

   SELECT  
    TO_STRING(time, 'm') as mins,
        EXTRACT_TOKEN(EXTRACT_TOKEN(cs(Cookie), 1, 'ASP.NET_SessionId='), 0, ';+__ut') as    ASPNETSESSIONID From C:\logs\ex11*.log
    GROUP BY ASPNETSESSIONID, mins

这是一个在 10 分钟之前发生超时的情况示例

Line Number Date    Time    Client-IP   Server IP   Server Port Request Verb    Request URI, ASPNETSessionID
255 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /webpage.aspx   1234567890
256 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
257 4/1/2011    19:40:58    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
260 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 POST    /Formle.aspx    1234567890
261 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
263 4/1/2011    19:41:05    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
265 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 POST    /FormItemsTable.aspx    1234567890
266 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /FormRecord.aspx    1234567890
267 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
268 4/1/2011    19:41:12    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
273 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 POST    /FormRd.aspx    1234567890
274 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
275 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
276 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 GET /Timeout.aspx   1234567890

原文

I already asked this on another forum but I didn't get any answers or ideas. What I am looking to do is to look for a patterns in my log files when a specific scenario is occurring.

I would like to know if a user session is getting timed out prior to 10 minutes where the last GET Request is to timeout.aspx
I was able to parse out the aspnetsessionid and group by that, but I am missing another part. I need to subtract the time taken from start to end of that session.

Here is how I started

   SELECT  
    TO_STRING(time, 'm') as mins,
        EXTRACT_TOKEN(EXTRACT_TOKEN(cs(Cookie), 1, 'ASP.NET_SessionId='), 0, ';+__ut') as    ASPNETSESSIONID From C:\logs\ex11*.log
    GROUP BY ASPNETSESSIONID, mins

Here is an example of a case where a timeout is ocuring prior to 10 min

Line Number Date    Time    Client-IP   Server IP   Server Port Request Verb    Request URI, ASPNETSessionID
255 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /webpage.aspx   1234567890
256 4/1/2011    19:40:55    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
257 4/1/2011    19:40:58    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
260 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 POST    /Formle.aspx    1234567890
261 4/1/2011    19:41:04    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
263 4/1/2011    19:41:05    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
265 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 POST    /FormItemsTable.aspx    1234567890
266 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /FormRecord.aspx    1234567890
267 4/1/2011    19:41:10    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
268 4/1/2011    19:41:12    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
273 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 POST    /FormRd.aspx    1234567890
274 4/1/2011    19:41:23    222.222.22.22   111.11.111.11   443 GET /jscript/SessionTimeout/SessionTimeout.js   1234567890
275 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 POST    /VerifySession.aspx 1234567890
276 4/1/2011    19:41:25    222.222.22.22   111.11.111.11   443 GET /Timeout.aspx   1234567890

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

Saygoodbye 2024-11-06 04:54:21

您可以使用相关子查询来导出第一个条目的时间吗？

例如...

WITH
  raw_data
AS
(
  -- Your query to derive the example data goes here
)
SELECT
  *,
  time - (SELECT MIN(time) FROM raw_data AS [initial] WHERE session_id = raw_data.session_id)
FROM
  raw_data

Could you use a correlated sub query to derive the time for the first entry?

For example...

WITH
  raw_data
AS
(
  -- Your query to derive the example data goes here
)
SELECT
  *,
  time - (SELECT MIN(time) FROM raw_data AS [initial] WHERE session_id = raw_data.session_id)
FROM
  raw_data

回复收藏 0 原文