Hi everybody!
This is my first post, so don't hesitate to correct me, explain how to do it, or ask for further information or configurations ...
Here's my problem:
I have event logs (from SPECTOR technologies) that look like this:
| dest | user | Action | Starting Time | Ending Time |
|---|---|---|---|---|
| server1 | user1 | Activity | 01/07/2016 11:17 | 01/07/2016 11:27 |
| server1 | user1 | Inactivity | 01/07/2016 11:27 | 01/07/2016 16:32 |
| server1 | user1 | Activity | 01/07/2016 16:32 | 01/07/2016 16:34 |
| server1 | user1 | Inactivity | 01/07/2016 16:34 | 01/07/2016 16:38 |
| server1 | user1 | Activity | 01/07/2016 16:38 | 01/07/2016 16:41 |
| server1 | user1 | Inactivity | 01/07/2016 16:41 | 02/07/2016 17:21 |
| server1 | user1 | Activity | 04/07/2016 08:49 | 04/07/2016 09:11 |
| server1 | user1 | Inactivity | 04/07/2016 09:11 | 04/07/2016 09:14 |
| server1 | user1 | Activity | 04/07/2016 09:14 | 04/07/2016 09:45 |
| server1 | user1 | Inactivity | 04/07/2016 09:45 | 04/07/2016 09:50 |
| server1 | user1 | Activity | 04/07/2016 09:50 | 04/07/2016 09:50 |
| server1 | user1 | Inactivity | 04/07/2016 09:50 | 04/07/2016 11:30 |
As you can see, the end_time from one event can be linked to the start_time of the next one.
By chaining events, you can see that user1's first session starts on 01/07/2016 11:17 and ends on 02/07/2016 17:21, which means a 30h04m long session.
I tried to use this: request | transaction dest user
But since there's nothing that looks like a transactionid or sessionid in my logs, it doesn't work ...
I can't build an id row (because users can have multiple sessions on the same server, and can run sessions over many days).
It's for a weekly report, so the request can be heavy, it doesn't matter.
I can't chain requests indefinitely, unless it's through a form of loop (users can chain Activity/Inactivity events hundreds of times per day ...).
Is there a way to achieve this with transaction? If not, can you see another way to achieve this? (macros, scripts ...? I'm open to any solution to do the job.)
Thanks in advance!
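One way to do the chaining described above with a script, as an added example that is not part of the original post: events are merged per (dest, user) whenever an event starts at or before the current session's end. The function names and the whitespace-separated row layout are assumptions; the sample rows are the ones shown in the post.

```python
from datetime import datetime
from itertools import groupby

FMT = "%d/%m/%Y %H:%M"

# Rows from the post: dest user action start_date start_time end_date end_time
SAMPLE = """\
server1 user1 Activity 01/07/2016 11:17 01/07/2016 11:27
server1 user1 Inactivity 01/07/2016 11:27 01/07/2016 16:32
server1 user1 Activity 01/07/2016 16:32 01/07/2016 16:34
server1 user1 Inactivity 01/07/2016 16:34 01/07/2016 16:38
server1 user1 Activity 01/07/2016 16:38 01/07/2016 16:41
server1 user1 Inactivity 01/07/2016 16:41 02/07/2016 17:21
server1 user1 Activity 04/07/2016 08:49 04/07/2016 09:11
server1 user1 Inactivity 04/07/2016 09:11 04/07/2016 09:14
server1 user1 Activity 04/07/2016 09:14 04/07/2016 09:45
server1 user1 Inactivity 04/07/2016 09:45 04/07/2016 09:50
server1 user1 Activity 04/07/2016 09:50 04/07/2016 09:50
server1 user1 Inactivity 04/07/2016 09:50 04/07/2016 11:30
"""

def parse(text):
    """Turn whitespace-separated log rows into (dest, user, start, end) tuples."""
    rows = []
    for line in text.strip().splitlines():
        dest, user, _action, d1, t1, d2, t2 = line.split()
        rows.append((dest, user,
                     datetime.strptime(f"{d1} {t1}", FMT),
                     datetime.strptime(f"{d2} {t2}", FMT)))
    return rows

def sessions(rows):
    """Chain events per (dest, user): an event extends the current session
    when it starts at or before the session's current end; a gap starts a new one."""
    out = []
    # sorted() orders by dest, user, start, end, so each group is chronological
    for (dest, user), grp in groupby(sorted(rows), key=lambda r: r[:2]):
        start = end = None
        for _, _, ev_start, ev_end in grp:
            if end is not None and ev_start <= end:
                end = max(end, ev_end)      # contiguous: extend the session
            else:
                if start is not None:       # gap: close the previous session
                    out.append((dest, user, start, end, end - start))
                start, end = ev_start, ev_end
        out.append((dest, user, start, end, end - start))
    return out

if __name__ == "__main__":
    for dest, user, start, end, length in sessions(parse(SAMPLE)):
        print(dest, user, start.strftime(FMT), end.strftime(FMT), length)
```

No session id is needed: the session boundary is derived from the gap between one event's end and the next event's start, so multiple sessions per user and server, and sessions spanning several days, fall out of the same pass.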