Hi all,
I am trying to extract usage duration patterns for our web app, from login to either logout, or when the user stops sending requests to the server. I can get the session duration with a transaction that starts with the login event, and ends with either a logout or a session expiry event, but sessions only expire some time after the last user activity. I don't want to capture this "idle time".
Our web app logs what users are doing with the app, from login to either logout or session purge. It looks somewhat like this:
2017-09-28 12:55:36,595 event_id="auth:login:success" email="johndoe@example.com" [....]
2017-09-28 12:56:00,010 event_id="app:web:request" email="johndoe@example.com" [....]
2017-09-28 12:56:01,243 event_id="app:web:request" email="johndoe@example.com" [....]
[...]
2017-09-28 12:57:12,243 event_id="auth:logout:success" email="johndoe@example.com" [....]
Of course, quite often, users won't explicitly logout. They just close the browser window and let the session expire. In that case, the logs look somewhat like this:
2017-09-28 12:55:36,595 event_id="auth:login:success" email="johndoe@example.com" [....]
2017-09-28 12:56:00,010 event_id="app:web:request" email="johndoe@example.com" [....]
2017-09-28 12:56:01,243 event_id="app:web:request" email="johndoe@example.com" [....]
[...]
2017-09-28 13:26:01,243 event_id="auth:session-purge:success" email="johndoe@example.com" [....]
I have the following search that shows how long people's sessions were, but when users don't explicitly logout, it counts all the idle time before a session expires.
[...] email!="" (event_id="auth:*" OR event_id="app:web:request")
| transaction email
startswith=(event_id="auth:login:success")
endswith=(event_id="auth:session-purge:success" OR event_id="auth:logout:success")
| eval end_time_s=_time+duration
| eval start_time=strftime(_time,"%m/%d/%y %H:%M:%S")
| eval end_time=strftime(end_time_s,"%m/%d/%y %H:%M:%S")
| eval dur_time=tostring(duration,"duration")
| sort by -start_time
| table start_time,end_time,dur_time,email
This works, but when a user gets logged out because their session expires, I get all the idle time as well, even if the user did nothing after their first request.
What I would like to express in search is the following:
if the transaction ends with event_id="auth:session-purge:success" , then use _time of the last log entry within the transaction where event_id="app:web:request" to calculate the duration. Otherwise, use the time of the logout event.
How would I do this?
... View more