Channel: Latest Questions on Splunk Answers

Query to detect "lost sessions" on IIS Server


We have an application that logs every page that a user obtains. It appears that sometimes the IIS session for one user is lost (as opposed to App pool recycling...). I am trying to find evidence from Splunk logging.

If a user is logged on (has a session) we have a "UserName" being logged. If it is missing and on a secure page (required login to get to it), then the user is logged off. We have cases where we have two records within seconds where the UserName appears to disappear (not recorded in a record that would log it).

So:

  • "UserHostName" is used to find the client IP address

  • "host" is the server address

  • "date" is the date time

  • "UserName" is missing if not logged in, missing if session is ended and not on Aspx="~/Login.aspx"

What I want to do is, starting from the UserName-missing record (found already) at MinDate (when it first appears), find the prior record if it is within 20 minutes (1200 seconds).

In TSQL, something like:

    SELECT NoSession.UserHostName, DATEDIFF(minute, Session.Date, NoSession.Date)
    FROM NoSession
    JOIN Session ON NoSession.UserHostName = Session.UserHostName
        AND Session.Date < NoSession.Date
    WHERE DATEDIFF(minute, Session.Date, NoSession.Date) < 20

In other words, find when the last session occurred prior to NoSession. I have tried using Transaction but without easy success.
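
The pairing logic described in the question, modelled outside Splunk as an added example (not part of the original post and not a Splunk query). The sample records are constructed, and treating an anonymous hit on `~/Login.aspx` as a normal logoff is an assumption.

```python
from datetime import datetime
from itertools import groupby

LOGIN_PAGE = "~/Login.aspx"
MAX_GAP_SECONDS = 1200  # the 20-minute window from the question

# Constructed sample records (not real log data):
# (date, host, UserHostName, UserName, Aspx)
SAMPLE = [
    ("2024-01-01 10:00:00", "web1", "10.0.0.5", "alice", "~/Orders.aspx"),
    ("2024-01-01 10:00:04", "web1", "10.0.0.5", None, "~/Orders.aspx"),   # session lost
    ("2024-01-01 10:00:09", "web1", "10.0.0.5", None, "~/Login.aspx"),
    ("2024-01-01 09:00:00", "web2", "10.0.0.6", "bob", "~/Home.aspx"),
    ("2024-01-01 09:45:00", "web2", "10.0.0.6", None, "~/Reports.aspx"),  # gap > 20 min
    ("2024-01-01 11:00:00", "web1", "10.0.0.7", "carol", "~/Home.aspx"),
    ("2024-01-01 11:00:30", "web1", "10.0.0.7", None, "~/Login.aspx"),    # normal logoff
    ("2024-01-01 12:00:00", "web1", "10.0.0.8", None, "~/Home.aspx"),     # never logged in
]

def ts(date):
    return datetime.strptime(date, "%Y-%m-%d %H:%M:%S")

def find_lost_sessions(records, max_gap=MAX_GAP_SECONDS):
    """Pair each first no-UserName record with the last session record of the same client."""
    findings = []
    ordered = sorted(records, key=lambda r: (r[2], ts(r[0])))
    for client, events in groupby(ordered, key=lambda r: r[2]):
        last_session = None  # most recent record that carried a UserName
        for date, host, _, user, page in events:
            if user:
                last_session = (date, host, user, page)
                continue
            if last_session and page != LOGIN_PAGE:
                gap = (ts(date) - ts(last_session[0])).total_seconds()
                if gap <= max_gap:
                    findings.append({"client": client, "user": last_session[2],
                                     "last_session": last_session[0], "no_session": date,
                                     "gap_seconds": int(gap), "host": host})
            # Assumption: any anonymous record ends the tracked session, so only
            # the first one after a session (the question's MinDate) is reported.
            last_session = None
    return findings

if __name__ == "__main__":
    for finding in find_lost_sessions(SAMPLE):
        print(finding)
```

Keying on UserHostName alone merges users who share a client IP (NAT or a proxy), so records from two people can interleave and look like a dropped session.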

