Hey, monks. I've got a bit of a philosophical question for you.

I've worked with log parsing a lot, and a few times the problem of session times has come up. A session, from a log parsing perspective, is what is created when a log contains start and stop records for a login-based service. RADIUS and web sessions are good examples of these.

The problem which the higher ups generally need solved is, "How many people are/were on at <time>?" where <time> may be "now", "5:04:02 yesterday", or "between 2:00 and 10:00 two thursdays ago". How to find answers in a quick and elegant way is more difficult than it probably seems.


The philosophical part is this: there are easy ways to get these answers, but all seem to me to be inefficient and kludgy:

1 - One can run through the log, keeping track of session openings and closings until the specified time (or interval) is reached, and then count. For logs where sessions can be infinite, and for very long logs, this is an extremely poor way of doing things.

2 - One can save logon and logoff times in a data structure, and count the number of sessions for which the time(s) you're looking for fall between the first and last time values. This is a little better, but it still requires running through the whole dataset to find a single answer.

3 - One can also pick a granularity (say, by the hour) and simply track how many sessions exist for each unit of time. This allows one to jump to an answer quickly, but doesn't work if we use a granularity of an hour, and want to know how many sessions existed at 13:02:56 yesterday. If you make the granularity one second, though, your data set ends up huge with a large log.

To summarize, I'm looking for an elegant solution which will allow the discovery of the number of sessions active at a given time (granularity to the second) without traversing the whole data structure to find it, and without logging the number of sessions active each second. Does such a solution exist?

PS: If there's a module, meditation, snippet, or piece of code that does this, you can lash me with a wet noodle. I couldn't find it.
--

Love justice; desire mercy.

In reply to How to do session times The Right Way by strider corinth

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.