Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Grow your Fabric skills and prepare for the DP-600 certification exam by completing the latest Microsoft Fabric challenge.

Reply
That1Guy
Frequent Visitor

Concurrency using iis logs without duration / end time

we are looking to estimate concurrency of users based on iis logs. this is proving to be very tough because in the web log, there is no concept of logon/logoff, its just logging requests to to various resources on the webserver e.g. files, pictures, pages, etc. so one person's "session" could consist of 5000 log entries.

 

if we assumed a value for duration (would be nice to do in a slicer), do you have guidance on how i might estimate concurrency using the below data?

 

i have created various visuals to show this but i am concerned the values are over projected. as an FYI, i have about 2 million rows for 24 hours that look similar to this

 

TimedateUserClassificationCommon eventRule
4/14/2020 0:14johnAccess SuccessObject AccessedPROPFIND Method
4/14/2020 0:14johnAccess SuccessObject AccessedPROPFIND Method
4/14/2020 0:14johnAccess SuccessObject AccessedPROPFIND Method
4/14/2020 0:14SallyInformationHTTP 200 : Success Reply - OKHTTP - GET - 200 : Success Reply - OK
4/14/2020 0:14SallyErrorHTTP 403 : Request Error - ForbiddenHTTP - 403 - Req Error - Forbidden
4/14/2020 0:14SallyErrorHTTP 403 : Request Error - ForbiddenHTTP - 403 - Req Error - Forbidden
4/14/2020 0:14SamErrorHTTP 401 : Request Error - UnauthorizedHTTP - 401 - Req Error - Unauthorized
4/14/2020 0:14SamInformationHTTP 200 : Success Reply - OKHTTP - GET - 200 : Success Reply - OK
4/14/2020 0:14SamErrorHTTP 403 : Request Error - ForbiddenHTTP - 403 - Req Error - Forbidden
4/14/2020 0:14JohnErrorHTTP 401 : Request Error - UnauthorizedHTTP - 401 - Req Error - Unauthorized
4/14/2020 0:14johnInformationHTTP 200 : Success Reply - OKHTTP - GET - 200 : Success Reply - OK
4/14/2020 0:14SamInformationHTTP 200 : Success Reply - OKHTTP - GET - 200 : Success Reply - OK
4/14/2020 0:14JohnAccess SuccessObject AccessedPROPFIND Method
4/14/2020 0:14SallyInformationHTTP 200 : Success Reply - OKHTTP - GET - 200 : Success Reply - OK
4/14/2020 0:14SallyAccess SuccessObject AccessedPROPFIND Method
4/14/2020 0:14johnInformationHTTP 200 : Success Reply - OKHTTP - GET - 200 : Success Reply - OK
4/14/2020 0:14TimInformationHTTP 200 : Success Reply - OKHTTP - GET - 200 : Success Reply - OK
4/14/2020 0:14JaneInformationHTTP 200 : Success Reply - OKHTTP - GET - 200 : Success Reply - OK
4/14/2020 0:14JohnAccess SuccessObject AccessedPROPFIND Method

 

 

Any help/guidance would be GREATLY appreciated 

1 ACCEPTED SOLUTION
Greg_Deckler
Super User
Super User

So, I would think that you would have to make a decision about what constitutes a "session". For example, if you see activity from John at (I'm not sure what 0:14 represents). Is that 0 hour 14 minutes or 12:14 AM? Let's say it is. So you have entries for John on 4/14/2020 at 12:14 AM and you have additiona requests let's say at 4/14/2020 at 12:18 AM and even more at 4/14/2020 at 12:24 AM and then even more on the same day at 8:09 PM, 8:10 PM, 8:15 PM and 8:22 PM. So, what does that represent? Is that 7 sessions? 2 sessions or 1 session or some mix in between? You need to decided on that first because if you say that is 1 session and you assume they were on from 12:14 AM until 8:22 PM then that is vastly different then if they were on from 12:14 AM until 12:24 AM and then again from 8:09 PM until 8:22 PM.


Follow on LinkedIn
@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!:
The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...

View solution in original post

4 REPLIES 4
v-yingjl
Community Support
Community Support

Hi @That1Guy ,

Based on the table you have previously posted, I'm not certain what is the logic to determine the 'duration' since the timedate is only '4/14/2020 0:14' but the user like john has different classification, common event and rules in this table.

iss logs duration time.png

In addtion, since you have created various visuals to show this, could you please show some example pictures as a reference output? There is only a table under this post without any visuals as your said previously. Or the table is the sample visual but have other data pictures?

 

Best Regards,
Yingjie Li

If this post helps then please consider Accept it as the solution to help the other members find it more quickly.

 

Hi @v-yingjl ,

 

Thanks for your reply. Here are some of the visuals i'm creating right now and the issue of not having 'duration' to show a users's continual use

 image.png

image.png

 

image.png

Greg_Deckler
Super User
Super User

So, I would think that you would have to make a decision about what constitutes a "session". For example, if you see activity from John at (I'm not sure what 0:14 represents). Is that 0 hour 14 minutes or 12:14 AM? Let's say it is. So you have entries for John on 4/14/2020 at 12:14 AM and you have additiona requests let's say at 4/14/2020 at 12:18 AM and even more at 4/14/2020 at 12:24 AM and then even more on the same day at 8:09 PM, 8:10 PM, 8:15 PM and 8:22 PM. So, what does that represent? Is that 7 sessions? 2 sessions or 1 session or some mix in between? You need to decided on that first because if you say that is 1 session and you assume they were on from 12:14 AM until 8:22 PM then that is vastly different then if they were on from 12:14 AM until 12:24 AM and then again from 8:09 PM until 8:22 PM.


Follow on LinkedIn
@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!:
The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...

Hi @Greg_Deckler ,

 

 

You're 100% right - i think we need to determine what a sesssion really is - e.g. how long do folks typically use this thing? I have heard both 30 seconds as well as 3 hours can be considered valid so (it is a content management system). To your point on the timestamp, you nailed it - that 00:14 is indeed 12:14am thus your example resonates. I will model a few scenarios based with variable where seessions are 1 > x > 120 minutes and see how this plays out. I very much appreciate the guidance

 

Helpful resources

Announcements
RTI Forums Carousel3

New forum boards available in Real-Time Intelligence.

Ask questions in Eventhouse and KQL, Eventstream, and Reflex.

MayPowerBICarousel

Power BI Monthly Update - May 2024

Check out the May 2024 Power BI update to learn about new features.