Ultimately any solution is going to require 2 or 3 steps, and some manual observation, but you could find the information if you need it.
To start we should clarify a few details. First, by "at the same time" I will assume that you mean they are using two computers within a certain time delta. Secondly, I will assume that these computers different proxies (MWG) and/or they each have distinguished IP addresses from the Web Gateway's point of view (meaning they are not NAT'd through a router to the same IP before the request reaches the MWG).
So assuming those two points are true, then this is how you could do it. For the "time delta", I recommend using summary data which already groups traffic into hourly buckets. Create a query with client IP, username, date, and hour. Set the client IP to sort descending, and count distinct.
Then when you run your report, users with the most distinct client IP addresses for the same hour will be at the top. Since you also get the date and time, you can make a second detailed report using the appropriate date range and username to get the IP addresses and any other information.
This is a test I did on a manually created test case.
Thanks! I can now atleast have a fair idea of possible users logged onto multiple machines.
i understand, we cannot have accruate report since the time is in terms of hour. Is there any enhancement coming up in future release which can provide option to select mins feild for advanced reports? That would help to have almost accurate report.
For detailed data, you can go down to the second. Only Summary data is limited by the hour.
I suppose the same report would work on detailed data, but including the exact time on the report would stop records from being combined. The idea of my strategy is to do your investigaion in two steps. The above was step 1, which shows which users had multiple IP addresses in the same hour. It also shows the hour and date. Then you use this information to make a second report to show any details you want.
I was trying to use detailed report option to prepare the report but count distinct button for User IP attribute is disabled. I selected user name, user IP and DateTime attributes.
Message was edited by: satbir on 4/23/13 7:09:43 AM CDT
Message was edited by: satbir on 4/23/13 7:12:39 AM CDT
depending on which columns you add to the query and the query type, not all options are available because they are not compatible. What is your goal for the detailed report? Give me an example of what you want it to look like and maybe I can help.
Goal is to find out user-ids logged into multipe machines. I want to achieve it using query on detailed data. summary is based on assumptions of 1 hr bucket. My idea is to find out exact information on it so I can confidently go to such users.
Web Reporter uses the access logs for reports, so you have to think about what information is in the logs. There is no concept of "logged into two machines at the same time", but we can imagine that if a user was logged into two machines, and generating web traffic from both, then "at the same time" could mean getting a request from distinct client ip addresses that share the same user name within some time delta. So we only need to set the time delta. I used the date+hour.
If you are trying to use detail data with the date/time for the time delta, then you have reduced the time difference to 1 second. This isn't going to produce favorable results. The hour bucket is probably as good as it gets.