I would try these 3 query statement to find the users for the bracketing
times (start and stop):
SELECT @starttime = max(time)
FROM logtable
WHERE IP='66.50.xxX.245'
AND Date='2004-07-05'
AND Time <='16:15:00'
AND RecordType = 'Start';
SELECT @endtime = min(time)
FROM logtable
WHERE IP='66.50.xxX.245'
AND Date='2004-07-05'
AND Time >= @starttime
AND RecordType = 'Stop';
SELECT *
FROM logtable
WHERE IP='66.50.xxX.245'
AND Date='2004-07-05'
AND Time in (@starttime, @stoptime)
That way, if the user's name matches for both records, you are sure you
have identified the correct user for a particular time
I know it appears to be a lot of steps but with a composite index on (ID,
Date, Time, RecordType) each of these queries should respond very quickly.
Yours,
Shawn Green
Database Administrator
Unimin Corporation - Spruce Pine
[EMAIL PROTECTED] wrote on 07/21/2004 07:49:35 AM:
> Ok, this may or may not be a tricky one I will try and be succinct in my
> statement.
>
> I have a database (mysql 4.0) with radius log entries for each day, we
> receive emails about Acceptable Use Abuses and must figure out exactly
> who was online with a certain IP address when the abuse occurred. As you
> will see below there are multiple starts and stops for any given IP
> address so here is the scenario:
>
> Problem: Spam Abuse
> IP of offender: 66.50.xxX.245
> Date of offense: 2004-07-05
> Time of offense: 16:15
>
> Now if I query the database based on date and ip address, I get the
> following:
> Id Date Time Record Type Full
> Name IP Address
> ====== ==== ============ ============ ============
> =========================
>
> 349 2004-07-05 11:21:08 Start [EMAIL PROTECTED]
> 66.50.xxX.245
> 345 2004-07-05 11:21:09 Start [EMAIL PROTECTED]
> 66.50.xxX.245
> 413 2004-07-05 11:22:32 Stop [EMAIL PROTECTED]
> 66.50.xxX.245
> 118984 2004-07-05 17:22:26 Start [EMAIL PROTECTED]
> 66.50.xxX.245
> 149049 2004-07-05 18:36:19 Stop [EMAIL PROTECTED]
> 66.50.xxX.245
> 90344 2004-07-05 16:09:40 Start [EMAIL PROTECTED]
> 66.50.xxX.245
> 90380 2004-07-05 16:09:40 Start [EMAIL PROTECTED]
> 66.50.xxX.245
> 97630 2004-07-05 16:28:20 Stop [EMAIL PROTECTED]
> 66.50.xxX.245
> 97671 2004-07-05 16:28:20 Stop [EMAIL PROTECTED]
> 66.50.xxX.245
> 97598 2004-07-05 16:28:20 Stop [EMAIL PROTECTED]
> 66.50.xxX.245
>
> now of course I changed the usernames and modified the IP for this
> mailing but that doesn't matter, now, the time field in the Database IS
> a time data type. What I need to be able to do is find the start before
> the offense time, and the stop after the offense time so I know that the
> person with the start and the stop is the one that committed the abuse.
>
> I haven't actually put code to bits yet, because I am not exactly sure
> how to go about creating this logic code. I don't think I can just say
> if on Date , if $timefield < time of offense and $timefield > time of
> offense; return some stuff.
>
> So any help on how to start with this would be greatly appreciated.
>
> Chris Hood
> Investigator Verizon Global Security Operations Center
> Email: <mailto:[EMAIL PROTECTED]>
> [EMAIL PROTECTED]
> Desk: 972.399.5900
>
>