I have a system for which I'd like to be able to report on how much time individual users spend logged in.

However, there are a few constraints:

• When a user opens a new session, it is logged as a Session_Start event. During this time, a user can either log off (ending their session completely [see Bob below]), or a user can disconnect (say by.. closing their laptop screen), which the application registers as a disconnect, but keeps the session until a 1 hour timeout period passes. At this point the session is terminated (see Carol).

• There could also be a scenario where a user gets disconnected but then is able to reconnect (for example, losing wifi while moving between rooms in the office), or closing their screen to go out for a quick lunch.

  _time UserID EventType
  10/14/15 08:00 AM bob Session_Start
  10/14/15 10:00 AM bob Session_End
  10/14/15 08:00 AM alice Session_Start
  10/14/15 08:30 AM alice Disconnect
  10/14/15 09:00 AM alice Reconnect
  10/14/15 10:00 AM alice Session_End
  10/14/15 08:00 AM carol Session_Start
  10/14/15 10:00 AM carol Disconnect
  10/14/15 11:00 AM carol Session_End
  Doing a nice and simple transaction is a starting point:

  | transaction UserID startswith=EventType=Session_Start endswith=EventType=Session_End
  From there I can easily do a timechart span=1d sum(duration) by UserID to get the type of report I want.

This works in Bob's case just fine. But for Alice and Carol, they've both been given extra time. Alice disconnected at 8:30, and then reconnected at 9. That gives her an extra 30 minutes on that sum(duration). The sum for Carol is off as well, since he simply closed his laptop screen (for example), and called it a day. The system ended his session an hour later after the timeout passed.

I'm struggling to find a good way to approach this. At this point, I'd be happy with just solving the issue demonstrated in Carol's case. Solving Alice's scenario would be a bonus.

Any thoughts?