Find Sessions Command Line Usage Examples

You can view usage information for the command line interface using the /help option. That information is included here as well.

Usage:

FindSessions.exe [Connection] [Query] [Action] [Parameter]

Connection:
/i=<installation name> or /installation=<installation name>
Make a connection to the specified DirectAudit Installation.

Query:
Query can be defined by AQL or by individual search criteria.

/a=<aql statement> or /aql=<aql statement>
Use the specified AQL as the search criteria to find the audited sessions from DirectAudit databases.
This option should not be used together with /user, /machine or /activetime.

/u=<user name> or /user=<user name>
Find all audited sessions for a particular user from DirectAudit databases.
This option can be used together with /machine and /activetime, which means the returned sessions need to fulfill all specified criteria.
This option should not be used with the /aql option.

/m=<machine name> or /machine=<machine name>
Find all audited sessions for a particular machine from DirectAudit databases.
This option can be used together with /user and /activetime, which means the returned sessions need to fulfill all specified criteria.
This option should not be used with the /aql option.

/t=<time> or /activetime=<time>
Find all active audited sessions at a particular time from DirectAudit databases.
This option can be used together with /user and /machine, which means the returned sessions need to fulfill all specified criteria.
This option should not be used with the /aql option.

/r="role1;role2" or /role="role1;role2"
Find all sessions with role role1 OR role2. Must be used with /export="UnixCommand|UnixInput|UnixInputOutput". If /role and /ticket are used together, sessions meeting role AND ticket criteria are searched.

/k="ticket1;ticket2" or /ticket="ticket1"
Find all sessions with trouble ticket ticket1 OR ticket2. Must be used with /export="UnixCommand|UnixInput|UnixInputOutput". If /role and /ticket are used together, sessions meeting role AND ticket criteria are searched.

Action:
/delete
Delete the sessions returned by the query.

/export=[SessionList|WashEvents|UnixCommand|UnixInput|UnixInputOutput]
Export the sessions returned by the query. This option should be used with the /path option.

Parameter:
/path
Folder to save the export files. This option should be used with the /export option.

/format=[html|htm|csv|pdf|xml]
Export the session list. This option should be used with /export=SessionInfo /path=<folder path>

/suppresswarning
Suppress warning messages.

/onerror=[continue]
Continue processing session list if one or more databases are unreachable.

Examples:

FindSessions /installation="installation sample" /aql="1 time is in this week"

FindSessions /installation="installation sample" /aql="1 inputcommand = \"dzdo*\"\"" /delete

FindSessions /installation="installation sample" /aql="1 text = \"dzdo\"\"" /suppresswarning /export="UnixInput" /path="folder path"

FindSessions /installation="installation sample" /user="user sample" /machine="machine sample" /activetime="2011-12-24 15:30:45"

FindSessions /installation="installation sample" /aql="1 module = \"Windows PowerShell\"\"" /export="SessionList" /format="html" /path="folder path"

FindSessions /installation="installation sample" /aql="1 time is in this month" /export="UnixInputOutput" /path="folder path" /role="role1;role2" /ticket="ticket1;ticket2"

If the last field that you're searching for includes double quotes, you need to escape the quotes. For example, findsessions -i="MyInstallation" /aql="1 time is in this week" doesn't have this issue, but FindSessions /i="MyInstallation" /a="1 sessionid = \"a4006f206465-4db1-a2e7-a4e1f646c835\"\" does.
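
The option rules in the usage text (/aql is exclusive with /user, /machine and /activetime; /role and /ticket need a Unix export type; /export and /path go together) can be checked before a script calls the tool. The following PowerShell is an added example, not part of the product or its documentation; the function name Test-FindSessionsArgs and the sample argument lists are hypothetical.

```powershell
# Added example: lint a FindSessions argument list against the rules in the usage text.
# Short option names mapped to their long forms, as listed in the usage text.
$ShortNames  = @{ i = 'installation'; a = 'aql'; u = 'user'; m = 'machine'
                  t = 'activetime';   r = 'role'; k = 'ticket' }
$UnixExports = 'UnixCommand', 'UnixInput', 'UnixInputOutput'

function Test-FindSessionsArgs {
    param([Parameter(Mandatory)][string[]] $Arguments)

    $problems = [System.Collections.Generic.List[string]]::new()
    $opt = @{}

    # Parse "/name=value" and bare "/name" tokens into a table keyed by long option name.
    foreach ($token in $Arguments) {
        if ($token -match '^/(?<name>[A-Za-z]+)(=(?<value>.*))?$') {
            $name = $Matches['name'].ToLower()
            if ($ShortNames.ContainsKey($name)) { $name = $ShortNames[$name] }
            $opt[$name] = "$($Matches['value'])".Trim('"')
        } else {
            $problems.Add("Unrecognized token: $token")
        }
    }

    # /aql must not be combined with the individual search criteria.
    $criteria = @('user', 'machine', 'activetime' | Where-Object { $opt.ContainsKey($_) })
    if ($opt.ContainsKey('aql') -and $criteria.Count -gt 0) {
        $problems.Add('/aql cannot be combined with /' + ($criteria -join ', /'))
    }
    # /role and /ticket are only valid with one of the Unix export types.
    foreach ($name in 'role', 'ticket') {
        if ($opt.ContainsKey($name) -and $opt['export'] -notin $UnixExports) {
            $problems.Add("/$name requires /export set to one of: " + ($UnixExports -join ', '))
        }
    }
    # /export and /path are documented as a pair.
    if ($opt.ContainsKey('export') -xor $opt.ContainsKey('path')) {
        $problems.Add('/export and /path must be given together')
    }
    return $problems
}

# Constructed sample argument lists, already split into one token per option.
$good = '/i=installation sample', '/a=1 time is in this month',
        '/export=UnixInputOutput', '/path=folder path', '/role=role1;role2'
$bad  = '/i=installation sample', '/a=1 time is in this week',
        '/u=user sample', '/r=role1', '/export=SessionList'

"good: $(@(Test-FindSessionsArgs $good).Count) problem(s)"
Test-FindSessionsArgs $bad | ForEach-Object { "bad:  $_" }
```

The function only inspects option names and values; it does not run FindSessions.exe and does not check /format, whose pairing the usage text states as /export=SessionInfo.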