Log Parser

Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. You tell Log Parser what information you need and how you want it processed. The results of your query can be custom-formatted in text based output, or they can be persisted to more specialty targets like SQL, SYSLOG, or a chart. The world is your database with Log Parser.

Most software is designed to accomplish a limited number of specific tasks. Log Parser is different... the number of ways it can be used is limited only by the needs and imagination of the user. If you find a creative way to use it, let us know at www.logparser.com!

Here are some samples to whet your appetite...

Search for Data

Search for the logons of a specific user among the events in the Windows Event Log:

C:\>LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO report.txt FROM Security WHERE EventID = 528 AND SID LIKE '%TESTUSER%'" -resolveSIDs:ON

And obtain results in a text file formatted as desired:

Create Reports

Create custom-formatted HTML reports:

Calculate Statistics

Calculate the distribution of the HTTP response status codes from your IIS log files:

C:\>LogParser "SELECT sc-status, COUNT(*) AS Times INTO Chart.gif FROM <1> GROUP BY sc-status ORDER BY Times DESC" -chartType:PieExploded3D -chartTitle:"Status Codes"

And produce a chart formatted as desired:

System Requirements

Log Parser is compatible with the Windows® 2000, Windows® XP Professional, and Windows Server™ 2003 operating systems.

© 2004 Microsoft Corporation. All rights reserved.

What's New in Log Parser 2.2

New Input and Output Formats:

XML Input Format: Reads XML files (requires the Microsoft® XML Parser (MSXML))
TSV Input Format: Reads tab- and space-separated values text files
ADS Input Format: Reads information from Active Directory objects
COM Input Format: Makes it possible to plug in user-implemented custom Input Formats
REG Input Format: Reads information from the Windows Registry
NETMON Input Format: Makes it possible to parse NetMon .cap capture files
ETW Input Format: Reads Event Tracing for Windows log files and live sessions
CHART Output Format: Creates chart image files (requires Microsoft Office 2000 or later)
TSV Output Format: Writes tab- and space-separated values text files
SYSLOG Output Format: Sends information to a SYSLOG server or to a SYSLOG-formatted text file

Improvements to the SQL Engine:

Exponential performance improvement in SELECT DISTINCT and GROUP BY queries
"WITH ROLLUP" functionality in the GROUP BY clause
"DISTINCT" in aggregate functions (when no GROUP BY clause is specified)
"PROPSUM(...) [ ON <fields> ]" and "PROPCOUNT(...) [ ON <fields> ]" aggregate functions (these functions calculate the ratio between the SUM or COUNT functions on a field and the SUM or COUNT functions on the same field in a hierarchically higher group)
New functions:
    MOD
    BIT_AND, BIT_OR, BIT_NOT, BIT_XOR, BIT_SHL, BIT_SHR
    EXP10, LOG10
    ROUND, FLOOR
    QNTROUND_TO_DIGIT, QNTFLOOR_TO_DIGIT
    STRREPEAT
    IN_ROW_NUMBER, OUT_ROW_NUMBER
    ROT13
    EXTRACT_FILENAME, EXTRACT_EXTENSION, EXTRACT_PATH
    HEX_TO_ASC, HEX_TO_PRINT, HEX_TO_INT
    HEX_TO_HEX8, HEX_TO_HEX16, HEX_TO_HEX32
    IPV4_TO_INT, INT_TO_IPV4
    HASHSEQ, HASHMD5_FILE
    EXTRACT_PREFIX, EXTRACT_SUFFIX
    STRCNT
Introduced a "USING" clause for declaring temporary field-expressions
"BETWEEN" operator in the WHERE and HAVING clauses
"CASE" (simple-form) statement in the SELECT clause ("SELECT CASE myField WHEN 'value1' THEN '0' WHEN 'value2' THEN '1' ELSE '-1' END")
New date and time formats:
    l (milliseconds - lowercase 'L')
    n (nanoseconds)
    tt (AM/PM)
    ? (any character)
Fields and Aliases are now case-insensitive

Improvements to existing Input and Output Formats:

Added many new parameters to most of the Input and Output Formats
The NCSA input format now parses also combined and extended NCSA log files
Added "EventCategoryName" and "Data" fields to the EVT input format
The "-recurse" options of most input formats now specify a maximum subdirectory recursion level
The CSV Input and Output Formats now support CSV files with double-quoted strings
Added "FileVersion", "ProductVersion", "CompanyName", etc. fields to the FS input format
Allowed '*' and '?' wildcards in the site name specifications for all the IIS input formats ("SELECT * FROM <mysite*.com>")
Allowed URL's as the input path of all text-based input formats ("SELECT * FROM http://www.adatum.com/table.csv")
Allowed use of environment variable names in the TPL output format sections, and added a SYSTEM_TIMESTAMP variable
Performance improvement in the EVT input format when reading from local and remote event logs
All the property names of the input and output format COM objects now match the command-line names

General improvements:

Added the possibility to specify parameters in .sql files ("logparser -file:myquery.sql?param1=value1+param2=value2")
Input I/O performance improvement for text files
Added the possibility to permanently override the default values of global options, input format options, and output format options ("logparser -e:10 -o:NAT -rtp:-1 -savedefaults")

Conceptual Overview

This section provides information on the operational mechanisms of Log Parser.

Log Parser Architecture: Describes the internal architecture of Log Parser.
Records: Describes the data that Log Parser processes when working with Input and Output Formats.
Commands and Queries: Describes how Log Parser commands are structured, and how you specify queries in a command.
Errors, Parse Errors, and Warnings: Describes the runtime errors that can be generated by Log Parser when executing a command.

Log Parser Architecture

Log Parser is made up of three components:

Input Formats are generic record providers; records are equivalent to rows in a SQL table, and Input Formats can be thought of as SQL tables containing the data you want to process. Log Parser's built-in Input Formats can retrieve data from the following sources:
    IIS log files (W3C, IIS, NCSA, Centralized Binary Logs, HTTP Error logs, URLScan logs, ODBC logs)
    Windows Event Log
    Generic XML, CSV, TSV and W3C-formatted text files (e.g. Exchange Tracking log files, Personal Firewall log files, Windows Media® Services log files, FTP log files, SMTP log files, etc.)
    Windows Registry
    Active Directory Objects
    File and Directory information
    NetMon .cap capture files
    Extended/Combined NCSA log files
    ETW traces
    Custom plugins (through a public COM interface)

A SQL-Like Engine Core processes the records generated by an Input Format, using a dialect of the SQL language that includes common SQL clauses (SELECT, WHERE, GROUP BY, HAVING, ORDER BY), aggregate functions (SUM, COUNT, AVG, MAX, MIN), and a rich set of functions (e.g. SUBSTR, CASE, COALESCE, REVERSEDNS, etc.); the resulting records are then sent to an Output Format.

Output Formats are generic consumers of records; they can be thought of as SQL tables that receive the results of the data processing. Log Parser's built-in Output Formats can:
    Write data to text files in different formats (CSV, TSV, XML, W3C, user-defined, etc.)
    Send data to a SQL database
    Send data to a SYSLOG server
    Create charts and save them in either GIF or JPG image files
    Display data to the console or to the screen

Note: Transmitting data through a non-secure network might pose a serious security risk to the confidentiality of the information transmitted. For more information on the security risks associated with non-secure networks, see Security Considerations.

The Log Parser tool is available as a command-line executable (LogParser.exe) and as a set of scriptable COM objects (LogParser.dll). The two binaries are independent from each other; if you want to use only one, you do not need to install the other file on your computer.

Records

Log Parser queries operate on records from an Input Format. Records are equivalent to rows in a SQL table, and Input Formats are equivalent to SQL tables containing the rows (data) you want to process.

Fields and Data Types

Each record generated by an Input Format is made up of a fixed number of fields (the columns in a SQL table), and each field is assigned a specific name and a specific data type; the data types supported by Log Parser are:
    Integer
    Real
    String
    Timestamp

Fields in a record can only contain values of the data type assigned to the field or, when the data for that field is not available, the NULL value.

For example, let's consider the EVT Input Format, which produces a record for each event in the Windows Event Log. Using the command-line executable, we can discover the structure of the records provided by this Input Format by typing the following help command:

C:\>LogParser -h -i:EVT

The output of this command gives a detailed overview of the EVT Input Format, including a "Fields" section describing the structure of the records produced:

Fields:
    EventLog (S)           RecordNumber (I)       TimeGenerated (T)
    TimeWritten (T)        EventID (I)            EventType (I)
    EventTypeName (S)      EventCategory (I)      EventCategoryName (S)
    SourceName (S)         Strings (S)            ComputerName (S)
    SID (S)                Message (S)            Data (S)

From the output above, we understand that each record is made up of 15 fields, and that, for instance, the fourth field of each record is named "TimeWritten" and always contains values of the TIMESTAMP data type.

Record Structure

Some Input Formats have a fixed structure for their records (like the EVT Input Format used in the example above, or the FS Input Format), but others can have different structures depending on the values specified for their parameters or on the files being parsed.

For instance, the NETMON Input Format, which parses NetMon capture files, has a parameter ("fMode") that can be used to specify how the records should be structured. We can see the different structures when we add this parameter to the help command for the NETMON format. The first example shows the fields exported by the NETMON Input Format when its "field mode" is set to "TCPIP" (each record is a single TCP/IP packet), and the second example shows the fields exported by the NETMON Input Format when its "field mode" is set to "TCPConn" (each record is a full TCP connection):

C:\>LogParser -h -i:NETMON -fMode:TCPIP

Fields:
    CaptureFilename (S)    Frame (I)              DateTime (T)
    FrameBytes (I)         SrcMAC (S)             SrcIP (S)
    SrcPort (I)            DstMAC (S)             DstIP (S)
    DstPort (I)            IPVersion (I)          TTL (I)
    TCPFlags (S)           Seq (I)                Ack (I)
    WindowSize (I)         PayloadBytes (I)       Payload (S)
    Connection (I)

C:\>LogParser -h -i:NETMON -fMode:TCPConn

Fields:
    CaptureFilename (S)    StartFrame (I)         EndFrame (I)
    Frames (I)             DateTime (T)           TimeTaken (I)
    SrcMAC (S)             SrcIP (S)              SrcPort (I)
    SrcPayloadBytes (I)    SrcPayload (S)         DstMAC (S)
    DstIP (S)              DstPort (I)            DstPayloadBytes (I)
    DstPayload (S)

As another example, the CSV Input Format, which parses text files containing comma-separated values, creates its own structure by inspecting the input file for field names and types. When using the help command with the CSV Input Format, the "Fields" section shows no information on the record structure:

C:\>LogParser -h -i:CSV

Fields:
    Field names and types are retrieved at runtime from the specified input file(s)

However, when we supply the name of a CSV file that, for instance, contains 2 fields ("LogDate" and "Message"), then we can see the structure of the records produced when parsing that file:

C:\>LogParser -h -i:CSV log.csv

Fields:
    Filename (S)           RowNumber (I)          LogDate (T)
    Message (S)

Commands and Queries

When using the command-line executable, Log Parser works on commands supplied by the user. Each command has five distinct components:
    The Input Format to use;
    Optional parameters for the Input Format;
    The Output Format to use;
    Optional parameters for the Output Format;
    The SQL query that processes the records generated by the Input Format and produces records for the Output Format.

For example, let's consider the following simple command:

C:\>LogParser -i:EVT -fullText:OFF -o:CSV -tabs:OFF "SELECT * INTO output.csv FROM SYSTEM"

The command above is structured as follows:
    The EVT Input Format is selected using the -i:<Input Format name> parameter;
    Its "fullText" parameter is set to the "OFF" value;
    The CSV Output Format is selected using the -o:<Output Format name> parameter;
    Its "tabs" parameter is set to the "OFF" value;
    The SQL query is "SELECT * INTO output.csv FROM SYSTEM", which specifies that all records generated from the System Event Log should be sent directly to the Output Format with no further processing.

In some cases, it might not be necessary to specify the Input Format. In the example command above, the value of the FROM clause is "SYSTEM", which is the name of a standard Windows Event Log; this name is automatically recognized by Log Parser as a candidate for the EVT Input Format, so we can avoid specifying the Input Format name altogether:

C:\>LogParser -fullText:OFF -o:CSV -tabs:OFF "SELECT * INTO output.csv FROM SYSTEM"

As examples of other values of FROM clauses that can be recognized by Log Parser, the IISW3C Input Format is selected automatically when the filename in the FROM clause starts with "ex" and has the ".log" extension, and the XML Input Format is selected automatically when the filename has the ".xml" extension.

The same applies to Output Formats: in the example command above, the filename in the INTO clause has the "csv" extension, thus selecting automatically the CSV Output Format; the same command can therefore be typed as:

C:\>LogParser -fullText:OFF -tabs:OFF "SELECT * INTO output.csv FROM SYSTEM"

When an Output Format is not specified, and the SQL query does not contain an INTO clause, Log Parser automatically selects the NAT Output Format, which prints the results of the query to the console window.

These examples show that the minimal Log Parser command is made up of the SQL query alone. In most cases the Input and Output formats can be deduced automatically from the INTO and FROM clauses of the query; however, it is a recommended good practice to always explicitly specify the Input and Output formats using the -i and -o parameters.

Errors, Parse Errors, and Warnings

During the execution of a command, Log Parser can encounter three different types of runtime errors: Errors, Parse Errors, and Warnings.

Errors

Errors are exceptional events occurring during the execution of a command that cause the command to abort.

Even though Errors can occur due to a large number of reasons, the most common causes can be categorized as follows:
    Invalid query syntax: the query specified in the command is invalid.
    Input Format errors: the specified Input Format has encountered an error that prevents it from generating input records. This could happen, for example, when the FROM clause specifies an entity (e.g. a file) that does not exist.
    Output Format errors: the specified Output Format has encountered an error that prevents it from consuming output records. This could happen, for example, when the INTO clause specifies an entity (e.g. a file) that cannot be written to.
    Too many Parse Errors: the specified Input Format has encountered too many Parse Errors, as specified by the "-e" command-line global parameter.
    Catastrophic errors: for example, Log Parser ran out of memory.

When an error occurs, the Log Parser command-line executable aborts the query execution and returns the error message and the error code. When an error occurs while using the Log Parser scriptable COM components, a COM exception is thrown containing the error message and the error code. In most cases, the error code returned is the internal system error code that caused the error.

Parse Errors

Parse Errors are errors that occur while the selected Input Format generates the data on which the query operates. Most of the time, as the name suggests, these errors are generated when a log has malformed entries (for example, when using the IISW3C Input Format), or when a system error prevents an Input Format from processing a specific entry in the data (for example, an "access denied" error on a file when using the FS Input Format). In any event, the presence of a Parse Error indicates that the Input Format had to skip the data entry that caused the error; for example, when a Parse Error is encountered by the IISW3C Input Format while parsing a malformed line in the log, that line will be skipped and it will not be processed by the SQL engine.

Parse Errors do not generally cause early termination of the currently executing command, but rather, they are collected internally by the SQL engine and reported when the command execution is complete. This behavior can be controlled with the -e command-line global parameter. The value used with this parameter specifies a maximum number of Parse Errors to collect internally before aborting the execution of the command. For example, if we execute a query on an IISW3C log file specifying "-e:10", Log Parser will collect up to 10 Parse Errors during the execution of the command. If the IISW3C Input Format encounters 10 or fewer Parse Errors, the command will complete successfully, and the collected Parse Errors will be reported in detail at the end of the execution. On the other hand, if the input log file contains more than 10 malformed log lines, the 11th Parse Error will cause the command to abort and return an Error.

The default value for this command-line parameter is -1, which is a special value causing the SQL engine to ignore all Parse Errors and report only the total number of Parse Errors encountered during the execution of a command.

As an example, consider the following command, which parses an IISW3C log file and writes all the input records to a CSV file:

C:\>LogParser -i:IISW3C -o:CSV "SELECT * INTO Output.csv FROM ex020528.log"

Let's assume that the "ex020528.log" log file contains 3 malformed log lines. After executing the command above, the output will be as follows:

Task completed with parse errors.
Parse errors:
3 parse errors occurred during processing

Statistics:
-----------
Elements processed: 997
Elements output:    997
Execution time:     0.03 seconds

This output tells us that the command executed successfully, but 3 Parse Errors have been encountered while processing the input data. Since the default value for the "-e" command-line parameter is -1, the SQL engine has ignored all these Parse Errors, keeping just their total count.

If we wanted these Parse Errors to be reported in detail, we could specify a value for the "-e" parameter different than -1:

C:\>LogParser -i:IISW3C -o:CSV "SELECT * INTO Output.csv FROM ex020528.log" -e:10

In this case, the output would be:

Task completed with parse errors.
Parse errors:
Error while parsing field sc-status: Error parsing StatusCode "2b00": Extra character(s) found in integer
  LogFile "C:\Logs\ex020528.log", Row number 23, Value "2b00"
Cannot find end-of-line - extra characters detected at the end of log entry
  LogFile "C:\Logs\ex020528.log", Row number 118
Log row terminates unexpectedly
  LogFile "C:\Logs\ex020528.log", Row number 188

Statistics:
-----------
Elements processed: 997
Elements output:    997
Execution time:     0.03 seconds

The command still executed successfully, and this time the 3 Parse Errors have been collected and reported at the end of the execution.

If we had specified "2" for the "-e" parameter, the SQL engine would have aborted the execution of the command, and an Error would be returned:

Task aborted.
Too many parse errors - aborting

Parse errors:
Error while parsing field sc-status: Error parsing StatusCode "2b00": Extra character(s) found in integer
  LogFile "C:\Logs\ex020528.log", Row number 23, Value "2b00"
Cannot find end-of-line - extra characters detected at the end of log entry
  LogFile "C:\Logs\ex020528.log", Row number 118
Log row terminates unexpectedly
  LogFile "C:\Logs\ex020528.log", Row number 188

Statistics:
-----------
Elements processed: 182
Elements output:    181
Execution time:     0.01 seconds

Warnings

Warnings are exceptional events occurring during the execution of a command that require attention from the user. There are only a few situations that could cause a warning, and these are handled differently depending on whether or not the warning arises during the execution of a command, or when the execution has completed.

When a warning is generated during the execution of a command, the command-line executable shows an interactive prompt to the user asking whether or not the execution should continue.

As an example, consider a command that writes output records to a CSV file. The CSV Output Format "fileMode" parameter can be used to specify what action should be taken in case the output file already exists. The value "2" specifies that already existing output files should not be overwritten; when using this option, the CSV Output Format will raise a Warning when an already existing output file will not be overwritten:

C:\>LogParser -i:EVT -o:CSV "SELECT TOP 5 Message INTO Output.csv FROM System" -fileMode:2

WARNING: File C:\LogSamples\Output.csv exists and it will not be overwritten.
Do you want to continue? [Yes/No/Ignore all]:

When this prompt appears, the user can choose between continuing the execution of the command allowing additional warnings to trigger the prompt again, aborting the execution of the command (in which case the command terminates with an Error), or continuing the execution of the command ignoring additional warnings.

The interactive prompt can be controlled with the global -iw command-line parameter. This ON/OFF parameter specifies whether or not warnings should be ignored; the default value is "OFF", meaning that runtime warnings will not be ignored and will trigger the interactive prompt. Specifying "ON", on the other hand, disables the interactive prompt, and runtime warnings will be ignored and their total count will be reported when the command execution has completed:

C:\>LogParser -i:EVT -o:CSV "SELECT TOP 5 Message INTO Output.csv FROM System" -fileMode:2 -iw:ON

Task completed with warnings.
Warnings:
1 warning occurred during processing

Statistics:
-----------
Elements processed: 5
Elements output:    5
Execution time:     0.03 seconds

Tip: If you use the Log Parser command-line executable in a non-interactive script (e.g. in a script that has been scheduled to run automatically at specific times), you should always use "ON" for the "iw" parameter, otherwise in the event of a runtime warning the Log Parser command will stall waiting for a user to press a key in the interactive prompt.

Warnings that are generated when a command has completed are simply reported to the user.

For example, the "ignoreDspchErrs" parameter of the SYSLOG Output Format can be used to specify whether or not errors occurring while dispatching output records should be ignored and reported as warnings at the end of the execution. The following example command uses the SYSLOG Output Format to send output records to a non-existing user:

C:\>LogParser -i:EVT -o:SYSLOG "SELECT TOP 5 Message INTO NonExistingUser FROM System" -ignoreDspchErrs:ON

Since the specified user does not exist, the SYSLOG Output Format will encounter an error for each output record it will try to send to the user; the "ON" value for the "ignoreDspchErrs" tells the output format to ignore these errors and report all of them when the execution has completed:

Task completed with warnings.
Warnings:
The following dispatch errors occurred:
  The message alias could not be found on the network. (5 times)

Statistics:
-----------
Elements processed: 5
Elements output:    5
Execution time:     0.02 seconds
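
With "-e:-1" and "-iw:ON" a scheduled run finishes quietly even though input entries were skipped or warnings were ignored, so the console summary is the only trace. The following added example (not part of the Log Parser documentation or product) parses the summary layouts shown in the Parse Errors and Warnings sections and lists reasons to alert; the sample texts are constructed from this page's outputs, and the names `parse_summary` and `alert_reasons`, the status labels, and the treatment of a summary without a banner are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples, laid out like the console summaries shown on this page.
COUNT_ONLY = """\
Task completed with parse errors.
Parse errors:
3 parse errors occurred during processing

Statistics:
-----------
Elements processed: 997
Elements output:    997
Execution time:     0.03 seconds
"""

ABORTED = """\
Task aborted.
Too many parse errors - aborting

Parse errors:
Error while parsing field sc-status: Error parsing StatusCode "2b00": Extra character(s) found in integer
  LogFile "C:\\Logs\\ex020528.log", Row number 23, Value "2b00"
Cannot find end-of-line - extra characters detected at the end of log entry
  LogFile "C:\\Logs\\ex020528.log", Row number 118
Log row terminates unexpectedly
  LogFile "C:\\Logs\\ex020528.log", Row number 188

Statistics:
-----------
Elements processed: 182
Elements output:    181
Execution time:     0.01 seconds
"""

WARNED = """\
Task completed with warnings.
Warnings:
1 warning occurred during processing

Statistics:
-----------
Elements processed: 5
Elements output:    5
Execution time:     0.03 seconds
"""

# Banner text -> status label (the labels are this example's own).
BANNERS = [
    ("Task aborted", "aborted"),
    ("Task completed with parse errors", "parse_errors"),
    ("Task completed with warnings", "warnings"),
]

@dataclass
class Summary:
    status: str
    parse_errors: int = 0
    warnings: int = 0
    skipped_rows: List[Tuple[str, int]] = field(default_factory=list)
    processed: Optional[int] = None
    output: Optional[int] = None

def _int_after(label: str, text: str) -> Optional[int]:
    m = re.search(re.escape(label) + r"\s*(\d+)", text)
    return int(m.group(1)) if m else None

def parse_summary(text: str) -> Summary:
    """Extract status, parse-error and warning counts from a console summary."""
    status = next((name for banner, name in BANNERS if banner in text), None)
    if status is None:
        # Assumption: statistics without any banner mean a clean run;
        # no statistics at all means the tool produced nothing usable.
        status = "clean" if "Elements processed:" in text else "unknown"
    s = Summary(status=status)
    # Detailed mode (-e:N) lists each skipped entry with its file and row.
    rows = re.findall(r'LogFile "([^"]+)", Row number (\d+)', text)
    s.skipped_rows = [(path, int(row)) for path, row in rows]
    # Count-only mode (-e:-1) prints just the total.
    total = re.search(r"(\d+) parse errors? occurred", text)
    s.parse_errors = int(total.group(1)) if total else len(rows)
    warned = re.search(r"(\d+) warnings? occurred", text)
    s.warnings = int(warned.group(1)) if warned else 0
    s.processed = _int_after("Elements processed:", text)
    s.output = _int_after("Elements output:", text)
    return s

def alert_reasons(s: Summary, tolerated_parse_errors: int = 0) -> List[str]:
    """Reasons a scheduled job should raise an alert; an empty list means none."""
    reasons = []
    if s.status in ("aborted", "unknown"):
        reasons.append("run " + s.status + ": results are incomplete")
    if s.parse_errors > tolerated_parse_errors:
        reasons.append("%d input entries were skipped" % s.parse_errors)
    if s.status == "warnings":
        reasons.append("warnings were raised during the run")
    return reasons
```

Running with a non-negative "-e" value is what makes `skipped_rows` available, so the affected log rows can be reviewed instead of only counted.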

Writing a Query

With Log Parser you use Queries written in a dialect of the SQL language to specify the operations that transform input records generated by an Input Format into output records that are delivered to an Output Format.

In this section we will cover the eight basic building blocks of the SQL-Like queries that you can use with Log Parser to perform different processing tasks.

Basics of a Query

The most simple query that can be written with Log Parser specifies that all the Input Records generated by an Input Format are to be delivered to an Output Format with no intervening processing.

For example, let's assume that we want to visualize all the fields of all the events in the System Event Log. To perform this task, we first have to specify the EVT Input Format as the source of our input records, and we do so by using the "-i:EVT" command-line parameter. Then, we can choose the NAT Output Format as the consumer of our output records, since this Output Format is specifically designed to print output records to the console window; we do so by using the "-o:NAT" command-line parameter. Finally, we specify the SQL query that performs the desired task; the complete command is as follows:

C:\>LogParser -i:EVT -o:NAT "SELECT * FROM System"

The query above contains the two basic building blocks of each possible query: the SELECT clause, and the FROM clause.

The SELECT clause is used to specify which input record fields we want to appear in the output records; in this example, the special "*" wildcard means "all the fields".

The FROM clause is used to specify which specific data source we want the Input Format to process. Different Input Formats interpret the value of the FROM clause in different ways; for instance, the EVT Input Format requires the value of the FROM clause to be the name of a Windows Event Log, which in our example is the "System" Event Log.

To be precise, the INTO clause should appear in every query as well. The INTO clause is used to specify the target we want the Output Format to write data to. In our example, we want the NAT Output Format to display results to the console window. This is accomplished by specifying "STDOUT" for the value of the INTO clause, as in the following example:

C:\>LogParser -i:EVT -o:NAT "SELECT * INTO STDOUT FROM System"

When a query does not specify an INTO clause, the NAT Output Format automatically selects "STDOUT" as its target, so in our example we can eliminate the INTO clause altogether.

Tip: When you use the NAT Output Format to display results to the console window, Log Parser prints 10 lines before pausing the printout and prompting the user to press a key to display the next 10 lines. To override this behavior, you can use the "-rtp" parameter of the NAT Output Format to specify the number of lines to be printed before pausing; if you want to disable the pause altogether and have Log Parser display all the records in a single printout, use the "-1" value.

Selecting Specific Fields

When you execute the basic query above, Log Parser prints all the fields of all the events in the System Event Log to the console window. Most of the time, a printout of all of the 14 fields of the Event Log records might not be desired. For example, we might only want to see the time at which each event was generated, the type of the event, and the name of the source of the event. To accomplish this, we have to substitute the "*" wildcard in the SELECT clause with a comma-separated list of the names of the fields we wish to be displayed. We can see the names of the fields in the EVT Input Format records by typing the following help command:

C:\>LogParser -h -i:EVT

The output of this command gives a detailed overview of the EVT Input Format, including a "Fields" section describing the structure of the records produced:

Fields:
    EventLog (S)           RecordNumber (I)       TimeGenerated (T)
    TimeWritten (T)        EventID (I)            EventType (I)
    EventTypeName (S)      EventCategory (I)      EventCategoryName (S)
    SourceName (S)         Strings (S)            ComputerName (S)
    SID (S)                Message (S)            Data (S)

From the fields listing, we understand that the fields we are interested in are named "TimeGenerated", "EventTypeName", and "SourceName"; we can now rewrite our command as:

C:\>LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, SourceName FROM System"

Tip: Field names are case-insensitive.

Tip: If a field name contains spaces, you need to enclose it in square brackets ('[' and ']') for Log Parser to be able to recognize it.

The output of this command contains three columns, one for each of the fields we have selected:

TimeGenerated       EventTypeName     SourceName
------------------- ----------------- -----------------------
2004-03-14 18:56:55 Warning event     W32Time
2004-03-14 14:02:23 Information event Disk
2004-03-14 14:02:23 Information event Disk
2004-03-14 12:00:00 Information event EventLog
2004-03-14 00:41:47 Warning event     W32Time
2004-03-13 22:17:00 Information event Service Control Manager
2004-03-13 22:06:48 Information event Service Control Manager
2004-03-13 22:06:48 Information event Service Control Manager
2004-03-13 12:00:00 Information event EventLog
2004-03-12 22:30:47 Information event Service Control Manager

This example illustrates the most simple transformation that you can achieve with the Log Parser SQL language: transforming an input record made up of a number of fields into an output record made up of a subset of these fields; in SQL terms, this transformation is called projection.

Using Functions

Functions are very powerful elements of the Log Parser SQL-Like language that take values as arguments, do some processing, and return a new value. The Log Parser SQL-Like language supports a wide variety of functions, including arithmetical functions (e.g. ADD, SUB, MUL, DIV, MOD, QUANTIZE, etc.), string manipulation functions (e.g. SUBSTR, STRCAT, STRLEN, EXTRACT_TOKEN, etc.), and timestamp manipulation functions (e.g. TO_DATE, TO_TIME, TO_UTCTIME, etc.).

Considering the previous example, assume that for the "TimeGenerated" field we only need to retrieve the date when an event has been generated, ignoring all of the time elements. To do this, we need to modify the "TimeGenerated" field with the TO_DATE function, which takes a value of type TIMESTAMP and returns a new value of type TIMESTAMP containing only the year, day, and month elements:

C:\>LogParser -i:EVT -o:NAT "SELECT TO_DATE(TimeGenerated), EventTypeName, SourceName FROM System"

The output of this command is:

TO_DATE(TimeGenerated) EventTypeName     SourceName
---------------------- ----------------- -----------------------
2004-03-14             Warning event     W32Time
2004-03-14             Information event Disk
2004-03-14             Information event Disk
2004-03-14             Information event EventLog
2004-03-14             Warning event     W32Time
2004-03-13             Information event Service Control Manager
2004-03-13             Information event Service Control Manager
2004-03-13             Information event Service Control Manager
2004-03-13             Information event EventLog
2004-03-12             Information event Service Control Manager

Functions can also appear as arguments of other functions. For example, instead of the event type name shown in the output above, we might want the first word only ("Warning", "Information", etc.), all in capital letters. This task can be accomplished by first using the EXTRACT_TOKEN function, which extracts specific substrings from within a string, followed by the TO_UPPERCASE function, which transforms a string into a string with all uppercase characters:

C:\>LogParser -i:EVT -o:NAT "SELECT TO_DATE(TimeGenerated), TO_UPPERCASE(EXTRACT_TOKEN(EventTypeName, 0, ' ')), SourceName FROM System"

TO_DATE(TimeGenerated) TO_UPPERCASE(EXTRACT_TOKEN(EventTypeName, 0, ' ')) SourceName
---------------------- -------------------------------------------------- -----------------------
2004-03-14             WARNING                                            W32Time
2004-03-14             INFORMATION                                        Disk
2004-03-14             INFORMATION                                        Disk
2004-03-14             INFORMATION                                        EventLog
2004-03-14             WARNING                                            W32Time
2004-03-13             INFORMATION                                        Service Control Manager
2004-03-13             INFORMATION                                        Service Control Manager
2004-03-13             INFORMATION                                        Service Control Manager
2004-03-13             INFORMATION                                        EventLog
2004-03-12             INFORMATION                                        Service Control Manager

Specifying Constants

So far we have written SELECT clauses that specify both fields and functions. There is a third kind of item that we could use in our queries: constants. Constants are special elements in the Log Parser language that represent fixed values; just like the field values, constant values can be one of the Log Parser types: INTEGER, REAL, STRING, TIMESTAMP, and NULL. Constants can be specified in queries in different ways, depending on their type.

Constant values of the INTEGER type are specified by simply typing their value; the following query:

SELECT 242, SourceName FROM SYSTEM

would produce the following output:

242 SourceName
--- ----------
242 W32Time
242 Disk
242 Disk
242 EventLog
242 W32Time

Constant values of the REAL type are specified exactly like the INTEGER values, but they are recognized as being of the REAL type by the presence of a decimal point:

SELECT 242.7, SourceName FROM SYSTEM

242.700000 SourceName
---------- ----------
242.700000 W32Time
242.700000 Disk
242.700000 Disk
242.700000 EventLog
242.700000 W32Time

STRING constants must be enclosed within single-quote characters:

SELECT 'MyConstant', SourceName FROM SYSTEM

'MyConstant' SourceName
------------ ----------
MyConstant   W32Time
MyConstant   Disk
MyConstant   Disk
MyConstant   EventLog
MyConstant   W32Time

Special characters in STRING constants can be specified by using character sequences preceded by the '\' character. For example, a single-quote character can be specified as \', while a backslash character can be specified by \\:

SELECT 'Contains\'a quote', 'Contains\\a backslash', SourceName FROM SYSTEM

'Contains'a quote' 'Contains\a backslash' SourceName
------------------ ---------------------- ----------
Contains'a quote   Contains\a backslash   W32Time
Contains'a quote   Contains\a backslash   Disk
Contains'a quote   Contains\a backslash   Disk
Contains'a quote   Contains\a backslash   EventLog
Contains'a quote   Contains\a backslash   W32Time

In addition, it is also possible to specify any UNICODE character using the \uxxxx notation, where xxxx is the 4-digit hexadecimal representation of the UNICODE character. For example, to specify a tab character (whose UNICODE value is 0009), we could type:

SELECT 'Contains\u0009a tab', SourceName FROM SYSTEM

A NULL constant can be specified with the "NULL" keyword:

SELECT NULL, SourceName FROM SYSTEM

TIMESTAMP constants are specified in the following way:

TIMESTAMP('timestamp value', 'timestamp format')

For more information regarding timestamp values, constants, and format specifications, refer to the Timestamp Reference.

In the Log Parser SQL language, the three terms that can be specified in a SQL query (fields, functions, and constants) are collectively referred to as field-expressions.
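
When a script assembles a query from a value it did not choose itself, the escape rules for STRING constants decide whether that value stays inside its constant or spills into the query text. This added example (not from the Log Parser documentation) applies the \', \\ and \uxxxx rules described in this section and checks the result with a small reader for the same subset of escapes; the function names and the sample value are hypothetical, and the query shape is the SourceName filter used elsewhere on this page.

```python
import re


def to_string_literal(value):
    """Render value as a Log Parser STRING constant using this page's escapes."""
    parts = []
    for ch in value:
        if ch == "\\":
            parts.append("\\\\")               # backslash -> \\
        elif ch == "'":
            parts.append("\\'")                # single quote -> \'
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            parts.append("\\u%04x" % ord(ch))  # control character -> \uxxxx
        else:
            parts.append(ch)
    return "'" + "".join(parts) + "'"


def read_string_literal(query, start):
    """Decode the STRING constant that opens at query[start].

    Handles only the escapes described on this page. Returns (value, index
    just past the closing quote) and raises ValueError on anything else.
    """
    if query[start:start + 1] != "'":
        raise ValueError("no string constant at this position")
    out, i = [], start + 1
    while i < len(query):
        ch = query[i]
        if ch == "'":
            return "".join(out), i + 1
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = query[i + 1:i + 2]
        if nxt in ("'", "\\"):
            out.append(nxt)
            i += 2
        elif nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", query[i + 2:i + 6]):
            out.append(chr(int(query[i + 2:i + 6], 16)))
            i += 6
        else:
            raise ValueError("unsupported escape at offset %d" % i)
    raise ValueError("unterminated string constant")


PREFIX = ("SELECT TimeGenerated, EventTypeName, SourceName "
          "FROM System WHERE SourceName = ")


def naive_query(source_name):
    # Weak form: the value is pasted between the quotes unchanged.
    return PREFIX + "'" + source_name + "'"


def escaped_query(source_name):
    # Hardened form: the value is escaped before it enters the query text.
    return PREFIX + to_string_literal(source_name)


def value_is_contained(query, expected):
    """True when the constant after PREFIX decodes to expected and ends the query."""
    try:
        value, end = read_string_literal(query, len(PREFIX))
    except ValueError:
        return False
    return value == expected and end == len(query)


# Constructed sample value containing both characters that need escaping.
SAMPLE = "Bob's \\Agent"

if __name__ == "__main__":
    for build in (naive_query, escaped_query):
        query = build(SAMPLE)
        print(build.__name__, value_is_contained(query, SAMPLE), query)
```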

Aliasing Field-Expressions

Consider again one of the examples seen in this section:

C:\>LogParser -i:EVT -o:NAT "SELECT TO_DATE(TimeGenerated), TO_UPPERCASE(EXTRACT_TOKEN(EventTypeName, 0, ' ')), SourceName FROM System"

TO_DATE(TimeGenerated) TO_UPPERCASE(EXTRACT_TOKEN(EventTypeName, 0, ' ')) SourceName
---------------------- -------------------------------------------------- -----------------------
2004-03-14             WARNING                                            W32Time
2004-03-14             INFORMATION                                        Disk
2004-03-14             INFORMATION                                        Disk
2004-03-14             INFORMATION                                        EventLog
2004-03-14             WARNING                                            W32Time
2004-03-13             INFORMATION                                        Service Control Manager
2004-03-13             INFORMATION                                        Service Control Manager
2004-03-13             INFORMATION                                        Service Control Manager
2004-03-13             INFORMATION                                        EventLog
2004-03-12             INFORMATION                                        Service Control Manager

We can see that for each field in the output record, the NAT Output Format prints a column header with the name of that field. By default, output record fields are named with the full field-expression text that generates them; in our example, the name of the first output record field is "TO_DATE(TimeGenerated)", which mirrors exactly the field-expression text used in the SELECT clause.

We can change the name of a field-expression in the SELECT clause by using an Alias. In order to alias a field-expression in the SELECT clause, we can use the AS keyword followed by the new name:

C:\>LogParser -i:EVT -o:NAT "SELECT TO_DATE(TimeGenerated) AS DateGenerated, TO_UPPERCASE(EXTRACT_TOKEN(EventTypeName, 0, ' ')) AS TypeName, SourceName FROM System"

DateGenerated TypeName    SourceName
------------- ----------- -----------------------
2004-03-14    WARNING     W32Time
2004-03-14    INFORMATION Disk
2004-03-14    INFORMATION Disk
2004-03-14    INFORMATION EventLog
2004-03-14    WARNING     W32Time
2004-03-13    INFORMATION Service Control Manager
2004-03-13    INFORMATION Service Control Manager
2004-03-13    INFORMATION Service Control Manager
2004-03-13    INFORMATION EventLog
2004-03-12    INFORMATION Service Control Manager

Aliasing a field-expression means assigning a name to it; as we will see later, this name can also be used anywhere else in the query as a shortcut that refers to the original field-expression.
Page 40

Filtering Input Records
When retrieving data from an Input Format, it is often needed to filter out unneeded records and only keep those that match specific criteria.
For example, consider the simple command seen in the previous section, which returns selected fields from all of the events in the System event log:
C:\>LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, SourceName FROM System"
TimeGenerated       EventTypeName     SourceName
------------------- ----------------- -----------------------
2004-03-14 18:56:55 Warning event     W32Time
2004-03-14 14:02:23 Information event Disk
2004-03-14 14:02:23 Information event Disk
2004-03-14 12:00:00 Information event EventLog
2004-03-14 00:41:47 Warning event     W32Time
2004-03-13 22:17:00 Information event Service Control Manager
2004-03-13 22:06:48 Information event Service Control Manager
2004-03-13 22:06:48 Information event Service Control Manager
2004-03-13 12:00:00 Information event EventLog
2004-03-12 22:30:47 Information event Service Control Manager
Let's now assume that we are only interested in the events generated by the "Service Control Manager" source. To accomplish this task, we can use another basic building block of the Log Parser SQL-Like language: the WHERE clause.
The WHERE clause is used to specify a boolean expression that must be satisfied by an input record for that record to be output. Input records that do not satisfy the condition will be discarded. In SQL terms, filtering records with the WHERE clause is a transformation called selection.
Using the WHERE clause, we can rewrite the previous command as follows:
C:\>LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, SourceName FROM System WHERE SourceName = 'Service Control Manager'"
Tip: The WHERE clause must immediately follow the FROM clause.
The output of this command is:
TimeGenerated       EventTypeName     SourceName
------------------- ----------------- -----------------------
2004-03-13 22:17:00 Information event Service Control Manager
2004-03-13 22:06:48 Information event Service Control Manager
2004-03-13 22:06:48 Information event Service Control Manager
2004-03-12 22:30:47 Information event Service Control Manager
2004-03-12 22:12:32 Information event Service Control Manager
2004-03-12 21:09:14 Information event Service Control Manager
Let's analyze in detail the WHERE clause used in this example. The boolean condition that we have used is a very simple one: we only want those input records whose "SourceName" field has the exact value of "Service Control Manager". To specify this condition, we have used the "=" relational operator, with the left operand being the "SourceName" field, and the right operand being a STRING constant.

Complex Conditions
Conditions specified in the WHERE clause can be more complex, making use of comparison operators (such as ">", "<=", "<>", "LIKE", "BETWEEN", etc.) and boolean operators (such as "AND", "OR", "NOT").
For example, we might only want to see two kinds of events:
Events generated by the "Service Control Manager" source whose EventID is greater than or equal to 7024;
Events generated by the "W32Time" source.
To accomplish this, the query can be written as follows:
SELECT TimeGenerated, EventTypeName, SourceName
FROM System
WHERE ( SourceName = 'Service Control Manager' AND EventID >= 7024 ) OR
      ( SourceName = 'W32Time' )
As another example, we might want to see all the events that have been logged in the past 24 hours. Translated into WHERE terms, this means that we only want to see records whose "TimeWritten" field is greater than or equal to the current local time minus 1 day:
SELECT *
FROM System
WHERE TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-02', 'yyyy-MM-dd') )
Tip: In Log Parser the origin of time is day 1 of month 1 of year zero. This means that a time span of one day can be specified as day 2 of month 1 of year zero, i.e. 24 hours after the origin of time.
To see security events whose "Message" field contains the word "logon", we can use the LIKE operator, which tests a STRING value for case-insensitive pattern matching:
SELECT *
FROM Security
WHERE Message LIKE '%logon%'
If we want to retrieve events with an ID belonging to a specific set of values, we can use the IN operator followed by a list of the desired "EventID" values:
SELECT *
FROM Security
WHERE EventID IN (547; 541; 540; 528)
Tip: With the IN operator, single values are separated by the semicolon character.
On the other hand, if we want to retrieve events with an ID belonging to a specific range of values, we can use the BETWEEN operator as follows:
SELECT *
FROM Security
WHERE EventID BETWEEN 528 AND 547

Sorting Output Records
A commonly used building block of SQL queries is the ORDER BY clause. The ORDER BY clause can be used to specify that the output records should be sorted according to the values of selected fields.
In the following example, we are using the FS Input Format to retrieve a listing of the files in a specific directory, sorting the listing by the file size:
C:\>LogParser -i:FS -o:NAT "SELECT Path, Size FROM C:\MyDirectory\*.* ORDER BY Size"
Path                                    Size
--------------------------------------- ----
C:\MyDirectory\..                       0
C:\MyDirectory\.                        0
C:\MyDirectory\ieexec.exe.config        140
C:\MyDirectory\csc.exe.config           163
C:\MyDirectory\vbc.exe.config           163
C:\MyDirectory\jsc.exe.config           163
C:\MyDirectory\l_except.nlp             168
C:\MyDirectory\caspol.exe.config        353
C:\MyDirectory\ilasm.exe.config         353
C:\MyDirectory\ConfigWizards.exe.config 353
Tip: The ORDER BY clause must be the last clause appearing in a Log Parser SQL query.
By default, output records are sorted according to ascending values. We can change the sort direction by appending the DESC (for descending) or ASC (for ascending) keywords to the ORDER BY clause, as in the following example:
C:\>LogParser -i:FS -o:NAT "SELECT Path, Size FROM C:\MyDirectory\*.* ORDER BY Size DESC"
Path                                    Size
--------------------------------------- -------
C:\MyDirectory\mscorsvr.dll             2494464
C:\MyDirectory\mscorwks.dll             2482176
C:\MyDirectory\corperfmonsymbols.ini    2435148
C:\MyDirectory\mscorlib.dll             2088960
C:\MyDirectory\System.Windows.Forms.dll 2039808
C:\MyDirectory\System.Design.dll        1699840
C:\MyDirectory\mscorcfg.dll             1564672
Tip: Unlike the standard SQL language, the Log Parser SQL-Like language supports only one DESC or ASC keyword for the whole ORDER BY clause.
If we want our listing to be sorted first by file size and then by file creation time, we can do so by specifying both field-expressions in the ORDER BY clause:
C:\>LogParser -i:FS -o:NAT "SELECT Name, Size, CreationTime FROM C:\MyDirectory\*.* ORDER BY Size, CreationTime"
Name                     Size CreationTime
------------------------ ---- -----------------------
..                       0    2004-05-24 08:14:07.221
.                        0    2004-05-24 08:14:07.221
ieexec.exe.config        140  2004-05-24 08:14:21.441
csc.exe.config           163  2004-05-24 08:14:21.191
jsc.exe.config           163  2004-05-24 08:14:21.762
vbc.exe.config           163  2004-05-24 08:14:26.599
l_except.nlp             168  2004-05-24 08:14:21.812
caspol.exe.config        353  2004-05-24 08:14:20.920
ConfigWizards.exe.config 353  2004-05-24 08:14:21.21
cvtres.exe.config        353  2004-05-24 08:14:21.251
Since the sort operation is performed on output records, the Log Parser SQL-Like language requires that field-expressions appearing in the ORDER BY clause must also appear in the SELECT clause. In other words, the set of field-expressions in the ORDER BY clause must be a subset of the field-expressions in the SELECT clause. Thus, the following example is NOT correct:
SELECT SourceName, EventID
FROM System
ORDER BY TimeGenerated
On the other hand, the following example IS correct:
SELECT SourceName, EventID, TimeGenerated
FROM System
ORDER BY TimeGenerated

Aggregating Data Within Groups
All the query examples that we have seen so far share a common characteristic: the values of each output record were built upon the values of a single input record. Sometimes, however, we might need to aggregate multiple input records together and perform some operation on groups of input records. To accomplish this task, the Log Parser SQL-Like language has a special set of functions that can be used to perform basic calculations on multiple records. These aggregate functions (also referred to as "SQL functions") include SUM, COUNT, MAX, MIN, and AVG.

Aggregating Data
To show a classic example of the use of aggregate functions, assume that given an IIS W3C log file, we want to calculate the total number of bytes sent by the IIS server during the whole period recorded in the log file. Considering that the number of bytes sent by the IIS server for each HTTP request is logged in the "sc-bytes" field, our command will look like the following example:
C:\>LogParser -i:IISW3C -o:NAT "SELECT SUM(sc-bytes) FROM ex040528.log"
Since the SELECT clause of this query makes use of the SUM aggregate function, the query will automatically aggregate all the input records, and calculate the sum of all the values of the "sc-bytes" field across all the input records; the output of this command will then look like the following output:
SUM(sc-bytes)
-------------
242834732
As the example shows, the result of the query is a single output record, containing a single value calculated across all the input records.
As another example, we might want to calculate how many requests have been logged in the log file. Considering that each log file entry represents a single HTTP request, this task can be accomplished by simply counting how many input records are logged in the file:
C:\>LogParser -i:IISW3C -o:NAT "SELECT COUNT(*) FROM ex040528.log"
The example above makes use of the COUNT aggregate function. When used with the special "*" argument, the COUNT function returns the total number of input records processed by the query.
If we want to calculate how many requests satisfy a particular condition, for example how many requests were for an ASP page, we can add a WHERE clause to the query, and the COUNT function will only count input records satisfying the WHERE condition:
SELECT COUNT(*)
FROM ex040528.log
WHERE EXTRACT_EXTENSION(cs-uri-stem) LIKE 'asp'

Creating Groups
In the examples above, we have been using aggregate functions to calculate a value across all the input records; sometimes, however, we might want to calculate values across groups of input records.
As an example, we might want to calculate the total number of bytes sent by the IIS server for each URL. To perform this task, we need to divide all the input records into groups according to the URL requested, and then use the SUM aggregate function separately on each group.
This can be accomplished by using another building block of the Log Parser SQL language: the GROUP BY clause. The GROUP BY clause is used to specify which fields we want the group subdivision to be based on; after the input records have been divided into these groups, all the aggregate functions in the SELECT clause will be calculated separately on each of these groups, and the query will return an output record for each group created.
Using the GROUP BY clause, our example query and its output will look like this:
SELECT cs-uri-stem, COUNT(*)
FROM ex040528.log
GROUP BY cs-uri-stem
cs-uri-stem            COUNT(*)
---------------------- --------
/Home/default.asp      5
/Home/images/bckgd.gif 419
/Docs/expl.htm         12
/Docs/main.htm         26
/login/frmx.dll        1
To make another example, assume that we want to calculate how many requests have been served for each page type (ASP, html, CSS, etc.). First of all, we need to create separate groups according to the extension of the URL; after this group subdivision has been done, we can calculate a COUNT(*) on each group:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*)
FROM ex040528.log
GROUP BY PageType
The output will look like:
PageType COUNT(ALL *)
-------- ------------
htm      115
css      22
gif      585
exe      25
nsf      142
swf      11
jpg      77
html     1
dll      1
asp      5
js       11
class    5
If we sort the output above according to the number of requests for each group, we will be creating a list showing the most requested page types first:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*) AS PageTypeHits
FROM ex040528.log
GROUP BY PageType
ORDER BY PageTypeHits DESC
The output will look like:
PageType PageTypeHits
-------- ------------
gif      585
nsf      142
htm      115
jpg      77
exe      25
css      22
js       11
swf      11
asp      5
class    5
dll      1
html     1
Groups can also be built on multiple fields, thus creating a hierarchy of groups.
For example, consider the following query:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, sc-status, COUNT(*)
FROM ex040528.log
GROUP BY PageType, sc-status
This query creates groups according to the requested page type, and within each of these groups, sub-groups are created according to the HTTP status sent by the IIS server for the group page type; the aggregate function "COUNT" will then be calculated on each sub-group. The output will look like:
PageType sc-status PageTypeHits
-------- --------- ------------
htm      304       79
css      304       10
gif      304       450
exe      200       25
nsf      200       129
swf      200       3
gif      404       12
css      404       9
htm      200       34
css      200       3
jpg      200       17
gif      200       123
jpg      304       60
swf      304       8
nsf      403       3
html     404       1
dll      500       1
asp      200       5
js       304       7
class    304       4
js       200       4
htm      404       2
class    200       1
nsf      304       9
nsf      302       1
It's important to note a particular language constraint derived from the use of the GROUP BY clause. Whenever a query contains a GROUP BY clause, its SELECT clause can only contain any of the following:
Aggregate functions
Field-expressions appearing also in the GROUP BY clause, or deriving from the field-expressions used in the GROUP BY clause
Constants
In other words, the following example is a correct query:
SELECT 'hello', TO_UPPERCASE(cs-uri-stem), COUNT(*), SUM(sc-bytes)
FROM ex040528.log
GROUP BY cs-uri-stem
In fact, the SELECT clause in the example above contains:
A constant ("'hello'");
A field-expression ("TO_UPPERCASE(cs-uri-stem)") whose argument appears in the GROUP BY clause;
Two aggregate functions.
However, the following example is NOT a correct query:
SELECT date, COUNT(*), SUM(sc-bytes)
FROM ex040528.log
GROUP BY cs-uri-stem
The SELECT clause in the example above contains a field-expression ("date") that does not appear in the GROUP BY clause.
The following example is also NOT a correct query:
SELECT TO_UPPERCASE(cs-uri-stem), COUNT(*), SUM(sc-bytes)
FROM ex040528.log
GROUP BY SUBSTR(TO_UPPERCASE(cs-uri-stem), 0, 5)
The SELECT clause in the example above contains a field-expression ("TO_UPPERCASE(cs-uri-stem)") that is not derived from any field-expression in the GROUP BY clause; in this case, it's actually the field-expression in the GROUP BY clause that is derived from a field-expression in the SELECT clause. The previous example can be corrected as follows:
SELECT SUBSTR(TO_UPPERCASE(cs-uri-stem), 0, 5), COUNT(*), SUM(sc-bytes)
FROM ex040528.log
GROUP BY SUBSTR(TO_UPPERCASE(cs-uri-stem), 0, 5)

Calculating Percentages
When working with groups and aggregate functions, it is often needed to represent an aggregate value as a percentage, rather than as an absolute value. We might want, for example, to calculate the number of hits per page type from a Web server log as a percentage relative to the total number of hits, rather than as the absolute number itself.
Consider the previous example query, which calculates the count of hits per requested page type:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*)
FROM ex040528.log
GROUP BY PageType
PageType COUNT(ALL *)
-------- ------------
htm      115
css      22
gif      585
exe      25
nsf      142
swf      11
jpg      77
html     1
dll      1
asp      5
js       11
class    5
If we wanted to calculate the percentage of hits for each group, we would need to divide the number of hits within each group by the total number of hits in the whole log file; however, the use of the GROUP BY clause restricts each aggregate function to operate within the single groups, thus making it impossible to calculate at the same time the total number of hits across all groups.
To work around this problem, we use two special aggregate functions available in the Log Parser SQL language: PROPCOUNT and PROPSUM. When used in their basic forms, these functions calculate the ratio of the COUNT or ADD aggregate functions within a group to the COUNT or ADD aggregate functions on all of the input records.
Using the PROPCOUNT function, we can change the query above as follows:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, PROPCOUNT(*)
FROM ex040528.log
GROUP BY PageType
And obtain:
PageType PROPCOUNT(ALL *)
-------- ----------------
htm      0.115000
css      0.022000
gif      0.585000
exe      0.025000
nsf      0.142000
swf      0.011000
jpg      0.077000
html     0.001000
dll      0.001000
asp      0.005000
js       0.011000
class    0.005000
To show real percentages, we can multiply the aggregate function values by 100:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, MUL(PROPCOUNT(*), 100.0) AS PageTypeHits
FROM ex040528.log
GROUP BY PageType
PageType PageTypeHits
-------- ------------
htm      11.500000
css      2.200000
gif      58.500000
exe      2.500000
nsf      14.200000
swf      1.100000
jpg      7.700000
html     0.100000
dll      0.100000
asp      0.500000
js       1.100000
class    0.500000
From the results of this query we can infer that, for example, requests to "css" pages represent 2.2% of the total number of requests in this log file.

Calculating Percentages Across Multiple Group Hierarchies
The examples above show the basic form of the PROPCOUNT and PROPSUM functions, which calculates the percentage of an aggregate function within a group relative to all of the input records. However, it is also possible to use the PROPCOUNT and PROPSUM functions to calculate percentages relative to hierarchically higher groups. To do so, we can use the ON keyword after the PROPCOUNT or PROPSUM function name followed by a list of the GROUP BY field-expressions identifying which hierarchically higher group we want the percentage to be relative to.
Consider one of the previous examples, in which we calculated the total number of hits per page type per HTTP status code, modified to show percentages rather than absolute numbers:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, sc-status, MUL(PROPCOUNT(*), 100.0) AS Hits
FROM ex040528.log
GROUP BY PageType, sc-status
ORDER BY PageType, sc-status
PageType sc-status Hits
-------- --------- ---------
asp      200       0.500000
class    200       0.100000
class    304       0.400000
css      200       0.300000
css      304       1.000000
css      404       0.900000
dll      500       0.100000
exe      200       2.500000
gif      200       12.300000
gif      304       45.000000
gif      404       1.200000
htm      200       3.400000
htm      304       7.900000
htm      404       0.200000
html     404       0.100000
jpg      200       1.700000
jpg      304       6.000000
js       200       0.400000
js       304       0.700000
nsf      200       12.900000
nsf      302       0.100000
nsf      304       0.900000
nsf      403       0.300000
swf      200       0.300000
swf      304       0.800000
The "Hits" field shows the percentage of hits for a page type and HTTP status code relative to the total number of hits.
If we wanted to calculate the percentage of hits for a page type and HTTP status code relative to the number of hits for that page type (i.e. the distribution of HTTP status codes within each page type), we would have written the query as follows:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, sc-status, MUL(PROPCOUNT(*) ON (PageType), 100.0) AS Hits
FROM ex040528.log
GROUP BY PageType, sc-status
ORDER BY PageType, sc-status
The output would be:
PageType sc-status Hits
-------- --------- ----------
asp      200       100.000000
class    200       20.000000
class    304       80.000000
css      200       13.636364
css      304       45.454545
css      404       40.909091
dll      500       100.000000
exe      200       100.000000
gif      200       21.025641
gif      304       76.923077
gif      404       2.051282
htm      200       29.565217
htm      304       68.695652
htm      404       1.739130
html     404       100.000000
jpg      200       22.077922
jpg      304       77.922078
js       200       36.363636
js       304       63.636364
nsf      200       90.845070
nsf      302       0.704225
nsf      304       6.338028
nsf      403       2.112676
swf      200       27.272727
swf      304       72.727273
We can now infer that, for example, about 45% of requests to "css" pages returned an HTTP status code of 304.
Here we have used the ON keyword followed by the "PageType" GROUP BY field-expression. This notation indicates that we want the PROPCOUNT function to calculate the ratio of the COUNT aggregate function within a single group to the COUNT aggregate function within the hierarchically higher group identified by the "PageType" field-expression.
As another example, we can modify the previous example query to create groups based on the time the request was made at (quantized at 20-second intervals), the page type, and the HTTP status code:
SELECT QUANTIZE(time, 20) AS Interval, EXTRACT_EXTENSION(cs-uri-stem) AS PageType, sc-status
FROM ex040528.log
GROUP BY Interval, PageType, sc-status
ORDER BY Interval, PageType, sc-status
For each group, we can calculate the percentage of hits relative to the number of hits within the time interval and page type, the percentage of hits relative to the number of hits within the time interval alone, and the percentage of hits relative to the total number of hits:
SELECT QUANTIZE(time, 20) AS Interval,
       EXTRACT_EXTENSION(cs-uri-stem) AS PageType,
       sc-status,
       MUL(PROPCOUNT(*) ON (Interval, PageType), 100.0) AS Hits1,
       MUL(PROPCOUNT(*) ON (Interval), 100.0) AS Hits2,
       MUL(PROPCOUNT(*), 100.0) AS Hits3
FROM ex040528.log
GROUP BY Interval, PageType, sc-status
ORDER BY Interval, PageType, sc-status
Interval PageType sc-status Hits1      Hits2     Hits3
-------- -------- --------- ---------- --------- ---------
00:28:40 css      200       20.000000  1.470588  0.100000
00:28:40 css      304       60.000000  4.411765  0.300000
00:28:40 css      404       20.000000  1.470588  0.100000
00:28:40 exe      200       100.000000 7.352941  0.500000
00:28:40 gif      200       10.000000  1.470588  0.100000
00:28:40 gif      304       70.000000  10.294118 0.700000
00:28:40 gif      404       20.000000  2.941176  0.200000
00:28:40 htm      200       11.764706  2.941176  0.200000
00:28:40 htm      304       88.235294  22.058824 1.500000
00:28:40 jpg      200       25.000000  1.470588  0.100000
00:28:40 jpg      304       75.000000  4.411765  0.300000
00:28:40 nsf      200       100.000000 35.294118 2.400000
00:28:40 swf      200       33.333333  1.470588  0.100000
00:28:40 swf      304       66.666667  2.941176  0.200000
00:29:00 ASP      200       100.000000 0.216920  0.100000
00:29:00 GIF      200       100.000000 0.433839  0.200000
00:29:00 asp      200       100.000000 0.216920  0.100000
00:29:00 class    200       50.000000  0.216920  0.100000
00:29:00 class    304       50.000000  0.216920  0.100000
00:29:00 css      200       14.285714  0.216920  0.100000
00:29:00 css      304       28.571429  0.433839  0.200000
00:29:00 css      404       57.142857  0.867679  0.400000
00:29:00 dll      500       100.000000 0.216920  0.100000
00:29:00 exe      200       100.000000 1.952278  0.900000
00:29:00 gif      200       21.794872  14.750542 6.800000
00:29:00 gif      304       76.923077  52.060738 24.000000
00:29:00 gif      404       1.282051   0.867679  0.400000
00:29:00 htm      200       34.090909  3.253796  1.500000
00:29:00 htm      304       63.636364  6.073753  2.800000
00:29:00 htm      404       2.272727   0.216920  0.100000
00:29:00 html     404       100.000000 0.216920  0.100000
00:29:00 jpg      200       35.000000  1.518438  0.700000
00:29:00 jpg      304       65.000000  2.819957  1.300000
00:29:00 js       200       50.000000  0.433839  0.200000
00:29:00 js       304       50.000000  0.433839  0.200000
00:29:00 nsf      200       94.339623  10.845987 5.000000
00:29:00 nsf      403       5.660377   0.650759  0.300000
00:29:00 swf      200       50.000000  0.433839  0.200000
00:29:00 swf      304       50.000000  0.433839  0.200000
00:29:20 NSF      200       100.000000 2.127660  0.300000
00:29:20 asp      200       100.000000 0.709220  0.100000
00:29:20 class    304       100.000000 0.709220  0.100000
00:29:20 css      304       60.000000  2.127660  0.300000
00:29:20 css      404       40.000000  1.418440  0.200000
00:29:20 exe      200       100.000000 2.836879  0.400000
00:29:20 gif      304       97.142857  48.226950 6.800000
00:29:20 gif      404       2.857143   1.418440  0.200000
00:29:20 htm      200       15.789474  2.127660  0.300000
00:29:20 htm      304       78.947368  10.638298 1.500000
00:29:20 htm      404       5.263158   0.709220  0.100000
00:29:20 jpg      200       15.384615  1.418440  0.200000
00:29:20 jpg      304       84.615385  7.801418  1.100000
00:29:20 js       200       50.000000  1.418440  0.200000
00:29:20 js       304       50.000000  1.418440  0.200000
00:29:20 nsf      200       61.111111  7.801418  1.100000
00:29:20 nsf      302       5.555556   0.709220  0.100000
00:29:20 nsf      304       33.333333  4.255319  0.600000
00:29:20 swf      304       100.000000 2.127660  0.300000
From the query results we can infer, for example, that during the "00:29:20" time interval, about 78% of the requests to "htm" pages returned the HTTP status code 304. In the same time interval, requests to "htm" pages returning the HTTP status code 304 made up about 10% of the requests, and these requests represent 1.5% of the total number of requests in the log.
The example above shows that a PROPCOUNT or PROPSUM function with no ON keyword is logically equivalent to using the ON keyword followed by an empty list of GROUP BY field-expressions, meaning that the percentage to be calculated should be relative to the highest hierarchical group identified by no field-expression, i.e. the whole set of input records.
In addition, it is also worth mentioning that the list of field-expressions specified after the ON keyword must be a proper prefix of the GROUP BY field-expressions. If, for example, the ON keyword is followed by three field-expressions, then these three field-expressions must match the first three field-expressions in the GROUP BY clause, and they must also appear in the same order as they do in the GROUP BY clause. In other words, each PROPCOUNT function in the following query is correct, since the lists of field-expressions after the ON keyword are all a proper prefix of the GROUP BY field-expressions:
SELECT QUANTIZE(time, 20) AS Interval,
       EXTRACT_EXTENSION(cs-uri-stem) AS PageType,
       sc-status,
       MUL(PROPCOUNT(*) ON (Interval, PageType), 100.0) AS Hits1,
       MUL(PROPCOUNT(*) ON (Interval), 100.0) AS Hits2
FROM ex040528.log
GROUP BY Interval, PageType, sc-status
However, none of the PROPCOUNT functions in the following query is correct, since the lists of field-expressions after the ON keyword are not a proper prefix of the GROUP BY field-expressions:
SELECT QUANTIZE(time, 20) AS Interval,
       EXTRACT_EXTENSION(cs-uri-stem) AS PageType,
       sc-status,
       MUL(PROPCOUNT(*) ON (PageType, sc-status), 100.0) AS Hits1,
       MUL(PROPCOUNT(*) ON (PageType), 100.0) AS Hits2,
       MUL(PROPCOUNT(*) ON (Interval, sc-status), 100.0) AS Hits3
FROM ex040528.log
GROUP BY Interval, PageType, sc-status
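The PROPCOUNT ... ON semantics described above, modeled in Python as an added example (this is not Log Parser code). The group counts are the per-page-type, per-status hits from this page's sample output; `propcount` and `error_heavy` are hypothetical names, and `error_heavy` goes one step beyond the text by using the per-page-type distribution to pick out page types dominated by 4xx/5xx responses.

```python
from collections import Counter

# Hits per (PageType, sc-status) group, copied from the sample output on this page.
HITS = {
    ("asp", 200): 5, ("class", 200): 1, ("class", 304): 4,
    ("css", 200): 3, ("css", 304): 10, ("css", 404): 9,
    ("dll", 500): 1, ("exe", 200): 25,
    ("gif", 200): 123, ("gif", 304): 450, ("gif", 404): 12,
    ("htm", 200): 34, ("htm", 304): 79, ("htm", 404): 2,
    ("html", 404): 1, ("jpg", 200): 17, ("jpg", 304): 60,
    ("js", 200): 4, ("js", 304): 7,
    ("nsf", 200): 129, ("nsf", 302): 1, ("nsf", 304): 9, ("nsf", 403): 3,
    ("swf", 200): 3, ("swf", 304): 8,
}
GROUP_BY = ("PageType", "sc-status")


def propcount(groups, group_by, on=()):
    """Model of MUL(PROPCOUNT(*) ON (<on>), 100.0) for every GROUP BY group.

    groups maps a tuple of GROUP BY values to COUNT(*) for that group.
    on=() is the basic form: the ratio is taken over all input records.
    """
    on = tuple(on)
    depth = len(on)
    # The ON list must be a proper prefix of the GROUP BY list, in the same order.
    if depth >= len(group_by) or tuple(group_by[:depth]) != on:
        raise ValueError(f"ON {on} is not a proper prefix of GROUP BY {tuple(group_by)}")
    # COUNT(*) of each hierarchically higher group, keyed by the prefix values.
    parents = Counter()
    for key, count in groups.items():
        parents[key[:depth]] += count
    return {key: round(100.0 * count / parents[key[:depth]], 6)
            for key, count in groups.items()}


def error_heavy(groups, group_by, threshold):
    """Groups with status >= 400 that make up at least `threshold` percent
    of the requests for their page type (PROPCOUNT(*) ON (PageType))."""
    shares = propcount(groups, group_by, on=group_by[:1])
    return sorted(key for key, pct in shares.items()
                  if key[1] >= 400 and pct >= threshold)


if __name__ == "__main__":
    per_type = propcount(HITS, GROUP_BY, on=("PageType",))
    overall = propcount(HITS, GROUP_BY)
    for key in sorted(HITS):
        print(f"{key[0]:<8} {key[1]:<9} {per_type[key]:<11.6f} {overall[key]:.6f}")
    print(error_heavy(HITS, GROUP_BY, 25.0))
```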

Filtering Groups
Consider again one of the previous examples, in which we used the COUNT aggregate function to calculate the number of times each page type has been requested:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*) AS PageTypeHits
FROM ex040528.log
GROUP BY PageType
ORDER BY PageTypeHits DESC
PageType PageTypeHits
-------- ------------
gif      585
nsf      142
htm      115
jpg      77
exe      25
css      22
js       11
swf      11
asp      5
class    5
dll      1
html     1
Let's now assume that we are only interested in seeing page types that have been requested 10 times or more.
At first glance, it might seem that we could use a WHERE clause with a condition on the value of the COUNT aggregate function to filter out the undesired groups. However, we have seen that the WHERE clause is used to filter input records, which means that this clause is evaluated before groups are created. For this reason, use of aggregate functions is not allowed in the WHERE clause.
The task at hand can be accomplished by using the HAVING clause. The HAVING clause works just like the WHERE clause, with the only difference being that the HAVING clause is evaluated after groups have been created, which makes it possible for the HAVING clause to specify aggregate functions.
Tip: The HAVING clause must immediately follow the GROUP BY clause.
Using the HAVING clause, we can write the example above as:
SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*) AS PageTypeHits
FROM ex040528.log
GROUP BY PageType
HAVING PageTypeHits >= 10
ORDER BY PageTypeHits DESC
And obtain:
PageType PageTypeHits
-------- ------------
gif      585
nsf      142
htm      115
jpg      77
exe      25
css      22
js       11
swf      11

Eliminating Duplicate Values
When working with information from logs, it is often desired to retrieve a list of some values where each element in the list appears only once, regardless of the number of times the same value appears in the original data.
As an example, consider the following query, which extracts all the domain accounts that have logged on a computer from the "Security" event log:
SELECT RESOLVE_SID(Sid) AS Account
FROM \\TESTMACHINE1\Security
WHERE EventID IN (540; 528)
The output of this query is a list of all the domain accounts appearing in each "Logon" event:
Account
------------------------------------------------
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\NETWORK SERVICE
TESTDOMAIN\TESTUSER1
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\LOCAL SERVICE
TESTDOMAIN\TESTUSER1
TESTDOMAIN\TESTUSER2
NT AUTHORITY\LOCAL SERVICE
TESTDOMAIN\TESTUSER1
If we are interested in retrieving a list in which each account name appears only once, we could use the DISTINCT keyword in the SELECT clause as follows:
SELECT DISTINCT RESOLVE_SID(Sid) AS Account
FROM \\TESTMACHINE1\Security
WHERE EventID IN (540; 528)
And obtain:
Account
------------------------------------------------
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
TESTDOMAIN\TESTUSER1
TESTDOMAIN\TESTUSER2
The DISTINCT keyword is used to indicate that the output of a query should consist of unique records; duplicate output records are discarded.
As another example, we might want to retrieve a list of all the browsers used to request pages from our IIS server, with each browser appearing only once in the list:
SELECT DISTINCT cs(User-Agent)
FROM <1>
cs(User-Agent)
--------------------------------------------------------------------
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
Mozilla/4.05+[en]
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+T312461;+Q312461)
Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
Microsoft+Data+Access+Internet+Publishing+Provider+Cache+Manager
Mozilla/2.0+(compatible;+MS+FrontPage+4.0)
MSFrontPage/4.0
Microsoft+Data+Access+Internet+Publishing+Provider+DAV
It is also possible to use the DISTINCT keyword inside the COUNT aggregate function, in order to retrieve the total number of different values appearing in the data.
For example, the following query returns the total number of different browsers and the total number of different client IP addresses that requested pages from our IIS server:
SELECT COUNT(DISTINCT cs(User-Agent)) AS Browsers,
       COUNT(DISTINCT c-ip) AS Clients
FROM <1>
Browsers Clients
-------- -------
356      3379
Tip: In the Log Parser SQL-Like language, the DISTINCT keyword can be used inside aggregate functions only when the GROUP BY clause is not used.

Retrieving a Fixed Number of Records
One of the most common log reports is a "TOP 10" list showing the top entries appearing in a ranking. This is usually achieved with a query that calculates some aggregate function within groups, orders the groups by the value of the aggregate function, and then uses the TOP keyword in the SELECT clause to return only a few records at the top of the ordered output.
As an example, the following query returns the TOP 10 URLs requested from an IIS log file:
SELECT TOP 10 cs-uri-stem AS Url,
       COUNT(*) AS Hits
FROM <1>
GROUP BY Url
ORDER BY Hits DESC
Url                            Hits
------------------------------ -----
/police/laws.nsf               25183
/cgi-bin/counts.exe            5694
/police/rulesinfo.nsf          5202
/police/laws.nsf               3980
/images/address.gif            3609
/image/1_m.jpg                 3540
/npanews0.htm                  3305
/images/tibg.gif               2955
/startopen/startopen920707.htm 2502
/police/find.nsf               2465
This kind of report is a perfect candidate for the CHART Output Format; assuming that the following query is saved in the "querytop.sql" text file, the following command will generate an image file containing a chart of the query output above:
SELECT TOP 10 cs-uri-stem AS Url,
       COUNT(*) AS Hits
INTO Urls.gif
FROM <1>
GROUP BY Url
ORDER BY Hits DESC
C:\>LogParser file:querytop.sql -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"
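The order in which WHERE, GROUP BY, HAVING, ORDER BY and TOP are applied, as described in the sections on filtering input records, filtering groups and retrieving a fixed number of records, modeled in Python. This is an added example, not Log Parser code: the log is a constructed stand-in built from the page-type hit counts shown on this page, and `build_log`, `extract_extension` and `run_query` are hypothetical names.

```python
import os
from collections import Counter

# Hits per page type, taken from the sample output on this page.
PAGE_TYPE_HITS = {"gif": 585, "nsf": 142, "htm": 115, "jpg": 77, "exe": 25,
                  "css": 22, "js": 11, "swf": 11, "asp": 5, "class": 5,
                  "dll": 1, "html": 1}


def build_log(hits):
    """Constructed stand-in for ex040528.log: one cs-uri-stem value per request."""
    return [f"/site/page{i}.{ext}" for ext, n in hits.items() for i in range(n)]


def extract_extension(uri_stem):
    """Rough equivalent of EXTRACT_EXTENSION(cs-uri-stem)."""
    return os.path.splitext(uri_stem)[1].lstrip(".")


def run_query(records, where=None, having=None, top=None):
    """Model of
         SELECT [TOP n] EXTRACT_EXTENSION(cs-uri-stem) AS PageType,
                COUNT(*) AS PageTypeHits
         FROM log [WHERE ...] GROUP BY PageType [HAVING ...]
         ORDER BY PageTypeHits DESC
    evaluated in the order the text describes."""
    # 1. WHERE sees one input record at a time; no aggregate value exists yet,
    #    which is why a condition on COUNT(*) cannot be written here.
    if where is not None:
        records = [r for r in records if where(r)]
    # 2. GROUP BY + COUNT(*): one output record per group.
    rows = list(Counter(extract_extension(r) for r in records).items())
    # 3. HAVING sees one finished group at a time, so it can test the aggregate.
    if having is not None:
        rows = [row for row in rows if having(*row)]
    # 4. ORDER BY PageTypeHits DESC. Ties are ordered by name here so the
    #    result is deterministic (a choice made for this model).
    rows.sort(key=lambda row: (-row[1], row[0]))
    # 5. TOP keeps only the first n rows of the ordered output.
    return rows if top is None else rows[:top]


LOG = build_log(PAGE_TYPE_HITS)

if __name__ == "__main__":
    # HAVING PageTypeHits >= 10, as in the "Filtering Groups" example.
    for page_type, hits in run_query(LOG, having=lambda t, n: n >= 10):
        print(f"{page_type:<8} {hits}")
    # WHERE drops image requests before grouping; TOP 2 is applied last.
    print(run_query(LOG, where=lambda r: not r.endswith((".gif", ".jpg")),
                    having=lambda t, n: n >= 10, top=2))
```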

Improving Query Readability
The functions available in the Log Parser SQL language make it possible to write complex queries operating on a very large number of possible transformations of the input fields; however, these complex queries might sometimes be cumbersome to write.
As an example, consider the task of writing a query that extracts from the Security event log all the users belonging to a specific domain that logged on this computer. For the purpose of the example, let's also assume that we want the user names as lowercase strings, and that we are writing the query as a SQL file that takes a lowercase domain name as an input parameter. At first thought, the query would look like this:
SELECT EXTRACT_TOKEN(TO_LOWERCASE(RESOLVE_SID(Sid)), 1, '\\') AS Username
FROM Security
WHERE EventID IN (540; 528) AND
      EXTRACT_TOKEN(TO_LOWERCASE(RESOLVE_SID(Sid)), 0, '\\') = '%domainname%'
To execute this query, we can use the "file:" command-line argument, specifying a value for the "domainname" parameter:
C:\>LogParser file:myquery.sql?domainname=tstdomain -i:EVT
When typing the query above, we had to repeat twice the whole expression that transforms the Sid input record field into a lowercase fully-qualified account name:
TO_LOWERCASE(RESOLVE_SID(Sid))
It would be easier if we could, in a certain sense, "assign" this expression to a "variable", and then use the variable when needed. We could definitely do that by aliasing the expression in the SELECT clause:
SELECT TO_LOWERCASE(RESOLVE_SID(Sid)) AS FQAccount,
       EXTRACT_TOKEN(FQAccount, 1, '\\') AS Username
FROM Security
WHERE EventID IN (540; 528) AND
      EXTRACT_TOKEN(FQAccount, 0, '\\') = '%domainname%'
However, the output of this query now contains an extraneous field - the fully-qualified account name:
FQAccount          Username
------------------ --------
tstdomain\testusr1 testusr1
tstdomain\testusr1 testusr1
tstdomain\testusr2 testusr2
tstdomain\testusr3 testusr3
To obviate this problem, the Log Parser SQL language supports the USING clause. The USING clause, a non-standard SQL language element, is used to declare aliases in the same way as we would in the SELECT clause, with the difference that expressions in the USING clause will not appear in the output records (unless explicitly referenced in the SELECT clause).
With the USING clause, the query above can be written as follows:
SELECT EXTRACT_TOKEN(FQAccount, 1, '\\') AS Username
USING TO_LOWERCASE(RESOLVE_SID(Sid)) AS FQAccount
FROM Security
WHERE EventID IN (540; 528) AND
      EXTRACT_TOKEN(FQAccount, 0, '\\') = '%domainname%'
Tip: The USING clause must immediately follow the SELECT clause.
The output of this query would look like the following sample output:
Username
--------
testusr1
testusr1
testusr2
testusr3

Advanced Features
Log Parser offers a unique set of features that enhance its flexibility in the most common log processing scenarios. These features include:
Parsing Input Incrementally: some input formats allow Log Parser to parse incrementally logs that grow over time.
Multiplexing Output Records: some output formats allow the output records of a query to be written to different targets, depending on the values of selected output record fields.
Converting File Formats: due to its architecture, Log Parser can be easily used to convert log files from one format to another.
Custom Plugins: Log Parser allows users to develop their own custom input formats, and use them with either the Log Parser command-line executable, or with the Log Parser scriptable COM components.
Parsing Input Incrementally

Log Parser is often used to parse logs that grow over time. For example, the IIS logs and the Windows Event Log are continuously updated with new information, and in some cases, we would like to parse these logs periodically and only retrieve the new records that have been logged since the last time. This is especially true for scenarios in which, for example, we use Log Parser to consolidate logs to a database in an almost real-time fashion, or when we use Log Parser to build a monitoring system that periodically scans logs for new entries of interest.

For these scenarios, Log Parser offers a feature that allows sequential executions of the same query to only process new data that has been logged since the last execution. This feature can be enabled with the iCheckPoint parameter of the following input formats:

- IISW3C
- NCSA
- IIS
- HTTPERR
- URLSCAN
- CSV
- TSV
- EVT
- TEXTLINE
- TEXTWORD

The "iCheckPoint" parameter is used to specify the name of a "checkpoint" file that Log Parser uses to store and retrieve information about the "position" of the last entry parsed from each of the logs that appear in a command. When we execute a command with a checkpoint file for the first time (i.e. when the specified checkpoint file does not exist), Log Parser executes the query normally and processes all the logs in the command, saving for each the "position" of the last parsed entry to the checkpoint file. If later on we execute the same command specifying the same checkpoint file, Log Parser will parse again all the logs in the command, but each log will be parsed starting after the entry that was last parsed by the previous command, thus producing records for new entries only. When the new command execution is complete, the information in the checkpoint file is updated with the new "position" of the last entry in each log.

Note: Checkpoint files are updated only when a query executes successfully. If an error causes the execution of a query to abort, the checkpoint file is not updated.

As an example, let's assume that the "MyLogs" folder contains the following text files:

- Log1.txt, 50 lines
- Log2.txt, 100 lines
- Log3.txt, 20 lines
- Log4.txt, 30 lines

Let's also assume that we want to parse these text files incrementally using the TEXTLINE Input Format, which returns an input record for each line in the input text files. In order to parse these logs incrementally, we specify the name of a checkpoint file, making sure that the file does not exist prior to the command execution. Our command would look like this:

    logparser "SELECT * FROM MyLogs\*.*" -i:TEXTLINE -iCheckPoint:myCheckPoint.lpc

When this command is executed for the first time, Log Parser will return all 200 lines from the four log files, and it will create the "myCheckPoint.lpc" checkpoint file containing the position of the last line in each of the four log files.

Tip: When the checkpoint file is specified without a path, Log Parser will create the checkpoint file in the folder currently set for the %TEMP% environment variable, usually "\Documents and Settings\<username>\Local Settings\Temp".
Page 69
Let's now assume that the "Log3.txt" file is updated, and that ten new lines are added to the log file. At this moment, the log files and the information stored in the checkpoint file will look like this:

    Log Files               Checkpoint file
    Log1.txt, 50 lines      Log1.txt, line 50
    Log2.txt, 100 lines     Log2.txt, line 100
    Log3.txt, 30 lines      Log3.txt, line 20
    Log4.txt, 30 lines      Log4.txt, line 30

If we execute again the same command, Log Parser will use the "myCheckPoint.lpc" file to determine where to start parsing each of the log files, and it will only parse and return the ten new lines in the "Log3.txt" file. When the command execution is complete, the "myCheckPoint.lpc" checkpoint file is updated to reflect the new position of the last line in the "Log3.txt" file.

If now a new "Log5.txt" file is created containing ten lines, the log files and the information stored in the checkpoint file will look like this:

    Log Files               Checkpoint file
    Log1.txt, 50 lines      Log1.txt, line 50
    Log2.txt, 100 lines     Log2.txt, line 100
    Log3.txt, 30 lines      Log3.txt, line 30
    Log4.txt, 30 lines      Log4.txt, line 30
    Log5.txt, 10 lines      not recorded

If we execute again the command, Log Parser will only parse the new "Log5.txt" file, returning its ten lines.

As another example showing how the checkpoint file is updated, let's assume now that the "Log2.txt" file is deleted. The log files and the information stored in the checkpoint file will now look like this:

    Log Files               Checkpoint file
    Log1.txt, 50 lines      Log1.txt, line 50
    non-existing            Log2.txt, line 100
    Log3.txt, 30 lines      Log3.txt, line 30
    Log4.txt, 30 lines      Log4.txt, line 30
    Log5.txt, 10 lines      Log5.txt, line 10

When we execute the command, Log Parser will detect that there are no new entries to parse, and it will return no records. However, upon updating the checkpoint file, it will determine that the "Log2.txt" file doesn't exist anymore, and it will remove all the information associated with the log file from the checkpoint file, which will now look like this:

    Log Files               Checkpoint file
    Log1.txt, 50 lines      Log1.txt, line 50
    Log3.txt, 30 lines      Log3.txt, line 30
    Log4.txt, 30 lines      Log4.txt, line 30
    Log5.txt, 10 lines      Log5.txt, line 10

At this moment the checkpoint file does not contain any more information on the "Log2.txt" file; should a new "Log2.txt" file appear again for any reason, a subsequent command would treat the file as a new file, and all of its entries would be parsed from the beginning of the file.

As a last example, let's now assume that the "Log1.txt" file is updated, but this time its size shrinks and it ends up containing ten lines only. The log files and the information stored in the checkpoint file will now look like this:

    Log Files               Checkpoint file
    Log1.txt, 10 lines      Log1.txt, line 50
    Log3.txt, 30 lines      Log3.txt, line 30
    Log4.txt, 30 lines      Log4.txt, line 30
    Log5.txt, 10 lines      Log5.txt, line 10

When we execute the command, Log Parser will detect that the size of the "Log1.txt" file has changed, but instead of growing larger, the file is actually smaller. In this situation, Log Parser assumes that the file has been replaced with a new one, and it will parse it as if it was a new file, returning all of its ten entries. After the command execution is complete, the "myCheckPoint.lpc" checkpoint file is updated to reflect the new situation, and the log files and the information stored in the checkpoint file will look like this:

    Log Files               Checkpoint file
    Log1.txt, 10 lines      Log1.txt, line 10
    Log3.txt, 30 lines      Log3.txt, line 30
    Log4.txt, 30 lines      Log4.txt, line 30
    Log5.txt, 10 lines      Log5.txt, line 10
Page 72
Incremental Parsing and Aggregated Data

It's important to note that the checkpoint file only records information about the files being parsed; it does not record information about the query being executed. In other words, when we execute a query multiple times on a set of growing files using a checkpoint file, each time the query results are calculated on the new entries only. This means that queries using aggregated data need to be handled carefully when used with checkpoint files.

As an example, consider again the four text files in the first scenario above, and the following command:

    logparser "SELECT COUNT(*) AS Total FROM MyLogs\*.*" -i:TEXTLINE -iCheckPoint:myCheckPoint.lpc

When the command is executed for the first time, the "Total" field in the output record returned by the query will be equal to 200, that is, the total number of lines in the four log files. As in the first example, let's now assume that the "Log3.txt" file is updated, and that ten new lines are added to the log file. When we execute the command again, the "Total" field in the output record returned by the query will be now equal to 10, the total number of new lines in the four log files, and not to 210, as one would expect from the total number of rows.

In cases where it is desirable to calculate aggregated data across multiple executions of the same query when using incremental parsing, a possible solution is to save the partial results of each query to temporary files, and then aggregate all the partial results with an additional step. Using the example above, we could save the result of the first query ("200") to the "FirstResults.csv" file, and the result of the second query ("10") to the "LastResults.csv" file. The two files could then be consolidated into a single file with a command like this:

    logparser "SELECT SUM(Total) FROM FirstResults.csv, LastResults.csv" -i:CSV
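The checkpoint behaviour walked through above, and the reason a COUNT(*) over a checkpointed run is only a partial result, modelled as an added Python example (not Log Parser code). The JSON checkpoint layout, the byte-offset positions and all function names are assumptions made for illustration; the page does not document the real .lpc format.

```python
import json
import os
import tempfile


def load_checkpoint(path):
    """Return {log file name: byte offset already parsed}; {} on the first run."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def incremental_parse(log_dir, checkpoint_path, query=len):
    """Run `query` over the lines added to log_dir since the last good run.

    The default query, len, plays the role of SELECT COUNT(*).
    """
    old = load_checkpoint(checkpoint_path)
    new, fresh = {}, []
    # Deleted logs are no longer listed, so they drop out of the new checkpoint.
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        start = old.get(name, 0)              # unknown file: parse from the top
        if os.path.getsize(path) < start:     # shrunk: assume it was replaced
            start = 0
        with open(path, "rb") as fh:
            fh.seek(start)
            data = fh.read()
        end = data.rfind(b"\n") + 1           # leave a half-written line for later
        fresh.extend(data[:end].decode("utf-8", "replace").splitlines())
        new[name] = start + end
    result = query(fresh)                     # an exception here aborts the run
    tmp = checkpoint_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(new, fh)
    os.replace(tmp, checkpoint_path)          # checkpoint changes only on success
    return result


def write_log(log_dir, name, lines):
    """Create or overwrite a constructed sample log holding `lines` lines."""
    path = os.path.join(log_dir, name)
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        fh.writelines(f"{name} entry {i}\n" for i in range(1, lines + 1))


def walkthrough():
    """Replay the MyLogs scenario from the text; return COUNT(*) for each run."""
    counts = []
    with tempfile.TemporaryDirectory() as root:
        logs = os.path.join(root, "MyLogs")
        os.mkdir(logs)
        ckpt = os.path.join(root, "myCheckPoint.json")
        for name, n in [("Log1.txt", 50), ("Log2.txt", 100),
                        ("Log3.txt", 20), ("Log4.txt", 30)]:
            write_log(logs, name, n)
        counts.append(incremental_parse(logs, ckpt))   # first run: all lines
        write_log(logs, "Log3.txt", 30)                 # Log3 grows by ten lines
        counts.append(incremental_parse(logs, ckpt))
        write_log(logs, "Log5.txt", 10)                 # a new file appears
        counts.append(incremental_parse(logs, ckpt))
        os.remove(os.path.join(logs, "Log2.txt"))       # Log2 is deleted
        counts.append(incremental_parse(logs, ckpt))
        tracked = sorted(load_checkpoint(ckpt))         # Log2 no longer tracked
        write_log(logs, "Log1.txt", 10)                 # Log1 shrinks to ten lines
        counts.append(incremental_parse(logs, ckpt))
    return counts, tracked


if __name__ == "__main__":
    per_run, tracked_logs = walkthrough()
    print("COUNT(*) per run:", per_run)
    print("sum of the first two partial results:", sum(per_run[:2]))
    print("logs tracked after the deletion:", tracked_logs)
```

The recorded position is taken as-is on the next run, which is why the checkpoint file needs the same protection as the logs it indexes.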
Page 74
Multiplexing Output Records

Many Log Parser output formats allow the user to specify multiple files as the target to which output records are written. This is achieved by using '*' wildcard characters in the file name specified in the INTO clause; during the execution of the query, the first fields in each output record substitute the wildcard characters to determine the resulting file name to which the output records with the remaining fields are written. In other words, this feature allows output records to be multiplexed to different target files depending on the values of the first fields in the output record.

As an example, let's assume that we want to query the Windows Event Log, and for each event source name, we want to create a CSV text file containing all the distinct event ID's generated by that source name. The command would look like the following example:

    LogParser "SELECT DISTINCT SourceName, EventID INTO Event_*.csv FROM System" -i:EVT -o:CSV

For each output record generated by this query, the "SourceName" field will be used to substitute the wildcard in the target file name, and the "EventID" field will be written to the CSV file with the resulting file name. After the command execution is complete, we will have as many CSV output files as the number of different event source names:

    C:\>dir
     Volume in drive C has no label.
     Volume Serial Number is 49B5-4736

     Directory of C:

    07/19/2004  08:56 AM    <DIR>          .
    07/19/2004  08:56 AM    <DIR>          ..
    07/19/2004  08:56 AM                13 Event_Application Popup.csv
    07/19/2004  08:56 AM                14 Event_AtiHotKeyPoller.csv
    07/19/2004  08:56 AM                23 Event_DCOM.csv
    07/19/2004  08:56 AM                33 Event_Dhcp.csv
    07/19/2004  08:56 AM                23 Event_DnsApi.csv
    07/19/2004  08:56 AM                27 Event_EventLog.csv
    07/19/2004  08:56 AM                12 Event_GEMPCC.csv
    07/19/2004  08:56 AM                13 Event_i8042prt.csv
    07/19/2004  08:56 AM                16 Event_Kerberos.csv
    07/19/2004  08:56 AM                15 Event_NETLOGON.csv
    07/19/2004  08:56 AM                15 Event_NtServicePack.csv
    07/19/2004  08:56 AM                13 Event_Print.csv
    07/19/2004  08:56 AM                23 Event_RemoteAccess.csv
    07/19/2004  08:56 AM                14 Event_SCardSvr.csv
    07/19/2004  08:56 AM                39 Event_Service Control Manager.csv
    07/19/2004  08:56 AM                21 Event_Tcpip.csv
    07/19/2004  08:56 AM                29 Event_W32Time.csv
    07/19/2004  08:56 AM                14 Event_Win32k.csv
    07/19/2004  08:56 AM                15 Event_Workstation.csv
                  19 File(s)            372 bytes
                   2 Dir(s)  34,340,712,448 bytes free

Each CSV file will contain the distinct event ID's generated by the event source:

    C:\>type Event_Tcpip.csv
    EventID
    4201
    4202

There is no limit on the number of wildcard characters that can be used in the target file names. We can modify the example above to generate a directory for each event source name, and for each event ID generated by the source, a CSV file containing the number of events logged with that ID:

    LogParser "SELECT SourceName, EventID, COUNT(*) AS Total INTO *\ID_*.csv FROM System GROUP BY SourceName, EventID" -i:EVT -o:CSV

After the command execution is complete, we will have as many directories as the number of different event source names:

    C:\>dir
     Volume in drive C has no label.
     Volume Serial Number is 49B5-4736

     Directory of C:

    07/19/2004  09:08 AM    <DIR>          .
    07/19/2004  09:08 AM    <DIR>          ..
    07/19/2004  09:08 AM    <DIR>          Application Popup
    07/19/2004  09:08 AM    <DIR>          AtiHotKeyPoller
    07/19/2004  09:08 AM    <DIR>          DCOM
    07/19/2004  09:08 AM    <DIR>          Dhcp
    07/19/2004  09:08 AM    <DIR>          DnsApi
    07/19/2004  09:08 AM    <DIR>          EventLog
    07/19/2004  09:08 AM    <DIR>          GEMPCC
    07/19/2004  09:08 AM    <DIR>          i8042prt
    07/19/2004  09:08 AM    <DIR>          Kerberos
    07/19/2004  09:08 AM    <DIR>          NETLOGON
    07/19/2004  09:08 AM    <DIR>          NtServicePack
    07/19/2004  09:08 AM    <DIR>          Print
    07/19/2004  09:08 AM    <DIR>          RemoteAccess
    07/19/2004  09:08 AM    <DIR>          SCardSvr
    07/19/2004  09:08 AM    <DIR>          Service Control Manager
    07/19/2004  09:08 AM    <DIR>          Tcpip
    07/19/2004  09:08 AM    <DIR>          W32Time
    07/19/2004  09:08 AM    <DIR>          Win32k
    07/19/2004  09:08 AM    <DIR>          Workstation
                   0 File(s)              0 bytes
                  21 Dir(s)  34,340,712,448 bytes free

Each directory will contain as many CSV output files as the number of different event ID's logged by the event source:

    C:\>dir DCOM
     Volume in drive C has no label.
     Volume Serial Number is 49B5-4736

     Directory of C:\DCOM

    07/19/2004  09:08 AM    <DIR>          .
    07/19/2004  09:08 AM    <DIR>          ..
    07/19/2004  09:08 AM                10 ID_10002.csv
    07/19/2004  09:08 AM                10 ID_10010.csv

Each CSV output file will contain the number of events logged with the event ID:

    C:\>type DCOM\ID_10010.csv
    Total
    2

Following is a list of the output formats that support the "multiplex" feature:

- CSV
- TSV
- XML
- W3C
- IIS
- TPL
Page 76
Converting File Formats

Converting a log file from one format to another can be easily accomplished with Log Parser by executing a command with the following characteristics:

- The input format chosen for the command should match the conversion source format;
- The output format chosen for the command should match the conversion target format;
- The query should contain a SELECT clause that performs the necessary modifications on the input format field names and values in order to match the requirements of the target format.

When using Log Parser to convert one log file format to another, we should pay close attention to the order and names of the fields in the input and output formats. Some output formats, such as the IIS output format, have fixed fields. When converting to IIS log format, input format fields should be selected to match the IIS format exactly. For example, when converting a W3C Extended log file to IIS log format, we should select the client IP address first, the user name next, and so on.

In addition, we might want to change the name of the fields that we extract from the input format. For example, when writing to a W3C Extended format log file, Log Parser retrieves the names to be written to the "#Fields" directive from the SELECT clause. If we retrieve data from an IIS log format file, these names are not the same as those used by the W3C Extended format, so we must alias every field in order to get the correct field name.

As an example, consider the following SELECT clause that converts IIS log format files to IIS W3C Extended log format:

    SELECT TO_DATE(TO_UTCTIME(TO_TIMESTAMP(Date, Time))) AS date,
           TO_TIME(TO_UTCTIME(TO_TIMESTAMP(Date, Time))) AS time,
           ServiceInstance AS s-sitename,
           HostName AS s-computername,
           ServerIP AS s-ip,
           RequestType AS cs-method,
           REPLACE_CHR(Target, '\u0009\u000a\u000d', '+') AS cs-uri-stem,
           Parameters AS cs-uri-query,
           UserName AS cs-username,
           UserIP AS c-ip,
           StatusCode AS sc-status,
           Win32StatusCode AS sc-win32-status,
           BytesSent AS sc-bytes,
           BytesReceived AS cs-bytes,
           TimeTaken AS time-taken

We can see that the individual fields have been renamed according to the W3C Extended convention, so that the output file is fully compliant with the IIS W3C Extended format. In addition, the "date" and "time" fields are converted from local time, which is used in the IIS log format, to UTC time, which is used in the W3C Extended log format.

The command-line Log Parser executable can be used to run built-in queries that perform conversions between the following formats:

- BIN to W3C
- IIS to W3C
- BIN to IIS
- IISW3C to IIS

For more information, refer to the Command-Line Operation reference.
Page 78
Custom Plugins

Log Parser allows users to develop custom input formats and use them with both the command-line Log Parser executable and with the Log Parser scriptable COM components.

There is no requirement on the language that can be used to implement a custom input format; for example, custom input formats can be implemented using any of the following languages:

- C++
- C#
- Visual Basic®
- JScript® or VBScript

Custom input formats are developed as COM objects implementing the methods of the ILogParserInputContext COM interface. There are two ways to write a COM object that implements the methods of this interface: implementing the ILogParserInputContext interface directly, or implementing the IDispatch (Automation) interface exposing the methods of the ILogParserInputContext interface.

Implementing the ILogParserInputContext Interface Directly

With this method, a Log Parser custom input format COM object must implement the ILogParserInputContext interface directly. This method usually requires writing C++ or Visual Basic code.

Implementing the IDispatch Interface Exposing the ILogParserInputContext Interface Methods

With this method, a Log Parser custom input format COM object must implement the IDispatch interface, and support the same methods exposed by the ILogParserInputContext interface. This method usually requires writing scriptlets (.wsc) files in JScript or VBScript. COM input format plugins that implement the IDispatch interface can also support custom properties.
Page 79
Custom input format COM objects must be registered with the COM infrastructure in order to be accessible by Log Parser. This task can usually be achieved using the regsvr32.exe tool distributed with the Windows OS. The following command registers a custom input format COM object implemented as a dynamic link library (dll):

    C:\>regsvr32 myinputformat.dll

The following command registers a custom input format COM object implemented as a scriptlet JScript or VBScript file:

    C:\>regsvr32 myinputformat.wsc

Once developed and registered with the COM infrastructure, custom input formats can be used with either the command-line Log Parser executable, or with the Log Parser scriptable COM components.
Page 80
Using Custom Input Formats with the Command-Line Log Parser Executable

With the command-line Log Parser executable, custom input formats are used through the COM input format, which allows users to specify the ProgID of the custom COM object and any run-time properties.

As an example, let's assume that we have just developed a custom input format, and that its ProgID is "MySample.MyInputFormat". With the COM input format, the custom COM object can be used as follows:

    C:\>logparser "SELECT * FROM inputfile" -i:COM -iProgID:MySample.MyInputFormat

In the example above, "inputfile" stands for the specific from-entity recognized by the custom input format.

If we implemented our COM object through an Automation interface, we could also have our object support custom properties, and set them through the COM input format as shown in the following example:

    C:\>logparser "SELECT * FROM inputfile" -i:COM -iProgID:MySample.MyInputFormat -iCOMParams:ExtendedFields=on

For more information on the COM input format, refer to the COM Input Format reference.
Page 81
Using Custom Input Formats with the Log Parser Scriptable COM Components

With the Log Parser scriptable COM components, custom input format objects are passed as the inputFormat argument to the Execute or ExecuteBatch methods of the LogQuery object.

The following VBScript example shows how our "MySample.MyInputFormat" custom COM object can be used with the Log Parser scriptable COM components:

    Dim oLogQuery
    Dim oMyInputFormat
    Dim oCSVOutputFormat
    Dim strQuery

    Set oLogQuery = CreateObject("MSUtil.LogQuery")

    ' Create our custom Input Format object
    Set oMyInputFormat = CreateObject("MySample.MyInputFormat")

    ' Create Output Format object
    Set oCSVOutputFormat = CreateObject("MSUtil.LogQuery.CSVOutputFormat")
    oCSVOutputFormat.tabs = TRUE

    ' Create query text
    strQuery = "SELECT TimeGenerated, EventID INTO C:\output.csv FROM System"
    strQuery = strQuery & " WHERE SourceName = 'Application Popup'"

    ' Execute query
    oLogQuery.ExecuteBatch strQuery, oMyInputFormat, oCSVOutputFormat

For more information on the Log Parser scriptable COM components, see Log Parser COM API Overview, and COM API Reference.
Page 82
Custom Input Format Samples

Log Parser comes with three custom input format samples, located in the "Samples\COM" folder:

- Processes: this sample shows how to write a custom input format using the C++ language;
- BooksXML: this sample shows how to write a custom input format that parses XML documents, using the C# language;
- QFE: this sample shows how to write a custom input format that returns information gathered through a WMI query, using the VBScript language.

For more information on custom input format plugins and the ILogParserInputContext interface, refer to the COM Input Format Plugins reference.
Page 83
Log Parser COM API Overview

The Log Parser scriptable COM components offer numerous advantages and more flexibility than the command-line executable binary. For example, with the Log Parser scriptable COM components we can execute a query without providing an output format, retrieve the result output records, and process the output records ourselves.

The Log Parser scriptable COM components are implemented as Automation objects, which means that they can be used from any programming environment supporting automation, including C++, C#, Visual Basic, JScript and VBScript.

Tip: Before using the Log Parser scriptable COM components on a computer, the "LogParser.dll" binary should be registered with the computer's COM infrastructure by executing the following command in the directory containing the "LogParser.dll" binary:

    C:\LogParser>regsvr32 LogParser.dll

The Log Parser scriptable COM components architecture is made up of the following objects:

- MSUtil.LogQuery object: this is the main COM object in the Log Parser scriptable COM components architecture; it exposes the main API methods and provides access to other objects in the architecture.
- Input Format objects: these objects provide programmatic access to the input formats supported by Log Parser; each input format object exposes properties having the same name as the parameters of the corresponding Log Parser input format.
- Output Format objects: these objects provide programmatic access to the output formats supported by Log Parser; each output format object exposes properties having the same name as the parameters of the corresponding Log Parser output format.

When writing an application that uses the Log Parser scriptable COM components, the very first step should be the instantiation of the MSUtil.LogQuery COM object. The following JScript example shows how the MSUtil.LogQuery object is instantiated by a JScript application:

    var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

The following VBScript example shows how the MSUtil.LogQuery object is instantiated by a VBScript application:

    Dim oLogQuery
    Set oLogQuery = CreateObject("MSUtil.LogQuery")

Once the MSUtil.LogQuery COM object has been instantiated, an application would usually proceed by executing a query in either batch mode or interactive mode, depending on the task that needs to be accomplished.
Page 85
Batch Mode

A query executed in batch mode will have its output records written directly to an output format. Batch mode works in the same way as the commands used with the Log Parser command-line executable, and it is useful when we want to execute a query and have its results sent to an output format, with no application intervention on the query output records.

A query is executed in batch mode by calling the ExecuteBatch method of the MSUtil.LogQuery object. This method takes three arguments:

- The text of the SQL-Like query;
- An input format object;
- An output format object.

The basic steps of an application using batch mode resemble the commands used with the Log Parser command-line executable:

1. Instantiate the MSUtil.LogQuery object;
2. Instantiate the input format object corresponding to the input format chosen for the query;
3. If needed, set input format object properties to change the default behavior of the input format;
4. Instantiate the output format object corresponding to the output format chosen for the query;
5. If needed, set output format object properties to change the default behavior of the output format;
6. Call the ExecuteBatch method of the MSUtil.LogQuery object, specifying the query text, the input format object, and the output format object.

The following examples show a simple application that creates a CSV file containing selected records from the event log. After instantiating the main MSUtil.LogQuery object, the application instantiates the MSUtil.EVTInputFormat input format object, which implements the EVT input format, and sets its direction property to "BW", in order to read events from the latest to the earliest. Then, the application instantiates the MSUtil.CSVOutputFormat output format object, which implements the CSV output format, and sets its tabs property to "ON", in order to improve readability of the CSV file. Finally, the application calls the ExecuteBatch method of the MSUtil.LogQuery object, specifying the query, the input format object, and the output format object; the method will execute the query, reading from the event log and writing to the specified CSV file, and will return when the query execution is complete.

JScript example:

    var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

    // Create Input Format object
    var oEVTInputFormat = new ActiveXObject("MSUtil.LogQuery.EventLogInputFormat");
    oEVTInputFormat.direction = "BW";

    // Create Output Format object
    var oCSVOutputFormat = new ActiveXObject("MSUtil.LogQuery.CSVOutputFormat");
    oCSVOutputFormat.tabs = true;

    // Create query text
    var strQuery = "SELECT TimeGenerated, EventID INTO C:\\output.csv FROM System";
    strQuery += " WHERE SourceName = 'Application Popup'";

    // Execute query
    oLogQuery.ExecuteBatch(strQuery, oEVTInputFormat, oCSVOutputFormat);

VBScript example:

    Dim oLogQuery
    Dim oEVTInputFormat
    Dim oCSVOutputFormat
    Dim strQuery

    Set oLogQuery = CreateObject("MSUtil.LogQuery")

    ' Create Input Format object
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"

    ' Create Output Format object
    Set oCSVOutputFormat = CreateObject("MSUtil.LogQuery.CSVOutputFormat")
    oCSVOutputFormat.tabs = TRUE

    ' Create query text
    strQuery = "SELECT TimeGenerated, EventID INTO C:\output.csv FROM System"
    strQuery = strQuery & " WHERE SourceName = 'Application Popup'"

    ' Execute query
    oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oCSVOutputFormat
Page 88
Interactive Mode

Queries executed in interactive mode do not use output formats, but rather return their output records directly to the application. Interactive mode is useful when we want to execute a query and receive the output records for custom processing.

A query is executed in interactive mode by calling the Execute method of the MSUtil.LogQuery object. This method takes two arguments:

- The text of the SQL-Like query;
- An input format object.

The Execute method returns a LogRecordSet object. The LogRecordSet object is an enumerator of LogRecord objects; it allows an application to navigate through the query output records. Each LogRecord object represents a single query output record, and it exposes methods that can be used to retrieve individual field values from the output record.

The basic steps of an application using interactive mode are:

1. Instantiate the MSUtil.LogQuery object;
2. Instantiate the input format object corresponding to the input format chosen for the query;
3. If needed, set input format object properties to change the default behavior of the input format;
4. Call the Execute method of the MSUtil.LogQuery object, specifying the query text and the input format object, and receiving a LogRecordSet object;
5. Enter a loop that uses the atEnd, getRecord, and moveNext methods of the LogRecordSet object to enumerate the LogRecord query result objects;
6. For each LogRecord object, access its field values using the getValue method of the LogRecord object, and process the field values as needed;
7. When finished, dispose of the LogRecordSet object by calling its close method.

The following examples show a simple application parsing an IIS web site's logs and printing the output records to the console output. After instantiating the main MSUtil.LogQuery object, the application instantiates the MSUtil.IISW3CInputFormat input format object, which implements the IISW3C input format. Then, the application calls the Execute method of the MSUtil.LogQuery object, specifying the query and the input format object, and receiving the resulting LogRecordSet object. The LogRecordSet object is used in a loop to enumerate the LogRecord objects implementing the query output records; the application retrieves the first field from each LogRecord object and prints it to the console output. Finally, the application disposes of the LogRecordSet object by calling its close method.

JScript example:

    var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

    // Create Input Format object
    var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

    // Create query text
    var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

    // Execute query and receive a LogRecordSet
    var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

    // Visit all records
    while (!oRecordSet.atEnd())
    {
        // Get a record
        var oRecord = oRecordSet.getRecord();

        // Get first field value
        var strClientIp = oRecord.getValue(0);

        // Print field value
        WScript.Echo("Client IP Address: " + strClientIp);

        // Advance LogRecordSet to next record
        oRecordSet.moveNext();
    }

    // Close LogRecordSet
    oRecordSet.close();

VBScript example:

    Dim oLogQuery
    Dim oIISW3CInputFormat
    Dim strQuery
    Dim oRecordSet
    Dim oRecord
    Dim strClientIp

    Set oLogQuery = CreateObject("MSUtil.LogQuery")

    ' Create Input Format object
    Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

    ' Create query text
    strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

    ' Execute query and receive a LogRecordSet
    Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

    ' Visit all records
    DO WHILE NOT oRecordSet.atEnd

        ' Get a record
        Set oRecord = oRecordSet.getRecord

        ' Get first field value
        strClientIp = oRecord.getValue(0)

        ' Print field value
        WScript.Echo "Client IP Address: " & strClientIp

        ' Advance LogRecordSet to next record
        oRecordSet.moveNext

    LOOP

    ' Close RecordSet
    oRecordSet.close
Page 91
C# Example

The Log Parser scriptable COM components can be easily consumed by .NET applications using the COM interop feature of the .NET Framework.

The COM interop feature of the .NET framework allows users to instantiate and use COM objects through the use of Runtime Callable Wrappers (RCW). The RCW is a .NET class that wraps a COM object and gives a .NET application the notion that it's interacting with a managed .NET component. RCW's are created by either using the Type Library Importer (tlbimp.exe) tool, or by importing a reference to the Log Parser scriptable COM objects through the Microsoft Visual Studio® .NET user interface. In either case, the RCW's are generated and stored in an assembly named "Interop.MSUtil.dll", which contains Runtime Callable Wrappers for all of the Log Parser scriptable COM components. By referencing this assembly, our .NET applications can use the Log Parser scriptable COM components as if they were managed .NET components.

The following example C# application executes a Log Parser query that returns the latest 50 events from the System event log, printing the query results to the console output:

    using System;
    using LogQuery = Interop.MSUtil.LogQueryClassClass;
    using EventLogInputFormat = Interop.MSUtil.COMEventLogInputContextClassClass;
    using LogRecordSet = Interop.MSUtil.ILogRecordset;

    class LogParserSample
    {
        public static void Main(string[] Args)
        {
            try
            {
                // Instantiate the LogQuery object
                LogQuery oLogQuery = new LogQuery();

                // Instantiate the Event Log Input Format object
                EventLogInputFormat oEVTInputFormat = new EventLogInputFormat();

                // Set its "direction" parameter to "BW"
                oEVTInputFormat.direction = "BW";

                // Create the query
                string query = @"SELECT TOP 50 SourceName, EventID, Message FROM System";

                // Execute the query
                LogRecordSet oRecordSet = oLogQuery.Execute(query, oEVTInputFormat);

                // Browse the recordset
                for (; !oRecordSet.atEnd(); oRecordSet.moveNext())
                {
                    Console.WriteLine(oRecordSet.getRecord().toNativeString(","));
                }

                // Close the recordset
                oRecordSet.close();
            }
            catch (System.Runtime.InteropServices.COMException exc)
            {
                Console.WriteLine("Unexpected error: " + exc.Message);
            }
        }
    }

The following steps describe how to build this sample application:

1. Build an interop assembly containing the Runtime Callable Wrappers for the Log Parser scriptable COM components. This step can be executed in two different ways:

   - From within a Visual Studio .NET project, import a reference to the Log Parser scriptable COM components;
   - From a command-line shell, execute the tlbimp.exe tool (generally available in the "Bin" folder of the .NET framework SDK), specifying the path to the LogParser.dll binary:

         C:\>tlbimp LogParser.dll /out:Interop.MSUtil.dll

   In either case, an assembly named "Interop.MSUtil.dll" is created.

2. Compile the sample source file into an executable, referencing the newly created "Interop.MSUtil.dll" assembly. From a command-line shell, this step can be executed as follows:

       C:\>csc /r:Interop.MSUtil.dll /out:Events.exe sample.cs
Page 93
Security Considerations

- When using input and output formats to retrieve and send data over the network, users should be aware that most of the protocols utilized for data transfer (e.g. SMB, HTTP, and SYSLOG) do not make use of encryption, and could thus be vulnerable to interception and tampering by malicious entities. In order to provide a secure environment in which these network connections are less vulnerable to interception, users should implement the IPSec protocol on their networks, and/or use SSL HTTP connections when retrieving data from a Web URL.

- When using the Incremental Parsing feature, users should store their checkpoint files in a secure location, and verify that checkpoint files have proper ACL's (Access Control Lists) preventing malicious entities from tampering with the data that the Log Parser input formats store in the checkpoint files.

- When implementing custom input format COM objects, users should ensure that the objects are not accessible from local and remote low-privileged users, in order to prevent malicious entities from instantiating and using the custom input format objects from the local computer or from a remote computer. In order to deny access to low-privileged users, either set proper ACL's on the custom input format COM objects' binaries, or use the "DCOM Configuration" Management Console (available in the "Administrative Tools" folder under the "Component Services" management console) to explicitly allow selected users only local access to your custom input format COM objects.

- When using the SQL output format, users should be aware that the ODBC connection properties provided through the SQL output format parameters, which include username and password, could be transmitted over the network in clear text. In addition, the data transmitted through the ODBC connection could be unencrypted and thus vulnerable to interception and tampering by malicious entities. In order to provide a more secure environment, users should create a Data Source Name (DSN) on the local computer specifying the connection properties to use for the connection to the database, and specify the name of the Data Source as a value to the dsn parameter of the SQL output format. Using a Data Source Name for the connection provides the following benefits:

    - The username and password for the connection are stored securely by the ODBC subsystem;
    - Certain ODBC drivers, including Microsoft SQL Server™ ODBC drivers and Microsoft Access ODBC drivers, provide an option that allows users to enable encryption of the network traffic between the ODBC connection endpoints.

  For more information on securing the communication between the ODBC connections endpoints, see the MSDN® Data Access Security topic.

- When processing sensitive or confidential data, users should provide proper ACL's on the files generated by the output formats or on the directories in which the output formats generate files, in order to prevent malicious entities from accessing and/or tampering with the output data generated by a query.
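One way to check the ACL guidance above for a checkpoint file and a query output file, as an added Python example that is not part of the Log Parser documentation. It reads the text printed by icacls for one file at a time; the file paths, the sample ACLs (constructed, not captured) and the set of principals treated as low-privileged are assumptions.

```python
import re

# Principals treated as low-privileged here (an assumption; extend for your domain).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive", "nt authority\\anonymous logon"}
# icacls inheritance markers, which say nothing about the rights granted.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# icacls simple and specific rights that let a principal alter or replace a file.
WRITE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WA", "WEA",
         "DE", "DC", "WDAC", "WO"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")


def parse_aces(icacls_text, path):
    """Yield (principal, rights, is_deny) for each ACE icacls printed for one file."""
    for line in icacls_text.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]          # first line: drop the file name
        match = ACE.match(line.strip())
        if not match:
            continue                         # blank lines and the summary line
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", match.group("groups")):
            tokens.update(tok.strip().upper() for tok in group.split(","))
        yield match.group("who"), tokens - INHERIT_FLAGS - {"DENY"}, "DENY" in tokens


def risky_aces(icacls_text, path, confidential=False):
    """Return sorted (principal, rights) pairs that conflict with the guidance.

    Checkpoint files and COM binaries: flag write-capable rights (tampering).
    Confidential query output: flag any access at all, including read.
    """
    findings = []
    for who, rights, is_deny in parse_aces(icacls_text, path):
        if is_deny or who.lower() not in BROAD:
            continue
        exposed = (rights - {"N"}) if confidential else (rights & WRITE)
        if exposed:
            findings.append((who, ",".join(sorted(exposed))))
    return sorted(findings)


# Constructed sample output of "icacls <file>"; the paths are hypothetical.
CHECKPOINT = r"C:\LogParser\state\myCheckPoint.lpc"
CHECKPOINT_ACL = r"""C:\LogParser\state\myCheckPoint.lpc BUILTIN\Administrators:(I)(F)
                                    NT AUTHORITY\SYSTEM:(I)(F)
                                    BUILTIN\Users:(I)(RX,W)
                                    Everyone:(DENY)(D)

Successfully processed 1 files; Failed processing 0 files"""

REPORT = r"C:\LogParser\out\report.csv"
REPORT_ACL = r"""C:\LogParser\out\report.csv BUILTIN\Administrators:(F)
                            NT AUTHORITY\Authenticated Users:(R)

Successfully processed 1 files; Failed processing 0 files"""


def audit_samples():
    """Apply both checks to the constructed samples."""
    return {
        "checkpoint": risky_aces(CHECKPOINT_ACL, CHECKPOINT),
        "report": risky_aces(REPORT_ACL, REPORT, confidential=True),
    }


if __name__ == "__main__":
    for target, findings in audit_samples().items():
        print(target, findings or "ok")
```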
Page 95
FrequentlyAskedQuestions1. HowdoIspecifyyesterday’sdate?2. HowdoIretrievetheeventlogsthathavebeenloggedinthe
past10minutes?3. AfterparsingmyIISlogfiles,Igetamessagesaying"There
havebeen4parseerrors."Whatcausesthis?4. HowdoIchangethecolumnnamesinmyoutputfile?5. HowdoIcombinetheIISW3C"date"and"time"fieldsintoa
singleTIMESTAMPfield?6. HowdoIsplitasingleTIMESTAMPfieldintoadate-onlyfield
andatime-onlyfield?7. WhenIusea"SELECT*"onanIISW3CExtendedlogfile,I
getmanyfieldswithNULLvalues.Whatcausesthis?8. Igetanerrorsaying"UnknownfieldXYZ"whenIexecutemy
query.HowdoIfixthis?9. IamtryingtowriteaquerythatusestheINoperator,butLog
Parserkeepsgivingmeerrors.WhatamIdoingwrong?10. WhenIexecutea"SELECT*"onalogfile,theoutputrecords
contain2extrafieldsthatIcannotfindinthelog.Whatarethesefields?
11. IamdevelopinganASPorASP.NetorScheduledTaskapplicationwithLogParser,andI'mhavingproblemswithpermissions.WhatcanIdo?
12. CanIusetheLogParserscriptableCOMcomponentsfromamulti-threadedapplication?

How do I specify yesterday's date?

You need to use the SUB function to subtract one day from the current UTC timestamp returned by the SYSTEM_TIMESTAMP function.
The origin for TIMESTAMP values is January 1, year 0 at 00:00:00. This means that a time span of one day is represented by the timestamp for January 2, year 0 at 00:00:00, i.e. 24 hours after the origin of time. Use the following field-expression to specify yesterday's date:

    SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('01-02', 'MM-dd'))

For more information, see the TIMESTAMP Reference.

How do I retrieve the event logs that have been logged in the past 10 minutes?

You need to use the SUB function to subtract 10 minutes from the current UTC timestamp returned by the SYSTEM_TIMESTAMP function, and convert this timestamp to local time using the TO_LOCALTIME function:

    SELECT *
    FROM System
    WHERE TimeGenerated >= TO_LOCALTIME(SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('10', 'mm')))

After parsing my IIS log files, I get a message saying "There have been 4 parse errors." What causes this?

Your log files are somehow malformed. This might happen, for example, if a client requests a URL or specifies a username containing spaces. Log Parser cannot process that row and skips it. To see exactly what's going on, set the -e global switch to any value greater than or equal to zero. This makes Log Parser stop the query execution when that number of parse errors is encountered, and dump all the messages of the parse errors that occurred. For more information, see Errors, Parse Errors, and Warnings.

How do I change the column names in my output file?

Use the AS keyword in your SELECT clause to alias the field. For example:

    SELECT Field1 AS newFieldName, Field2 AS newFieldName2, ...

How do I combine the IISW3C "date" and "time" fields into a single TIMESTAMP field?

Use the TO_TIMESTAMP function, as in the following example:

    SELECT TO_TIMESTAMP(date, time), ...

How do I split a single TIMESTAMP field into a date-only field and a time-only field?

Use the TO_DATE and TO_TIME functions, as in the following example:

    SELECT TO_DATE(myTimestamp), TO_TIME(myTimestamp), ...

For more information, see the TIMESTAMP Reference.

When I use a "SELECT *" on an IIS W3C Extended log file, I get many fields with NULL values. What causes this?

The IISW3C input format has 32 fields, which are all the possible fields that IIS 5.0 and IIS 6.0 can log. If your Web Server is configured to log only a few of these fields, the IISW3C input format returns the other field values as NULL values.

I get an error saying "Unknown field XYZ" when I execute my query. How do I fix this?

If you have not specified an input format for your query, Log Parser chooses one automatically based on the <from-entity> in the FROM clause of your query. In some cases, the input format might not be the one you expect. Try specifying the input format explicitly using the -i switch. If you have specified the correct input format, make sure that you have typed the field name correctly.

I am trying to write a query that uses the IN operator, but Log Parser keeps giving me errors. What am I doing wrong?

Make sure you are separating the values on the right side of the IN operator with the correct separator. If the IN operator is comparing a single field-expression with a list of values, separate the values with a semicolon (;), not with a comma, as follows:

    WHERE MyField IN ('VALUE1'; 'VALUE2'; 'VALUE3')

Different values for the same field-expression ("value-rows") are separated by a semicolon; comma characters are used to separate values within a single value-row. For more information, see the IN Operator Reference.

When I execute a "SELECT *" on a log file, the output records contain 2 extra fields that I cannot find in the log. What are these fields?

Most of the input formats add some tracking fields to the input records, such as the name of the file currently parsed, and the row number currently parsed. If you do not want these fields to appear in your output records, do not use "SELECT *". Instead, specify only the field names that you want, as in the following example:

    SELECT Field1, Field2, Field3, ....

I am developing an ASP or ASP.Net or Scheduled Task application with Log Parser, and I'm having problems with permissions. What can I do?

The first step in troubleshooting these problems is identifying the account under which Log Parser is running. If you are developing an ASP or ASP.Net application, Log Parser will run as the account of the user requesting the page. If the request is anonymous, the account is the IIS Anonymous account; if the request is authenticated, the account is the authenticated user's account. If you are developing a Scheduled Task application, the account is the account that you have specified for the task.
Once the account has been identified, appropriate permissions must be given for this account to access both the Log Parser binary and the Dynamic Link Libraries that Log Parser depends on, which include standard Windows libraries (e.g. "kernel32.dll", "user32.dll", etc.) and a significant number of other libraries (e.g. "WinInet.dll", "odbcint.dll", etc.).
Finally, appropriate permissions must be given for the account to access the data that your application asks Log Parser to process. These may include IIS log files, the Event Log, text files, and whatever data you are processing.
Note: It is not a good security practice to change system ACLs and permissions to grant user accounts access to protected system resources. This is especially true if you are developing an external-facing web application that uses Log Parser to display information to the users. In these cases, consider instead developing a Scheduled Task that runs under a "private" account, and that generates at frequent intervals the web pages that your application will display to the user.

Can I use the Log Parser scriptable COM components from a multi-threaded application?

The Log Parser scriptable COM components are registered to run within a single-threaded COM apartment, meaning that the objects can be used from multiple threads, but calls to the objects' methods will be serialized by the COM infrastructure to guarantee that only one thread at a time can access the components.

Query Syntax

<query> ::= <select_clause>
            [ <using_clause> ]
            [ <into_clause> ]
            <from_clause>
            [ <where_clause> ]
            [ <group_by_clause> ]
            [ <having_clause> ]
            [ <order_by_clause> ]

Remarks:
A query can include comments, that is, user-provided text not evaluated by Log Parser, used to document code or temporarily disable parts of query statements. For more information, read the Comments Reference.

Examples:

A. Minimal query
The following example shows the minimal query that can be written with the Log Parser SQL-Like language, making use of the SELECT and FROM clauses only:

    SELECT TimeGenerated, SourceName
    FROM System

B. Complete query
The following example shows a complete query that makes use of all the clauses in the Log Parser SQL-Like language:

    SELECT TypeName, COUNT(*) AS TotalCount
    USING TO_UPPERCASE(EXTRACT_TOKEN(EventTypeName, 0, ' ')) AS TypeName
    INTO Report.csv
    FROM System
    WHERE TypeName LIKE '%service%'
    GROUP BY TypeName
    HAVING TotalCount > 5
    ORDER BY TotalCount DESC

See also: SELECT, USING, INTO, FROM, WHERE, GROUP BY, HAVING, ORDER BY, Comments

SELECT

<select_clause> ::= SELECT [ TOP <integer> ] [ DISTINCT | ALL ] <selection_list>
<selection_list> ::= <selection_list_el> [ , <selection_list_el> ... ]
<selection_list_el> ::= <field_expr> [ AS <alias> ]
                        *

The SELECT clause specifies the fields of the output records to be returned by the query.

Arguments:

TOP n
Specifies that only the first n records are to be output from the query result set. If the query includes an ORDER BY clause, the first n records ordered by the ORDER BY clause are output. If the query has no ORDER BY clause, the order of the records is arbitrary. For more information, see Retrieving a Fixed Number of Records.

ALL
Specifies that duplicate records can appear in the result set. ALL is the default.

DISTINCT
Specifies that only unique records can appear in the result set. NULL values are considered equal for the purposes of the DISTINCT keyword. For more information, see Eliminating Duplicate Values.

<selection_list>
The fields to be selected for the result set. The selection list is a series of field-expressions separated by commas.

*
Specifies that all the input record fields should be returned. The fields are returned in the order in which they are exported by the Input Format.

AS <alias>
Specifies an alternative name to replace the field name in the query result set. By default, output formats that display field names use the text of a field-expression in the SELECT clause as the name of the corresponding output record field. However, when a field-expression in the SELECT clause has been aliased, output formats will use the alias as the name of the output record field. The alias of a field-expression can also be used anywhere else in the query as a shortcut that refers to the original field-expression.

Remarks:
When a field-expression is aliased with an alias matching an input record field name, the aliasing will affect that field-expression only; any other occurrence of the alias in the query will resolve to the input record field name. As an example, the output records of the following query are made up of two fields with an identical name ("TimeGenerated"); the first output record field will contain values from the aliased field-expression ("ADD(EventID, 1000)"), while the second output record field will contain values from the "TimeGenerated" input format field:

    SELECT ADD(EventID, 1000) AS TimeGenerated, TimeGenerated
    FROM system

A field-expression in the SELECT clause can refer to aliases defined elsewhere in the SELECT clause, as long as the definition happens before (in a left-to-right order) its use. The following example is a correct SELECT clause:

    SELECT EventID AS MyAlias, ADD(MyAlias, 100)

On the other hand, the following example is not a correct SELECT clause, since the "MyAlias" alias is used before being defined:

    SELECT ADD(MyAlias, 100), EventID AS MyAlias

Examples:

A. Selecting specific fields
The following query selects a subset of all the fields exported by the EVT Input Format:

    SELECT TimeGenerated, SourceName
    FROM System

B. Selecting specific fields and field-expressions
The following query selects a constant and a function that uses a field exported by the EVT Input Format as argument:

    SELECT 'Event Type:', EXTRACT_TOKEN(EventTypeName, 0, ' ')
    FROM System

C. Selecting all fields with *
The following query selects all the fields exported by the EVT Input Format:

    SELECT *
    FROM System

D. Using TOP
The following query returns the 10 most requested URLs in the specified IIS W3C log file:

    SELECT TOP 10 cs-uri-stem, COUNT(*)
    FROM ex040305.log
    GROUP BY cs-uri-stem
    ORDER BY COUNT(*) DESC

E. Using DISTINCT
The following query uses the REG Input Format to return all the registry key value types that are found under the specified key:

    SELECT DISTINCT ValueType
    FROM \HKLM\SYSTEM\CurrentControlSet

F. Aliasing field-expressions
The following query returns a breakdown of page requests per page type from the specified IIS W3C log file:

    SELECT TO_UPPERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, COUNT(*) AS TotalHits
    FROM ex040305.log
    GROUP BY PageType
    ORDER BY TotalHits DESC

See also: Field Expressions, Field Names and Aliases, USING
Basics of a Query, Eliminating Duplicate Values, Retrieving a Fixed Number of Records

USING

<using_clause> ::= USING <field_expr> AS <alias> [ , <field_expr> AS <alias> ... ]

The USING clause declares aliased field-expressions that do not appear in the output records but can be referenced anywhere in the query. The USING clause is employed to improve query readability.

Remarks:
For more information on aliasing field-expressions, see the SELECT Clause Reference.

Examples:

A. Declaring aliased field-expressions
The following example query returns the "account name" portion of the fully-qualified account name that appears in the resolved "SID" field of the EVT input format:

    SELECT Username
    USING TO_LOWERCASE(RESOLVE_SID(Sid)) AS FQAccount,
          EXTRACT_TOKEN(FQAccount, 1, '\\') AS Username
    FROM Security

See also: Field Expressions, Field Names and Aliases, SELECT
Improving Query Readability

INTO

<into_clause> ::= INTO <into_entity>

The INTO clause is used to specify the output format target(s) to which the query output records are to be written.

Remarks:
The syntax and interpretation of the <into_entity> specified in the INTO clause depends on the output format used. For information on the syntax and interpretation of the <into_entity> values supported by each output format, refer to the Output Formats Reference.
Regardless of the output format used, the <into_entity> specified in the INTO clause must comply with the following general syntax:

The <into_entity> cannot contain spaces, unless it is enclosed by the ' (single quote) or " (double quotes) characters, as in the following example:

    'C:\Program Files\file3.txt'

The following characters are considered parenthesis characters, and if they appear in an <into_entity>, they must appear as well-formed pairs of opening and closing parentheses:

    < > ( ) [ ] { }

The following examples show valid into-entities containing parenthesis characters:

    entity<value>
    entity[value]value

The following examples show invalid into-entities containing parenthesis characters:

    entity>value<
    entity}value
    entity(value

Any character (including illegal characters and non-printable characters) in an <into-entity> can be entered using the \uxxxx notation, where xxxx is the 4-digit hexadecimal representation of the UNICODE character, as in the following example:

    C:\Program\u0020Files\file3.txt

Into-entities that represent names of files or directories are not allowed to contain the following characters, even when enclosed in quote characters or entered using the \uxxxx notation:

    tab
    carriage-return
    line-feed
    , ( ) " < >

Since the INTO clause is not a mandatory clause in the Log Parser SQL-Like language, most output formats employ default <into_entity> values that are implicitly used when a query does not include an INTO clause. For example, the NAT, CSV, and TSV output formats assume STDOUT when an INTO clause is not specified. For more information on the default <into_entity> values assumed by each output format, refer to the Output Formats Reference.
The TO clause used by earlier versions of Log Parser has been deprecated in favor of the INTO clause.

Examples:

A. Explicit <into_entity>
The following example query specifies an explicit target CSV file for the CSV output format:

    SELECT *
    INTO MyOutput.csv
    FROM System

B. Implicit <into_entity>
The following example query uses an implicit STDOUT target for the NAT output format:

    SELECT *
    FROM System

C. Explicit <into_entity>
The following example query specifies an explicit STDOUT target for the NAT output format:

    SELECT *
    INTO STDOUT
    FROM System

See also: FROM
Basics of a Query, Output Formats Reference

FROM

<from_clause> ::= FROM <from_entity>

The FROM clause is used to specify the input format source(s) from which the query input records are to be read.

Remarks:
The syntax and interpretation of the <from_entity> specified in the FROM clause depends on the input format used. For information on the syntax and interpretation of the <from_entity> values supported by each input format, refer to the Input Formats Reference.
Regardless of the input format used, the <from_entity> specified in the FROM clause must comply with the following general syntax:

The <from_entity> must be a single element or a list of elements, separated by the ',' (comma) or ';' (semicolon) characters, as in the following examples:

    file1.txt
    file1.txt, file2.txt
    file1.txt; D:\file2.txt; file3.txt

Each element cannot contain spaces, ',' (comma) characters, or ';' (semicolon) characters, unless the element is enclosed by the ' (single quote) or " (double quotes) characters, as in the following example:

    file2.txt, 'C:\Program Files\file3.txt', file4.txt

The following characters are considered parenthesis characters, and if they appear in an element, they must appear as well-formed pairs of opening and closing parentheses:

    < > ( ) [ ] { }

The following examples show valid from-entities containing parenthesis characters:

    entity<value>
    entity[value]value

The following examples show invalid from-entities containing parenthesis characters:

    entity>value<
    entity}value
    entity(value

Any character (including illegal characters and non-printable characters) in a <from-entity> can be entered using the \uxxxx notation, where xxxx is the 4-digit hexadecimal representation of the UNICODE character, as in the following example:

    C:\Program\u0020Files\file3.txt

From-entities that represent names of files or directories are not allowed to contain the following characters, even when enclosed in quote characters or entered using the \uxxxx notation:

    tab
    carriage-return
    line-feed
    , ( ) " < >

Examples:

A. <from_entity> with the REG input format
The following example query reads input records from the registry using the REG input format:

    SELECT *
    FROM \HKLM\SOFTWARE

B. <from_entity> with the EVT input format
The following example query reads input records from the System and Security event logs using the EVT input format:

    SELECT *
    FROM System, Security
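
The general syntax rules given for <into_entity> and <from_entity> values can be written as a pre-flight check that a script runs on file names before placing them in an INTO or FROM clause. This is an added Python sketch, not Log Parser's own parser; it assumes that parenthesis characters must nest properly, that they are checked before \uxxxx decoding, and that whitespace around list elements is trimmed.

```python
import re

CLOSERS = {")": "(", "]": "[", "}": "{", ">": "<"}
OPENERS = set(CLOSERS.values())
# Not allowed in file or directory names, even when quoted or \uxxxx-encoded
FORBIDDEN_IN_NAMES = {"\t": "tab", "\r": "carriage-return", "\n": "line-feed",
                      ",": ",", "(": "(", ")": ")", '"': '"', "<": "<", ">": ">"}


def decode_u(text):
    """Replace each \\uxxxx sequence with the UNICODE character it encodes."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), text)


def split_elements(entity):
    """Split a <from_entity> on ',' or ';' characters that are outside quotes."""
    elements, current, quote = [], [], None
    for ch in entity:
        if quote:                       # inside '...' or "..."
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            current.append(ch)
        elif ch in ",;":
            elements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if quote:
        raise ValueError("unterminated quote in entity")
    elements.append("".join(current).strip())
    return elements


def check_element(raw, is_file_name=True):
    """Return the list of rule violations for one element (empty = valid)."""
    problems = []
    quoted = len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]
    body = raw[1:-1] if quoted else raw
    if not body:
        problems.append("empty element")
    if not quoted and " " in body:
        problems.append("space outside quotes")
    # Parenthesis characters must form well-formed pairs (assumed: nested).
    stack, balanced = [], True
    for ch in body:
        if ch in OPENERS:
            stack.append(ch)
        elif ch in CLOSERS and (not stack or stack.pop() != CLOSERS[ch]):
            balanced = False
            break
    if not balanced or stack:
        problems.append("unbalanced parenthesis characters")
    # File-name rule applies to the decoded text, so \u0028 counts as '('.
    if is_file_name:
        for ch in sorted(set(decode_u(body)) & set(FORBIDDEN_IN_NAMES)):
            problems.append("forbidden in file names: " + FORBIDDEN_IN_NAMES[ch])
    return problems


if __name__ == "__main__":
    # Constructed inputs, taken from the examples on this page
    for element in split_elements(r"file2.txt,'C:\Program Files\file3.txt',file4.txt"):
        print(element, check_element(element))
    for element in ("entity<value>", "entity>value<", "entity(value"):
        print(element, check_element(element, is_file_name=False))
```

Pass is_file_name=False for entities that are not file or directory names, since the forbidden-character rule is stated only for names of files and directories.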

See also: INTO
Basics of a Query, Input Formats Reference

WHERE

<where_clause> ::= WHERE <expression>

The WHERE clause is used to specify a boolean condition that must be satisfied by an input record for that record to be output. Input records that do not satisfy the condition are discarded.

Remarks:
The expression in a WHERE clause cannot reference SQL (aggregate) functions. To specify conditions on values of aggregate functions, use the HAVING clause.

Examples:

A. Simple expression

    WHERE EventID = 501

B. Complex expression

    WHERE EXTRACT_TOKEN(Strings, 1, '|') LIKE '%logon&' AND
          ( TimeGenerated > SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('10', 'mm')) OR
            SID IS NOT NULL
          )

See also: Expressions, HAVING
Filtering Input Records

GROUP BY

<group_by_clause> ::= GROUP BY <field_expr_list> [ WITH ROLLUP ]
<field_expr_list> ::= <field_expr> [ , <field_expr> ... ]

The GROUP BY clause specifies the groups into which output rows are to be placed and, if aggregate functions are included in the SELECT or HAVING clauses, calculates the aggregate function values for each group.

Arguments:

WITH ROLLUP
Specifies that in addition to the usual rows provided by GROUP BY, summary rows are introduced into the result set. Groups are summarized in a hierarchical order, from the lowest level in the group to the highest, and the corresponding summary rows contain NULL values for the groups that have been summarized. The group hierarchy is determined by the order in which the grouping field-expressions are specified. Changing the order of the grouping field-expressions can affect the number of rows produced in the result set.
The ROLLUP operator is often used with the GROUPING aggregate function.

Remarks:
When GROUP BY is specified, either each non-aggregate and non-constant field-expression in the SELECT clause should be included in the GROUP BY field-expression list, or the GROUP BY field-expression list must match exactly the SELECT clause field-expression list. For more information, see Aggregating Data Within Groups.
Aggregate functions using the DISTINCT keyword, for example, "COUNT(DISTINCT field-expression)", are not supported when using the GROUP BY clause.
If the ORDER BY clause is not specified, groups returned using the GROUP BY clause are not in any particular order. It is recommended that the ORDER BY clause is always used to specify a particular ordering of the data.

Examples:

A. Simple GROUP BY clause
The following query, on an IIS W3C log file, returns the number of requests for each page on each day:

    SELECT date, cs-uri-stem, COUNT(*)
    FROM LogFiles\ex040528.log
    GROUP BY date, cs-uri-stem

A sample output would be:

    date       cs-uri-stem         COUNT(ALL *)
    ---------- ------------------- ------------
    2003-11-18 /Default.htm        1
    2003-11-18 /style.css          1
    2003-11-18 /images/address.gif 1
    2003-11-18 /cgi-bin/counts.exe 1
    2003-11-18 /data/rulesinfo.nsf 2
    2003-11-19 /data/rulesinfo.nsf 6
    2003-11-20 /data/rulesinfo.nsf 5
    2003-11-20 /maindefault.htm    1
    2003-11-20 /top2.htm           1
    2003-11-20 /homelog.swf        1

B. Using WITH ROLLUP
The following example query is the same as in the previous example, using the WITH ROLLUP argument to display additional summary rows:

    SELECT date, cs-uri-stem, COUNT(*)
    FROM LogFiles\ex040528.log
    GROUP BY date, cs-uri-stem WITH ROLLUP

A sample output would be:

    date       cs-uri-stem         COUNT(ALL *)
    ---------- ------------------- ------------
    2003-11-18 /Default.htm        1
    2003-11-18 /style.css          1
    2003-11-18 /images/address.gif 1
    2003-11-18 /cgi-bin/counts.exe 1
    2003-11-18 /data/rulesinfo.nsf 2
    2003-11-19 /data/rulesinfo.nsf 6
    2003-11-20 /data/rulesinfo.nsf 5
    2003-11-20 /maindefault.htm    1
    2003-11-20 /top2.htm           1
    2003-11-20 /homelog.swf        1
    -          -                   20
    2003-11-18 -                   6
    2003-11-19 -                   6
    2003-11-20 -                   8

The group summaries that have been introduced by the rollup operator are:

    2003-11-18 -                   6
    2003-11-19 -                   6
    2003-11-20 -                   8
    -          -                   20

These represent the number of requests on each day, regardless of the page requested, and the total number of requests in the log file, regardless of the day.
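
The summary rows above, and the remark that the order of the grouping field-expressions changes the number of rows produced, can be checked with a short Python model of COUNT(*) with GROUP BY ... WITH ROLLUP. This is an added illustration, not Log Parser code; the request list is constructed from the counts in the sample output, and None stands for the NULL shown as "-".

```python
from collections import Counter

# Constructed input: (date, cs-uri-stem, requests) copied from the sample
# output on this page, expanded to one record per request.
PAGE_ROWS = [
    ("2003-11-18", "/Default.htm", 1),
    ("2003-11-18", "/style.css", 1),
    ("2003-11-18", "/images/address.gif", 1),
    ("2003-11-18", "/cgi-bin/counts.exe", 1),
    ("2003-11-18", "/data/rulesinfo.nsf", 2),
    ("2003-11-19", "/data/rulesinfo.nsf", 6),
    ("2003-11-20", "/data/rulesinfo.nsf", 5),
    ("2003-11-20", "/maindefault.htm", 1),
    ("2003-11-20", "/top2.htm", 1),
    ("2003-11-20", "/homelog.swf", 1),
]
REQUESTS = [(date, uri) for date, uri, n in PAGE_ROWS for _ in range(n)]


def count_with_rollup(records):
    """COUNT(*) per group of (f1, ..., fn), plus the ROLLUP summary rows.

    Each record contributes to its own group and to every summary level:
    the right-most fields are replaced by None one at a time, from the
    lowest level of the hierarchy up to the grand total.
    """
    counts = Counter()
    for rec in records:
        n = len(rec)
        for level in range(n, -1, -1):
            counts[tuple(rec[:level]) + (None,) * (n - level)] += 1
    return counts


def summary_rows(counts):
    """Rows added by ROLLUP; valid here because the input has no real NULLs."""
    return {key: n for key, n in counts.items() if None in key}


if __name__ == "__main__":
    for key, n in count_with_rollup(REQUESTS).items():
        print(*("-" if field is None else field for field in key), n)
    swapped = count_with_rollup([(uri, date) for date, uri in REQUESTS])
    print("rows grouped by date, cs-uri-stem:", len(count_with_rollup(REQUESTS)))
    print("rows grouped by cs-uri-stem, date:", len(swapped))
```

Grouping by date first gives 14 rows (10 groups, 3 per-day summaries and the total); swapping the two field-expressions gives 19, because there are 8 distinct pages to summarize instead of 3 days.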

See also: Field Expressions, SELECT
Aggregating Data Within Groups

HAVING

<having_clause> ::= HAVING <expression>

The HAVING clause is used to specify a boolean condition that must be satisfied by a group for the group record to be output. Groups that do not satisfy the condition are discarded.

Examples:

A. Simple expression

    HAVING EventID = 501

B. Complex expression

    HAVING SUM(sc-bytes) > 100000 AND
           ( COUNT(*) > 1000 OR
             EXTRACT_EXTENSION(cs-uri-stem) LIKE 'htm'
           )

C. Complex expression
The following example query retrieves all the event sources from the System event log that generated more than 10 events:

    SELECT SourceName
    FROM System
    GROUP BY SourceName
    HAVING COUNT(*) > 10

See also: Expressions, WHERE
Filtering Groups

ORDER BY

<order_by_clause> ::= ORDER BY <field_expr_list> [ ASC | DESC ]
<field_expr_list> ::= <field_expr> [ , <field_expr> ... ]

The ORDER BY clause specifies which SELECT clause field-expressions the query output records should be sorted by.

Arguments:

ASC
Specifies that the field-expression list values should be sorted in ascending order, from lowest value to highest value. ASC is the default.

DESC
Specifies that the field-expression list values should be sorted in descending order, from highest value to lowest value.

Remarks:
The Log Parser SQL-Like language requires that each field-expression appearing in the ORDER BY clause must also appear in the SELECT clause.
Unlike the standard SQL language, in the Log Parser SQL-Like language the DESC or ASC sort direction applies to all the field-expressions in the ORDER BY clause. In other words, it is not possible to specify different sort directions for different field-expressions.
NULL values are treated as the lowest possible values.

Examples:

A. Sorting by a single field-expression

    SELECT date, cs-uri-stem, cs-uri-query, sc-bytes
    FROM LogFiles\ex040528.log
    ORDER BY sc-bytes DESC

B. Sorting by multiple field-expressions

    SELECT date, cs-uri-stem, cs-uri-query, sc-bytes
    FROM LogFiles\ex040528.log
    ORDER BY date, sc-bytes

See also: Field Expressions, SELECT
Sorting Output Records

Expressions

<expression> ::= <term1> [ OR <expression> ]
<term1> ::= <term2> [ AND <term1> ]
<term2> ::= <field_expr> <rel_op> <field_expr>
            <field_expr> [ NOT ] LIKE <like_mask>
            <field_expr> [ NOT ] BETWEEN <field_expr> AND <field_expr>
            <field_expr> IS [ NOT ] NULL
            <field_expr> [ NOT ] IN ( <value_rows> )
            <field_expr> <rel_op> [ ALL | ANY ] ( <value_rows> )
            ( <field_expr_list> ) [ NOT ] IN ( <value_rows> )
            ( <field_expr_list> ) <rel_op> [ ALL | ANY ] ( <value_rows> )
            NOT <term2>
            ( <expression> )
<field_expr_list> ::= <field_expr> [ , <field_expr> ... ]
<rel_op> ::= <
             >
             <>
             =
             <=
             >=
<value_rows> ::= <value_row> [ ; <value_row> ... ]
<value_row> ::= <value> [ , <value> ... ]

An expression is used in the WHERE and HAVING clauses to specify conditions that must be satisfied for input records or group records to be output.

Operators:

<rel_op>
Standard comparison operators (less than, greater than, etc.).

[ NOT ] LIKE
Indicates that the subsequent character string is to be used with pattern matching. For more information, see LIKE.

[ NOT ] BETWEEN
Specifies an inclusive range of values. Use AND to separate the beginning and ending values. For more information, see BETWEEN.

IS [ NOT ] NULL
The IS NULL and IS NOT NULL operators determine whether or not a given field-expression is NULL.

[ NOT ] IN
The IN and NOT IN operators determine whether or not a given field-expression or list of field-expressions matches any element in a list of values. For more information, see IN.

ALL
Used with a comparison operator and a list of values. Returns TRUE if all values in the list satisfy the comparison operation, or FALSE if not all values satisfy the comparison. If neither ALL nor ANY is specified, then ANY is assumed by default. For more information, see ALL.

ANY
Used with a comparison operator and a list of values. Returns TRUE if any value in the list satisfies the comparison operation, or FALSE if no values satisfy the comparison. If neither ALL nor ANY is specified, then ANY is assumed by default. For more information, see ANY.

Remarks:
The expression in a WHERE clause cannot reference SQL (aggregate) functions. To specify conditions on values of aggregate functions, use the HAVING clause.
There is no limit to the number of operators that can be included in an expression.
The order of precedence for the logical operators is NOT (highest), followed by AND, followed by OR. The order of evaluation at the same precedence level is from left to right. Parentheses can be used to override this order in an expression.

Examples:

A. Simple expression

    sc-bytes >= 1000

B. Complex expression

    EXTRACT_TOKEN(Strings, 1, '|') LIKE '%logon&' AND
    ( TimeGenerated > SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('10', 'mm')) OR
      SID IS NOT NULL
    )

See also: ALL, ANY, BETWEEN, IN, LIKE
Constant Values, Field Expressions, HAVING, WHERE

ALL

<field_expr> <rel_op> ALL ( <value_rows> )
( <field_expr_list> ) <rel_op> ALL ( <value_rows> )

The ALL operator compares a given field-expression with a list of values, returning TRUE if all values in the list satisfy the comparison operation, or FALSE if not all values satisfy the comparison.

Examples

A. Single field-expression
The following example expression determines whether or not the "Year" field is greater than all the values in the specified list:

    Year > ALL (1999; 2000; 2001)

B. List of field-expressions
The following example expression determines whether or not the pair of "Year" and "Age" fields is less than all the pairs of values in the specified list:

    (Year, Age) < ALL (1999, 30; 2001, 40; 2002, 10)

See also: ANY, Expressions, Field-Expressions

ANY

<field_expr> <rel_op> ANY ( <value_rows> )
( <field_expr_list> ) <rel_op> ANY ( <value_rows> )

The ANY operator compares a given field-expression with a list of values, returning TRUE if any value in the list satisfies the comparison operation, or FALSE if no values satisfy the comparison.

Examples

A. Single field-expression
The following example expression determines whether or not the "Year" field is greater than any value in the specified list:

    Year > ANY (1999; 2000; 2001)

B. List of field-expressions
The following example expression determines whether or not the pair of "Year" and "Age" fields is less than any of the pairs of values in the specified list:

    (Year, Age) < ANY (1999, 30; 2001, 40; 2002, 10)

See also: ALL, Expressions, Field-Expressions

BETWEEN

<field_expr> [ NOT ] BETWEEN <field_expr> AND <field_expr>

The BETWEEN operator determines if a given field-expression belongs to a specified interval.

Examples

A. BETWEEN
The following example expression determines if the "Year" field belongs to the specified interval:

    Year BETWEEN 1999 AND 2004

This example is equivalent to the following expression:

    Year >= 1999 AND Year <= 2004

B. NOT BETWEEN
The following example expression determines if the "Year" field does not belong to the specified interval:

    Year NOT BETWEEN 1999 AND 2004

This example is equivalent to the following expression:

    Year < 1999 OR Year > 2004

C. TIMESTAMP interval
The following example query uses the FS Input Format to return all the files that have been created between 4 hours ago and 1 hour ago:

    SELECT Path
    FROM C:\MyDir\*.*
    WHERE TO_UTCTIME(CreationTime) BETWEEN SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('4', 'h'))
                                   AND SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('1', 'h'))

See also: Expressions, Field-Expressions

IN

<field_expr> [ NOT ] IN ( <value_rows> )
( <field_expr_list> ) [ NOT ] IN ( <value_rows> )

The IN and NOT IN operators determine whether or not a given field-expression or list of field-expressions matches any element in a list of values.

Remarks:
Use the comma character (,) to separate values in a single list row, and use the semicolon character (;) to separate list rows.

Examples

A. Single field-expression
The following example expression determines if the "Age" field matches any value in the specified list:

    Age IN (20; 30; 45; 60)

This example is equivalent to the following expression:

    Age = 20 OR Age = 30 OR Age = 45 OR Age = 60

B. List of field-expressions
The following example expression determines if the pair of "FirstName" and "State" fields matches any pair of values in the specified list:

    (FirstName, State) IN ('Johnson', 'OR'; 'Smith', 'WA')

This example is equivalent to the following expression:

    (FirstName = 'Johnson' AND State = 'OR') OR (FirstName = 'Smith' AND State = 'WA')

See also: Expressions, Field-Expressions

LIKE

<field_expr> [ NOT ] LIKE <like_mask>

Determines whether or not a given character string matches a specified pattern. A pattern can include regular characters and wildcard characters. During pattern matching, regular characters must yield a case-insensitive match with the characters specified in the character string. Wildcard characters, however, can be matched with arbitrary fragments of the character string. Using wildcard characters makes the LIKE operator more flexible than using the = and != string comparison operators.

The wildcard characters that can be used in a LIKE pattern are:

_ (underscore character): matches any single character
Examples:
    LIKE 'ab_d': matches all the four-letter strings that start with "ab" and end with "d" (e.g. "abcd", "AB+d")
    LIKE 'a_c_': matches all the four-letter strings that have "a" in the first position and "c" in the third position (e.g. "abcd", "Akck")

% (percent character): matches any string of zero or more characters
Examples:
    LIKE '%.asp' matches all the strings ending with ".asp" (e.g. "/default.asp", ".ASP")
    LIKE '%error%' matches all the strings containing "error" (e.g. "an error has been found", "ERROR")

Remarks:
Similarly to STRING constants, characters in a LIKE pattern can be escaped with the '\' (backslash) character or encoded with the \uxxxx notation.
Wildcard pattern matching characters can be used as literal characters. To use a wildcard character as a literal character, escape the wildcard character with the '\' (backslash) character.
Examples:
    LIKE 'ab\_d': matches the "ab_d" string (e.g. "ab_d", "AB_d")
    LIKE 'a\%c%': matches all the strings that start with "a%c" (e.g. "a%cdefg", "A%c")

When executing a Log Parser query from within a command-line batch file, using the % wildcard character might yield unexpected results. For example, consider the following batch file:

    @echo off
    LogParser "SELECT * FROM SYSTEM WHERE Message LIKE '%ERROR%'"

When this batch file is executed, the command-line shell interpreter will assume that "%ERROR%" is a reference to an environment variable, and it will try to replace this string with the value of the environment variable. In most cases, such an environment variable will not exist, and the actual command executed by the shell will look like:

    LogParser "SELECT * FROM SYSTEM WHERE Message LIKE ''"

This would yield the following error:

    Error: Syntax Error: <term2>: no valid LIKE mask

To avoid this problem, use double %% wildcard characters when writing a command-line batch file, as in the following example:

    @echo off
    LogParser "SELECT * FROM SYSTEM WHERE Message LIKE '%%ERROR%%'"

Examples

A. LIKE
The following example WHERE clause finds all the URLs in an IIS W3C log file that end with ".htm":

    WHERE cs-uri-stem LIKE '%.htm'

B. NOT LIKE
The following example WHERE clause finds all the Event Log messages that do not contain "error":

    WHERE Message NOT LIKE '%error%'
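
A small Python model of the LIKE matching rules and of the batch-file pitfall described above; it is an added example, not Log Parser code. The batch expansion is a simplified model of the shell that ignores positional parameters such as %1, and treating a \uxxxx-encoded character as a literal is an assumption.

```python
import re


def like_to_regex(mask):
    """Compile a LIKE mask into a case-insensitive regular expression.

    '_' matches any single character, '%' any run of zero or more characters,
    '\\x' makes x literal, '\\uxxxx' is the encoded character (assumed literal).
    """
    out, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch == "\\":
            code = mask[i + 2:i + 6]
            if mask[i + 1:i + 2] == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", code):
                out.append(re.escape(chr(int(code, 16))))
                i += 6
            elif i + 1 < len(mask):
                out.append(re.escape(mask[i + 1]))
                i += 2
            else:
                raise ValueError("LIKE mask ends with a lone backslash")
        elif ch == "%":
            out.append(".*")
            i += 1
        elif ch == "_":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def like(value, mask):
    """True when the whole of value matches the LIKE mask."""
    return like_to_regex(mask).fullmatch(value) is not None


def batch_expand(line, env=None):
    """Simplified model of percent expansion inside a batch file.

    %%     -> a single literal %
    %NAME% -> value of NAME from env (keys upper-case), empty if undefined
    lone % -> dropped (model: no closing % on the line)
    """
    env = env or {}
    out, i = [], 0
    while i < len(line):
        if line[i] != "%":
            out.append(line[i])
            i += 1
        elif line[i + 1:i + 2] == "%":
            out.append("%")
            i += 2
        else:
            end = line.find("%", i + 1)
            if end == -1:
                i += 1
            else:
                out.append(env.get(line[i + 1:end].upper(), ""))
                i = end + 1
    return "".join(out)


def batch_safe(command):
    """Double every % so that the command survives batch-file expansion."""
    return command.replace("%", "%%")


if __name__ == "__main__":
    # Constructed command line, taken from the batch file shown on this page
    query = "LogParser \"SELECT * FROM SYSTEM WHERE Message LIKE '%ERROR%'\""
    print(batch_expand(query))              # mask collapses to ''
    print(batch_expand(batch_safe(query)))  # mask survives as '%ERROR%'
    print(like("/default.asp", "%.asp"), like("abcd", r"ab\_d"))
```

In this model a mask with a single %, such as '%.htm', does not produce the syntax error: the wildcard is dropped and the query runs with the mask '.htm', which is harder to notice than the error shown above.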

See also: Expressions, Field-Expressions

Field-Expressions

<field_expr> ::= <aggregate_function>
                 <function>
                 <field_name>
                 <alias>
                 <value>

Field-expressions are a combination of symbols and functions that Log Parser evaluates to obtain a single data value. These are the basic arguments of the SELECT, USING, WHERE, GROUP BY, HAVING, and ORDER BY clauses.

Field-expressions can be divided conceptually into two groups:

Derived field-expressions: functions or aggregate functions having other field-expressions as arguments;
Basic field-expressions: constant values (including functions with no arguments), names of input record fields, or aliases defined in the SELECT or USING clauses.

Examples:

A. Basic field-expressions
The SELECT clause in the following example query specifies "basic" field-expressions only:

    SELECT 'Event ID:', EventID, SYSTEM_TIMESTAMP()
    FROM System

B. Derived field-expressions
The SELECT clause in the following example query specifies "derived" field-expressions only:

    SELECT TO_UPPERCASE(cs-uri-stem), SUM(sc-bytes)
    FROM \MyLogs\ex042805.log
    GROUP BY TO_UPPERCASE(cs-uri-stem)

See also: Aggregate Functions, Functions, Constant Values, Field Names and Aliases, SELECT, USING
Basics of a Query

Field Names and Aliases

<field_name> ::= [ [ ] <string> [ ] ]
<alias> ::= [ [ ] <string> [ ] ]

Field names are names of fields of the input records generated by an input format.

Aliases are alternative names for field-expressions, assigned in the SELECT or USING clauses. When a field-expression in the SELECT clause has been aliased, output formats will use the alias as the name of the corresponding output record field. The alias of a field-expression can also be used anywhere else in the query as a shortcut that refers to the original field-expression.

Remarks:
The following characters are not allowed in field names or aliases, unless the field name or alias is enclosed in square brackets ([ and ]):

    , ; < > = ! ' " @ * [ ] space

Field names and aliases containing spaces or illegal characters can be enclosed in square brackets ([ and ]), as in the following example:

    SELECT [Last Request Time], [email@address], CPUTime as [Elapsed CPU Time]
    FROM perflog.csv
    WHERE [Elapsed CPU Time] > 0

Any character (including illegal characters and non-printable characters) in field names and aliases can also be entered using the \uxxxx notation, where xxxx is the 4-digit hexadecimal representation of the UNICODE character:

    SELECT Last\u0020Request\u0020Time
    FROM perflog.csv

Field names and aliases cannot match keywords or function names of the Log Parser SQL-Like language (e.g. "FROM", "ADD").
Field names and aliases are not case-sensitive.

Examples:

A. Basic field-expressions
The SELECT clause in the following example query specifies "basic" field-expressions only:

    SELECT 'Event ID:', EventID, SYSTEM_TIMESTAMP()
    FROM System

B. Derived field-expressions
The SELECT clause in the following example query specifies "derived" field-expressions only:

    SELECT TO_UPPERCASE(cs-uri-stem), SUM(sc-bytes)
    FROM \MyLogs\ex042805.log
    GROUP BY TO_UPPERCASE(cs-uri-stem)

See also: SELECT, USING
Basics of a Query
Aggregate Functions

    <aggregate_function> ::= COUNT ( [ DISTINCT | ALL ] * )
                             COUNT ( [ DISTINCT | ALL ] <field_expr_list> )
                             SUM ( [ DISTINCT | ALL ] <field_expr> )
                             AVG ( [ DISTINCT | ALL ] <field_expr> )
                             MAX ( [ DISTINCT | ALL ] <field_expr> )
                             MIN ( [ DISTINCT | ALL ] <field_expr> )
                             PROPCOUNT ( * ) [ ON ( <on_field_expr_list> ) ]
                             PROPCOUNT ( <field_expr_list> ) [ ON ( <on_field_expr_list> ) ]
                             PROPSUM ( <field_expr> ) [ ON ( <on_field_expr_list> ) ]
                             GROUPING ( <field_expr> )

Aggregate functions perform a calculation on a set of values but return a single, summarizing value.

Aggregate functions are often used with the GROUP BY clause. When used without a GROUP BY clause, aggregate functions perform calculations on the entire set of input records, returning a single summarizing value for the whole set. When used with a GROUP BY clause, aggregate functions perform calculations on each set of group records, returning a summarizing value for each group.

Functions:

COUNT
Returns the number of items in a group. For more information, see COUNT.

SUM
Returns the sum of the values of the specified field-expression. For more information, see SUM.

AVG
Returns the average across the values of the specified field-expression. For more information, see AVG.

MAX
Returns the maximum value among the values of the specified field-expression. For more information, see MAX.

MIN
Returns the minimum value among the values of the specified field-expression. For more information, see MIN.

PROPCOUNT
Returns the ratio of the COUNT aggregate function calculated on a group to the COUNT aggregate function calculated on a hierarchically higher group. For more information, see PROPCOUNT.

PROPSUM
Returns the ratio of the SUM aggregate function calculated on a group to the SUM aggregate function calculated on a hierarchically higher group. For more information, see PROPSUM.

GROUPING
Returns a value of 1 when the row is added by the ROLLUP operator of the GROUP BY clause, or 0 when the row is not the result of ROLLUP. The GROUPING aggregate function is allowed only when the GROUP BY clause contains the ROLLUP operator. For more information, see GROUPING.

Remarks:
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
DISTINCT is allowed in aggregate functions only when there is no GROUP BY clause.
Examples:

A. COUNT(*)
The following query returns the total number of events in the System event log:

    SELECT COUNT(*)
    FROM System

B. COUNT(DISTINCT)
The following query returns the total number of distinct event source names in the System event log:

    SELECT COUNT(DISTINCT SourceName)
    FROM System

C. COUNT(*) and GROUP BY
The following query returns the total number of events generated by each event source in the System event log:

    SELECT SourceName, COUNT(*)
    FROM System
    GROUP BY SourceName

D. SUM and GROUP BY
The following query returns the total number of bytes sent for each page extension logged in the specified IIS W3C log file:

    SELECT TO_LOWERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, SUM(sc-bytes)
    FROM ex031118.log
    GROUP BY PageType

E. PROPCOUNT(*), GROUP BY, and HAVING
The following query returns the pages that represent more than 10% of the requests in the specified IIS W3C log file:

    SELECT cs-uri-stem
    FROM ex031118.log
    GROUP BY cs-uri-stem
    HAVING PROPCOUNT(*) > 0.1

See also:
COUNT, SUM, AVG, MAX, MIN, PROPCOUNT, PROPSUM, GROUPING
Functions, SELECT, HAVING, GROUP BY
Aggregating Data Within Groups
Calculating Percentages
AVG

    AVG ( [ DISTINCT | ALL ] <field_expr> )

Returns the average among all the values, or only the DISTINCT values, of the specified field-expression.

Arguments:

DISTINCT
Specifies that AVG returns the average of unique values. DISTINCT can only be used when the query does not make use of the GROUP BY clause.

ALL
Applies the aggregate function to all values. ALL is the default.

<field_expr>
The field-expression whose values are to be averaged. The field-expression data type must be INTEGER or REAL.

Return Type:
INTEGER or REAL, depending on the argument field-expression.

Remarks:
NULL values are ignored by the AVG aggregate function.
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
DISTINCT is allowed in aggregate functions only when there is no GROUP BY clause.
Examples:

A. AVG
The following query returns the average number of bytes for executable files in the "system32" directory, using the FS input format:

    SELECT AVG(Size)
    FROM C:\windows\system32\*.*
    WHERE TO_LOWERCASE(EXTRACT_EXTENSION(Name)) = 'exe'

B. AVG and GROUP BY
The following query returns the average time spent by each page extension logged in the specified IIS W3C log file:

    SELECT TO_LOWERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, AVG(time-taken)
    FROM ex031118.log
    GROUP BY PageType

See also:
COUNT, SUM, MAX, MIN, PROPCOUNT, PROPSUM, GROUPING
Aggregate Functions
Aggregating Data Within Groups
COUNT

    COUNT ( [ DISTINCT | ALL ] * )
    COUNT ( [ DISTINCT | ALL ] <field_expr_list> )

    <field_expr_list> ::= <field_expr> [ , <field_expr> ... ]

Returns the number of items in a group.

Arguments:

DISTINCT
Specifies that COUNT returns the number of unique values. DISTINCT can only be used when the query does not make use of the GROUP BY clause.

ALL
Applies the aggregate function to all values. ALL is the default.

*
Specifies that all records should be counted to return the total number of records, including records that contain NULL values.

<field_expr_list>
Specifies that only records for which at least one of the specified field-expressions is non-NULL should be counted.

Return Type:
INTEGER

Remarks:
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
DISTINCT is allowed in aggregate functions only when there is no GROUP BY clause.
Examples:

A. COUNT(*)
The following query returns the total number of events in the System event log:

    SELECT COUNT(*)
    FROM System

B. COUNT(DISTINCT)
The following query returns the total number of distinct event source names in the System event log:

    SELECT COUNT(DISTINCT SourceName)
    FROM System

C. COUNT(*) and GROUP BY
The following query returns the total number of events generated by each event source in the System event log:

    SELECT SourceName, COUNT(*)
    FROM System
    GROUP BY SourceName

D. COUNT(field-expression)
The following query returns the total number of non-null values for the "cs-username" field in the specified IIS W3C log file:

    SELECT COUNT(cs-username)
    FROM ex040528.log

E. COUNT(*) and WHERE
The following query returns the total number of requests to a page logged in the specified IIS W3C log file:

    SELECT COUNT(*)
    FROM ex040528.log
    WHERE cs-uri-stem = '/home.asp'

F. COUNT(*), GROUP BY, and HAVING
The following query returns the pages in the specified IIS W3C log file that have been requested more than 50 times:

    SELECT cs-uri-stem
    FROM ex040528.log
    GROUP BY cs-uri-stem
    HAVING COUNT(*) > 50

See also:
SUM, AVG, MAX, MIN, PROPCOUNT, PROPSUM, GROUPING
Aggregate Functions
Aggregating Data Within Groups
GROUPING

    GROUPING ( <field_expr> )

Returns a value of 1 when the row is added by the ROLLUP operator of the GROUP BY clause, or 0 when the row is not the result of ROLLUP.
GROUPING is used to distinguish the NULL values returned by ROLLUP from standard NULL values. The NULL returned as the result of a ROLLUP operation is a special use of NULL. It acts as a value placeholder in the result set and means "all".

Arguments:

<field_expr>
The GROUP BY field-expression checked for null values.

Return Type:
INTEGER

Remarks:
The GROUPING aggregate function is allowed only when the GROUP BY clause contains the ROLLUP operator.
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
Examples:

A. GROUPING
The following query, on an IIS W3C log file, returns the number of requests for each page on each day, and uses the ROLLUP operator to also display summary rows showing the number of requests for each day, and the total number of requests:

    SELECT date, cs-uri-stem, COUNT(*), GROUPING(date) AS GDate, GROUPING(cs-uri-stem) AS GPage
    FROM ex040528.log
    GROUP BY date, cs-uri-stem WITH ROLLUP

A sample output would be:

    date       cs-uri-stem          COUNT(ALL *) GDate GPage
    ---------- -------------------- ------------ ----- -----
    2003-11-18 /Default.htm         1            0     0
    2003-11-18 /style.css           1            0     0
    2003-11-18 /images/address.gif  1            0     0
    2003-11-18 /cgi-bin/counts.exe  1            0     0
    2003-11-18 /data/rulesinfo.nsf  2            0     0
    2003-11-19 /data/rulesinfo.nsf  6            0     0
    2003-11-20 /data/rulesinfo.nsf  5            0     0
    2003-11-20 /maindefault.htm     1            0     0
    2003-11-20 /top2.htm            1            0     0
    2003-11-20 /homelog.swf         1            0     0
    -          -                    20           1     1
    2003-11-18 -                    6            0     1
    2003-11-19 -                    6            0     1
    2003-11-20 -                    8            0     1

The values of the "GDate" field are 1 only for the rows in which the "date" field is NULL due to the introduction of the ROLLUP summary rows. Similarly, the values of the "GPage" field are 1 only for the rows in which the "cs-uri-stem" field is NULL due to the introduction of the ROLLUP summary rows.

See also:
COUNT, SUM, AVG, MAX, MIN, PROPCOUNT, PROPSUM
GROUP BY
Aggregate Functions
Aggregating Data Within Groups
MAX

    MAX ( [ DISTINCT | ALL ] <field_expr> )

Returns the maximum value among all the values of the specified field-expression.

Arguments:

DISTINCT
Specifies that MAX returns the maximum value of unique values. DISTINCT is not meaningful with MAX and is available for SQL-92 compatibility only. DISTINCT can only be used when the query does not make use of the GROUP BY clause.

ALL
Applies the aggregate function to all values. ALL is the default.

<field_expr>
The field-expression among whose values the maximum is to be found. The field-expression can be of any data type.

Return Type:
The returned type is the same as the argument field-expression.

Remarks:
NULL values are ignored by the MAX aggregate function.
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
DISTINCT is allowed in aggregate functions only when there is no GROUP BY clause.
Examples:

A. MAX
The following query returns the size of the largest executable file in the "system32" directory, using the FS input format:

    SELECT MAX(Size)
    FROM C:\windows\system32\*.*
    WHERE TO_LOWERCASE(EXTRACT_EXTENSION(Name)) = 'exe'

B. MAX and GROUP BY
The following query returns the longest time spent by each page extension logged in the specified IIS W3C log file:

    SELECT TO_LOWERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, MAX(time-taken)
    FROM ex031118.log
    GROUP BY PageType

See also:
COUNT, SUM, AVG, MIN, PROPCOUNT, PROPSUM, GROUPING
Aggregate Functions
Aggregating Data Within Groups
MIN

    MIN ( [ DISTINCT | ALL ] <field_expr> )

Returns the minimum value among all the values of the specified field-expression.

Arguments:

DISTINCT
Specifies that MIN returns the minimum value of unique values. DISTINCT is not meaningful with MIN and is available for SQL-92 compatibility only. DISTINCT can only be used when the query does not make use of the GROUP BY clause.

ALL
Applies the aggregate function to all values. ALL is the default.

<field_expr>
The field-expression among whose values the minimum is to be found. The field-expression can be of any data type.

Return Type:
The returned type is the same as the argument field-expression.

Remarks:
NULL values are ignored by the MIN aggregate function.
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
DISTINCT is allowed in aggregate functions only when there is no GROUP BY clause.
Examples:

A. MIN
The following query returns the size of the smallest executable file in the "system32" directory, using the FS input format:

    SELECT MIN(Size)
    FROM C:\windows\system32\*.*
    WHERE TO_LOWERCASE(EXTRACT_EXTENSION(Name)) = 'exe'

B. MIN and GROUP BY
The following query returns the shortest and the longest time spent by each page extension logged in the specified IIS W3C log file:

    SELECT TO_LOWERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, MIN(time-taken), MAX(time-taken)
    FROM ex031118.log
    GROUP BY PageType

See also:
COUNT, SUM, AVG, MAX, PROPCOUNT, PROPSUM, GROUPING
Aggregate Functions
Aggregating Data Within Groups
PROPCOUNT

    PROPCOUNT ( * ) [ ON ( <on_field_expr_list> ) ]
    PROPCOUNT ( <field_expr_list> ) [ ON ( <on_field_expr_list> ) ]

    <field_expr_list> ::= <field_expr> [ , <field_expr> ... ]
    <on_field_expr_list> ::= <field_expr> [ , <field_expr> ... ]

Returns the ratio of the COUNT aggregate function calculated on a group to the COUNT aggregate function calculated on a hierarchically higher group.

Arguments:

*
Specifies that all records should be counted to return the total number of records, including records that contain NULL values.

<field_expr_list>
Specifies that only records for which at least one of the specified field-expressions is non-NULL should be counted.

<on_field_expr_list>
List of GROUP BY field-expressions identifying the hierarchically higher group on which the denominator COUNT aggregate function is to be calculated. This list of field-expressions must be a proper prefix of the GROUP BY field-expressions, that is, it must contain, in the same order, a subset of the field-expressions specified in the GROUP BY clause, starting with the leftmost GROUP BY field-expression.
When this list of field-expressions is not specified, the denominator COUNT aggregate function is calculated on the whole set of input records.

Return Type:
REAL

Remarks:
When used without a GROUP BY clause, the PROPCOUNT aggregate function always returns 1.0. In fact, in this case the only hierarchically higher group available is the whole set of input records, and the ratio numerator and denominator are calculated on the same set.
To obtain a percentage, multiply the return value of the PROPCOUNT aggregate function by 100.0, using the MUL function.
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
Examples:

A. PROPCOUNT(*)
The following query returns the percentage of events for each source in the System event log:

    SELECT SourceName, MUL(PROPCOUNT(*), 100.0) AS Percent
    FROM System
    GROUP BY SourceName

A sample output of this query is:

    SourceName              Percent
    ----------------------- ---------
    EventLog                10.322979
    Service Control Manager 63.004172
    AtiHotKeyPoller         3.430691
    Application Popup       0.108175
    W32Time                 14.680884
    DCOM                    0.046361
    NtServicePack           0.185443
    Win32k                  0.324525
    RemoteAccess            2.194406
    GEMPCC                  0.509968
    SCardSvr                0.509968
    Dhcp                    0.262711
    i8042prt                0.015454
    Print                   0.030907
    Tcpip                   0.077268
    Workstation             0.015454
    NETLOGON                1.869881
    DnsApi                  2.240766
    Kerberos                0.169989

The "Percent" output record field shows the ratio of the number of events logged by a source to the total number of events in the event log.

In this example, the calculation performed by the PROPCOUNT aggregate function is equivalent to executing the following two queries and calculating the ratio of the two aggregate functions for each event log source:

    SELECT SourceName, COUNT(*) AS Numerator
    FROM System
    GROUP BY SourceName

    SELECT COUNT(*) AS Denominator
    FROM System

B. Using ON
The following query uses the IISW3C Input Format to parse IIS log files and calculate the percentage of hits for a page type and HTTP status code relative to the number of hits for that page type (i.e. the distribution of HTTP status codes within each page type):

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, sc-status, MUL(PROPCOUNT(*) ON (PageType), 100.0) AS Hits
    FROM ex040528.log
    GROUP BY PageType, sc-status
    ORDER BY PageType, sc-status

A sample output of this query is:

    PageType sc-status Hits
    -------- --------- ----------
    asp      200       100.000000
    class    200       20.000000
    class    304       80.000000
    css      200       13.636364
    css      304       45.454545
    css      404       40.909091
    dll      500       100.000000
    exe      200       100.000000
    gif      200       21.025641
    gif      304       76.923077
    gif      404       2.051282
    htm      200       29.565217
    htm      304       68.695652
    htm      404       1.739130
    html     404       100.000000
    jpg      200       22.077922
    jpg      304       77.922078
    js       200       36.363636
    js       304       63.636364
    nsf      200       90.845070
    nsf      302       0.704225
    nsf      304       6.338028
    nsf      403       2.112676
    swf      200       27.272727
    swf      304       72.727273

For each page type and HTTP status code, the "Hits" output record field shows the ratio of the number of requests for that page type and HTTP status code to the total number of requests for that page type.

In this example, the calculation performed by the PROPCOUNT aggregate function is equivalent to executing the following two queries and calculating the ratio of the two aggregate functions for each page type and HTTP status:

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, sc-status, COUNT(*) AS Numerator
    FROM ex040528.log
    GROUP BY PageType, sc-status
    ORDER BY PageType, sc-status

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*) AS Denominator
    FROM ex040528.log
    GROUP BY PageType
    ORDER BY PageType

See also:
COUNT, SUM, AVG, MAX, MIN, PROPSUM, GROUPING
Aggregate Functions
Aggregating Data Within Groups
Calculating Percentages
PROPSUM

    PROPSUM ( <field_expr> ) [ ON ( <on_field_expr_list> ) ]

    <on_field_expr_list> ::= <field_expr> [ , <field_expr> ... ]

Returns the ratio of the SUM aggregate function calculated on a group to the SUM aggregate function calculated on a hierarchically higher group.

Arguments:

<field_expr>
The field-expression whose values are to be summed. The field-expression data type must be INTEGER or REAL.

<on_field_expr_list>
List of GROUP BY field-expressions identifying the hierarchically higher group on which the denominator SUM aggregate function is to be calculated. This list of field-expressions must be a proper prefix of the GROUP BY field-expressions, that is, it must contain, in the same order, a subset of the field-expressions specified in the GROUP BY clause, starting with the leftmost GROUP BY field-expression.
When this list of field-expressions is not specified, the denominator SUM aggregate function is calculated on the whole set of input records.

Return Type:
REAL

Remarks:
When used without a GROUP BY clause, the PROPSUM aggregate function always returns 1.0. In fact, in this case the only hierarchically higher group available is the whole set of input records, and the ratio numerator and denominator are calculated on the same set.
To obtain a percentage, multiply the return value of the PROPSUM aggregate function by 100.0, using the MUL function.
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
Examples:

A. PROPSUM
The following query uses the IISW3C Input Format to parse IIS log files and calculate the percentage of bytes sent for each page type:

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, MUL(PROPSUM(sc-bytes), 100.0) AS PercentBytes
    FROM ex040528.log
    GROUP BY PageType

A sample output of this query is:

    PageType PercentBytes
    -------- ------------
    htm      7.236737
    css      1.035243
    gif      23.772064
    exe      1.398888
    nsf      24.459391
    swf      32.528669
    jpg      8.003440
    html     0.104051
    dll      0.002322
    asp      0.000000
    js       1.260613
    class    0.198582

The "PercentBytes" output record field shows the ratio of the bytes sent for each page type to the total number of bytes sent in the log.

In this example, the calculation performed by the PROPSUM aggregate function is equivalent to executing the following two queries and calculating the ratio of the two aggregate functions for each page type:

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, SUM(sc-bytes) AS Numerator
    FROM ex040528.log
    GROUP BY PageType

    SELECT SUM(sc-bytes) AS Denominator
    FROM ex040528.log

B. Using ON
The following query uses the IISW3C Input Format to parse IIS log files and calculate the percentage of bytes sent for each page type and HTTP status code relative to the total bytes sent for that page type (i.e. the distribution of HTTP status code response bytes within each page type):

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, sc-status, MUL(PROPSUM(sc-bytes) ON (PageType), 100.0) AS PercentBytes
    FROM ex040528.log
    GROUP BY PageType, sc-status
    ORDER BY PageType, sc-status

A sample output of this query is:

    PageType sc-status PercentBytes
    -------- --------- ------------
    asp      200       0.000000
    class    200       92.591620
    class    304       7.408380
    css      200       6.039609
    css      304       3.502318
    css      404       90.458073
    dll      500       100.000000
    exe      200       100.000000
    gif      200       87.811668
    gif      304       6.935887
    gif      404       5.252445
    htm      200       92.926606
    htm      304       4.197755
    htm      404       2.875639
    html     404       100.000000
    jpg      200       97.245679
    jpg      304       2.754321
    js       200       97.963913
    js       304       2.036087
    nsf      200       99.604883
    nsf      302       0.050656
    nsf      304       0.281114
    nsf      403       0.063347
    swf      200       99.910188
    swf      304       0.089812

For each page type and HTTP status code, the "PercentBytes" output record field shows the ratio of the response bytes for that page type and HTTP status code to the total response bytes for that page type.

In this example, the calculation performed by the PROPSUM aggregate function is equivalent to executing the following two queries and calculating the ratio of the two aggregate functions for each page type and HTTP status:

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, sc-status, SUM(sc-bytes) AS Numerator
    FROM ex040528.log
    GROUP BY PageType, sc-status
    ORDER BY PageType, sc-status

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, SUM(sc-bytes) AS Denominator
    FROM ex040528.log
    GROUP BY PageType
    ORDER BY PageType

C. PROPSUM, GROUP BY, and HAVING
The following query uses the IISW3C Input Format to parse IIS log files and return the page types that represent more than 10% of the total bytes sent:

    SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType
    FROM ex040528.log
    GROUP BY PageType
    HAVING PROPSUM(sc-bytes) > 0.1

See also:
COUNT, SUM, AVG, MAX, MIN, PROPCOUNT, GROUPING
Aggregate Functions
Aggregating Data Within Groups
Calculating Percentages
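The numerator/denominator equivalence described for PROPCOUNT and PROPSUM above, including the ON proper-prefix rule, can be reproduced outside Log Parser to cross-check a status-code distribution. This is an added Python example, not Log Parser code or part of the original documentation; the function name prop, the record layout and the sample records are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of parsed IIS W3C records (not taken from the page).
# None stands for a NULL sc-bytes value.
RECORDS = [
    {"PageType": "css", "sc-status": 200, "sc-bytes": 900},
    {"PageType": "css", "sc-status": 404, "sc-bytes": 100},
    {"PageType": "css", "sc-status": 404, "sc-bytes": 100},
    {"PageType": "css", "sc-status": 404, "sc-bytes": 100},
    {"PageType": "nsf", "sc-status": 200, "sc-bytes": 4000},
    {"PageType": "nsf", "sc-status": 200, "sc-bytes": 3000},
    {"PageType": "nsf", "sc-status": 200, "sc-bytes": 1000},
    {"PageType": "nsf", "sc-status": 403, "sc-bytes": None},
    {"PageType": "asp", "sc-status": 200, "sc-bytes": 0},
]


def prop(records, group_by, on=(), field=None):
    """Emulate PROPCOUNT(*) (field=None) or PROPSUM(field) with an optional ON list.

    Returns {group key tuple: ratio}. Multiply by 100.0 for a percentage,
    as the documentation does with MUL.
    """
    group_by, on = tuple(group_by), tuple(on)
    # The ON list must be a proper prefix of the GROUP BY list.
    if on and (len(on) >= len(group_by) or group_by[:len(on)] != on):
        raise ValueError("ON list must be a proper prefix of the GROUP BY list")

    def weight(rec):
        if field is None:
            return 1            # PROPCOUNT(*): every record counts, NULLs included
        return rec[field] or 0  # PROPSUM: NULL values are ignored by SUM

    numerator = defaultdict(float)    # aggregate over each GROUP BY group
    denominator = defaultdict(float)  # aggregate over the hierarchically higher group
    for rec in records:
        w = weight(rec)
        numerator[tuple(rec[f] for f in group_by)] += w
        denominator[tuple(rec[f] for f in on)] += w

    ratios = {}
    for key, num in numerator.items():
        den = denominator[key[:len(on)]]
        # Assumption: a 0/0 ratio is reported as 0.0, which is what the sample
        # output above shows for "asp" (no bytes sent) under ON (PageType).
        ratios[key] = num / den if den else 0.0
    return ratios


if __name__ == "__main__":
    shares = prop(RECORDS, ["PageType", "sc-status"], on=["PageType"])
    for (page_type, status), ratio in sorted(shares.items()):
        print("%-5s %3d %10.6f" % (page_type, status, ratio * 100.0))
```

A page type whose 4xx share is unusually high in this distribution is the same signal the ON (PageType) query surfaces from a real log.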
SUM

    SUM ( [ DISTINCT | ALL ] <field_expr> )

Returns the sum of all the values, or only the DISTINCT values, of the specified field-expression.

Arguments:

DISTINCT
Specifies that SUM returns the sum of unique values. DISTINCT can only be used when the query does not make use of the GROUP BY clause.

ALL
Applies the aggregate function to all values. ALL is the default.

<field_expr>
The field-expression whose values are to be summed. The field-expression data type must be INTEGER or REAL.

Return Type:
INTEGER or REAL, depending on the argument field-expression.

Remarks:
NULL values are ignored by the SUM aggregate function.
Aggregate functions are allowed as field-expressions only in the SELECT, HAVING, and ORDER BY clauses.
The arguments of an aggregate function cannot reference other aggregate functions.
The arguments of an aggregate function cannot reference the following functions: SEQUENCE, OUT_ROW_NUMBER.
DISTINCT is allowed in aggregate functions only when there is no GROUP BY clause.
Examples:

A. SUM
The following query returns the total number of bytes for executable files in the "system32" directory, using the FS input format:

    SELECT SUM(Size)
    FROM C:\windows\system32\*.*
    WHERE TO_LOWERCASE(EXTRACT_EXTENSION(Name)) = 'exe'

B. SUM and GROUP BY
The following query returns the total number of bytes sent for each page extension logged in the specified IIS W3C log file:

    SELECT TO_LOWERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, SUM(sc-bytes)
    FROM ex031118.log
    GROUP BY PageType

See also:
COUNT, AVG, MAX, MIN, PROPCOUNT, PROPSUM, GROUPING
Aggregate Functions
Aggregating Data Within Groups
Functions

    <function> ::= <function_name> ( <argument_list> )

    <argument_list> ::= <field_expr> [ , <field_expr> ... ]
                        <empty>

Log Parser functions take zero or more field-expressions as arguments, process the arguments, and return a single value.

Remarks:
Generally, functions that take no arguments and functions whose arguments are constant values are executed and replaced with the return value before the query is processed. As an example, the following query uses a function with no arguments and a function with constant arguments:

    SELECT COMPUTER_NAME(), ADD(4, 5), TimeGenerated
    FROM System

Before being processed, the query is modified as follows:

    SELECT 'MYSERVER0', 9, TimeGenerated
    FROM System

The only zero-argument functions that are not replaced with their return value before the query is processed are: SEQUENCE, IN_ROW_NUMBER, OUT_ROW_NUMBER.
Functions:

Arithmetical
ADD, BIT_AND, BIT_NOT, BIT_OR, BIT_SHL, BIT_SHR, BIT_XOR, DIV, EXP, EXP10, FLOOR, LOG, LOG10, MOD, MUL, QNTFLOOR_TO_DIGIT, QNTROUND_TO_DIGIT, QUANTIZE, ROUND, SQR, SQRROOT, SUB

Conversion
HEX_TO_INT, INT_TO_IPV4, IPV4_TO_INT, TO_DATE, TO_HEX, TO_INT, TO_LOCALTIME, TO_REAL, TO_STRING, TO_TIME, TO_TIMESTAMP, TO_UTCTIME

String Manipulation
EXTRACT_EXTENSION, EXTRACT_FILENAME, EXTRACT_PATH, EXTRACT_PREFIX, EXTRACT_SUFFIX, EXTRACT_TOKEN, EXTRACT_VALUE, HEX_TO_ASC, HEX_TO_HEX16, HEX_TO_HEX32, HEX_TO_HEX8, HEX_TO_PRINT, INDEX_OF, LAST_INDEX_OF, LTRIM, REPLACE_CHR, REPLACE_STR, ROT13, RTRIM, STRCAT, STRCNT, STRLEN, STRREPEAT, STRREV, SUBSTR, TO_LOWERCASE, TO_UPPERCASE, TRIM, URLESCAPE, URLUNESCAPE

System Information
COMPUTER_NAME, RESOLVE_SID, REVERSEDNS, SYSTEM_DATE, SYSTEM_TIME, SYSTEM_TIMESTAMP, SYSTEM_UTCOFFSET

Miscellaneous
CASE, COALESCE, HASHMD5_FILE, HASHSEQ, IN_ROW_NUMBER, OUT_ROW_NUMBER, REPLACE_IF_NOT_NULL, SEQUENCE, WIN32_ERROR_DESCRIPTION

Note: The REPLACE_IF_NULL function has been deprecated in favor of the COALESCE function.

See also:
Aggregate Functions
Constant Values
Field Expressions
Constant Values

    <value> ::= <integer_constant>
                <real_constant>
                <string_constant>
                <timestamp_constant>
                <null_constant>

    <integer_constant> ::= integer
                           0xhexadecimal

    <real_constant> ::= integer_part.fractional_part

    <string_constant> ::= 'string'

    <timestamp_constant> ::= TIMESTAMP ( 'timestamp', 'format' )

    <null_constant> ::= NULL

Constants are immutable field-expressions, and they are mostly used in expressions or as arguments of functions.

Constants:

<integer_constant>
Constant values of the INTEGER type can be entered as decimal numbers, or as hexadecimal numbers preceded by the "0x" prefix.
For more information about the Log Parser INTEGER data type, see INTEGER Data Type.

<real_constant>
Constant values of the REAL type are entered as decimal numbers containing a decimal point.
For more information about the Log Parser REAL data type, see REAL Data Type.

<string_constant>
Constant values of the STRING type are entered as strings enclosed by single quote characters (').
The single quote character (') and the backslash character (\) are considered special characters in a string constant, and they can only be entered as escape sequences preceded by a backslash character (\' and \\), as in the following example:

    'Contains \'single quote and \\backslash'

In addition, any character (including illegal characters and non-printable characters) can be entered using the \uxxxx notation, where xxxx is the 4-digit hexadecimal representation of the desired UNICODE character, as in the following example:

    'Contains\u0009tabs'

For more information about the Log Parser STRING data type, see STRING Data Type.

<timestamp_constant>
Constant values of the TIMESTAMP type are entered with the special TIMESTAMP keyword, followed by a string representation of the desired timestamp, and by the format of the string representation of the desired timestamp, using the Log Parser Timestamp Format Specifiers.
If the timestamp format specifiers include date specifiers only, the resulting TIMESTAMP value will be a date-only timestamp. Similarly, if the timestamp format specifiers include time of day specifiers only, the resulting TIMESTAMP value will be a time-only timestamp.
For more information about the Log Parser TIMESTAMP data type, see TIMESTAMP Data Type.

<null_constant>
Constant values of the NULL type are entered with the special NULL keyword.
For more information about the Log Parser NULL data type, see NULL Data Type.

Remarks:
Integer constants entered as hexadecimal numbers are converted internally to decimal values. To force an output format to display an integer field-expression as a hexadecimal value, use the TO_HEX function.
Examples:

A. Integer constant entered as decimal number

    sc-bytes >= 1000

B. Integer constant entered as hexadecimal number

    BIT_AND(Flags, 0x1000)

C. Real constant

    AVG(time-taken) < 75.45

D. String constant

    'Some string'

E. String constant containing special characters

    'Contains \'single quote and \\backslash'

F. String constant containing UNICODE characters

    'Contains a \u2530 UNICODE character'

G. Timestamp constant

    TimeGenerated > TIMESTAMP('2004-05-28 19:12:43', 'yyyy-MM-dd hh:mm:ss')

H. Date-only timestamp constant

    date > TIMESTAMP('2004-05-28', 'yyyy-MM-dd')

I. Time-only timestamp constant

    time > TIMESTAMP('19:12:43', 'hh:mm:ss')

J. NULL constant

    Message <> NULL

See also:
Field Expressions, INTEGER Data Type, REAL Data Type, STRING Data Type, TIMESTAMP Data Type, NULL Data Type
Basics of a Query
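When a script builds a query from a value it does not control (a user name, a URI taken from an alert), the string-constant escape rules above are what keep that value from terminating the constant early and being read as query text. This is an added Python example, not part of the original documentation; the function names are hypothetical, and escaping the double quote as \u0022 is a choice made here so the constant also survives a double-quoted command line.

```python
import re


def to_string_constant(value):
    """Render an arbitrary string as a Log Parser <string_constant>."""
    out = ["'"]
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")              # backslash  -> \\
        elif ch == "'":
            out.append("\\'")               # quote      -> \'
        elif code < 0x20 or code == 0x7F or ch == '"':
            out.append("\\u%04x" % code)    # control characters and " -> \uxxxx
        else:
            out.append(ch)
    out.append("'")
    return "".join(out)


# One escape sequence: a backslash followed by uXXXX or by any single character.
_ESCAPE = re.compile(r"\\(u[0-9a-fA-F]{4}|.)", re.DOTALL)


def from_string_constant(literal):
    """Decode a string constant; reject anything with an unescaped ' or \\."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not enclosed in single quotes")
    body = literal[1:-1]
    leftover = _ESCAPE.sub("", body)
    if "'" in leftover or "\\" in leftover:
        raise ValueError("unescaped quote or backslash inside the constant")

    def decode(match):
        token = match.group(1)
        if token[0] == "u" and len(token) == 5:
            return chr(int(token[1:], 16))
        if token in ("'", "\\"):
            return token
        raise ValueError("unknown escape sequence \\%s" % token)

    return _ESCAPE.sub(decode, body)


def requests_for_page_query(uri_stem):
    """Build the COUNT(*) / WHERE query from the COUNT examples for any URI."""
    return ("SELECT COUNT(*) FROM ex040528.log WHERE cs-uri-stem = "
            + to_string_constant(uri_stem))


if __name__ == "__main__":
    # Constructed hostile input: tries to close the constant and add a condition.
    print(requests_for_page_query("/home.asp' OR 'a'='a"))
```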
Comments

    <comment> ::= /* text_of_comment */
                  -- text_of_comment

Comments are user-provided text not evaluated by Log Parser, used to document code or temporarily disable parts of query statements.

Remarks:
Use -- for single-line or nested comments. Comments inserted with -- are delimited by the newline character.
Multiple-line comments must be indicated by /* and */.
There is no maximum length for comments.

Examples:

A. Single-line comments

    SELECT TimeGenerated, SourceName
    FROM System -- We are using the SYSTEM event log

B. Multiple-line comments

    SELECT TypeName, COUNT(*) AS TotalCount
    USING TO_UPPERCASE( EXTRACT_TOKEN(EventTypeName, 0, ' ') ) AS TypeName
    INTO Report.csv
    FROM System
    /* We only want to retrieve event logs whose
       type name contains 'service'
    */
    WHERE TypeName LIKE '%service%'
    GROUP BY TypeName
    HAVING TotalCount > 5
    ORDER BY TotalCount DESC
Data Types

In the Log Parser SQL-Like language, each field-expression has a related data type, which is an attribute that specifies the type of data that the field-expression can hold.
Log Parser supplies a set of system data types that define all of the types of data that can be used with Log Parser. The set of system-supplied data types is:

INTEGER: integer numeric data;
REAL: floating precision numeric data;
STRING: variable length UNICODE character string data;
TIMESTAMP: date and time data;
NULL: unknown or unavailable data.
INTEGER Data Type

The INTEGER data type represents integer (whole number) numeric data.

Value range:
INTEGER values are represented as signed 64-bit (8-byte) integer numbers, with values ranging from -2^63 (-9,223,372,036,854,775,808) through 2^63-1 (9,223,372,036,854,775,807).

Conversion Functions:
Other data types to INTEGER data type: TO_INT
INTEGER data type to other data types: TO_REAL, TO_STRING, TO_TIMESTAMP

See also:
Constant Values
REAL Data Type

The REAL data type represents floating point numeric data. Floating point data is approximate; not all values in the data type range can be precisely represented.

Value range:
REAL values are represented as signed 64-bit (8-byte) floating point numbers, with values ranging from ±5.0 × 10^-324 through ±1.7 × 10^308, with at least 15 digits of precision.

Conversion Functions:
Other data types to REAL data type: TO_REAL
REAL data type to other data types: TO_INT, TO_STRING, TO_TIMESTAMP

See also:
Constant Values
STRING Data Type

The STRING data type represents variable length UNICODE character string data.

Conversion Functions:
Other data types to STRING data type: TO_STRING
STRING data type to other data types: TO_INT, TO_REAL, TO_TIMESTAMP

See also:
Constant Values
TIMESTAMP Data Type

The TIMESTAMP data type represents date and time of day data.

Value range:
TIMESTAMP values range from January 1, -8192 through December 31, 8191, to an accuracy of one hundred nanoseconds (one ten-thousandth of a millisecond).

Date-only and Time-only Timestamps

TIMESTAMP values can be restricted to represent date data only or time of day data only. As explained in the Remarks section below, a TIMESTAMP value that has been restricted to represent date data only or time of day data only will be formatted to display date elements only (year, month, and day) or time of day elements only (hour, minute, second, millisecond, and nanosecond).

TIMESTAMP values can be restricted to date-only or time-only timestamps in different ways. Some input formats return TIMESTAMP input record fields whose values represent only dates or times of day. For example, the "date" and "time" fields of the IISW3C input format have values representing only dates and times of day, respectively.
TIMESTAMP constants can also be entered as date-only or time-only timestamp values, depending on the Timestamp Format Specifiers used.
In addition, the TO_DATE, TO_TIME, SYSTEM_DATE, and SYSTEM_TIME functions all return TIMESTAMP values representing dates or times of day only.
For more information, refer to the Remarks section below.
Remarks:

TIMESTAMP values are formatted and parsed using Timestamp Format Specifiers. Timestamp format specifiers are strings that use special characters to describe date and/or time elements in a string representation of a timestamp. For more information, refer to the Timestamp Format Specifiers reference.

Although the distinction between date-only or time-only TIMESTAMP values and full TIMESTAMP values is often transparent to the user, date-only or time-only values behave differently than full TIMESTAMP values in the following circumstances:

Comparison operators in expressions: When comparing a date-only TIMESTAMP value with another TIMESTAMP value, the time of day data of the date-only value is assumed to be time zero. Similarly, when comparing a time-only TIMESTAMP value with another TIMESTAMP value, the date data of the time-only value is assumed to be January 1, year 0.

Formatting TIMESTAMP values: whenever a date-only or time-only TIMESTAMP value is formatted to a STRING value by either explicitly using the TO_STRING function or as implicitly done by an output format, the resulting STRING will only contain the date or time of day data, and the non-applicable Timestamp Format Specifiers will be ignored.
As an example, the following query uses the TO_STRING function with date and time of day format specifiers to format the "time" field of the IISW3C input format:

    SELECT TO_STRING(time, 'yyyy-MM-dd hh:mm:ss')
    FROM <1>

Since the values of the "time" field are time-only TIMESTAMP values, the resulting STRING values will be formatted according to the time of day format specifiers only, and the date format specifiers will be ignored:

    18:48:04
    18:48:27
    18:48:27
    18:48:29

Values of type TIMESTAMP can also be used to represent time intervals, for example with the ADD and SUB functions. Since the origin of time in the Log Parser SQL-Like language is January 1, year 0, time intervals should be expressed as timestamps relative to this origin of time. For example, a time interval of one day should be specified as January 2, year 0, i.e. 24 hours after the origin of time.
The following example query selects all the event log records that have been written in the past 2 days:

    SELECT *
    FROM SYSTEM
    WHERE TimeWritten > TO_LOCALTIME( SUB( SYSTEM_TIMESTAMP(), TIMESTAMP('0000-01-03', 'yyyy-MM-dd') ) )

TIMESTAMP values do not carry information on the time zone the timestamp is relative to. When working with TIMESTAMP fields generated by an input format, users should be aware of the time zone these fields are relative to, and handle their values accordingly.
For example, values of the "TimeGenerated" field of the EVT Input Format are relative to the local time zone. If Universal Time Coordinates (UTC) are desired, the TO_UTCTIME function should be used to convert these local timestamps to UTC timestamps.
Conversion Functions:
Other data types to TIMESTAMP data type: TO_TIMESTAMP
TIMESTAMP data type to other data types: TO_INT, TO_REAL, TO_STRING
Full TIMESTAMP values to date-only TIMESTAMP values: TO_DATE
Full TIMESTAMP values to time-only TIMESTAMP values: TO_TIME
Date-only and time-only TIMESTAMP values to full TIMESTAMP values: TO_TIMESTAMP
Local time zone TIMESTAMP values to UTC TIMESTAMP values: TO_UTCTIME
UTC TIMESTAMP values to local time zone TIMESTAMP values: TO_LOCALTIME
See also: Constant Values, Timestamp Format Specifiers
Timestamp Format Specifiers
TIMESTAMP values are formatted and parsed using Timestamp Format Specifiers. Timestamp format specifiers are strings that use special characters to describe date and/or time elements in a string representation of a timestamp.
Timestamp format specifiers are used in the following circumstances:
When entering a TIMESTAMP constant with the TIMESTAMP keyword. In this case, timestamp format specifiers are used to describe how the string entered should be parsed in order to obtain a TIMESTAMP value, as in the following example:
TimeGenerated > TIMESTAMP('2004-05-28 10:23:15', 'yyyy-MM-dd hh:mm:ss')
When converting a TIMESTAMP value to a STRING value using the TO_STRING function. In this case, timestamp format specifiers are used to describe how the TIMESTAMP value should be formatted in order to obtain a STRING value, as in the following example:
TO_STRING(TimeGenerated, 'yyyyMMM,ddh:m:s')
When converting a STRING value to a TIMESTAMP value using the TO_TIMESTAMP function. In this case, timestamp format specifiers are used to describe how the STRING value should be parsed in order to obtain a TIMESTAMP value, as in the following example:
TO_TIMESTAMP(Text, 'MMMdddyyyy')
When specifying how an input format should parse TIMESTAMP fields, using the "iTsFormat" parameter. In this case, timestamp format specifiers are used to describe how timestamp values are represented by the selected data source, so that the input format is capable to parse these fields and represent them as values of type TIMESTAMP. The following example sets a specific value for the "iTsFormat" parameter of the CSV Input Format:
C:\>logparser "SELECT MyField FROM file.csv" -i:CSV -iTsFormat:"yyyy-MM-dd"
When specifying how an output format should format and display TIMESTAMP fields, using the "oTsFormat" parameter. In this case, timestamp format specifiers are used to describe how TIMESTAMP values should be formatted by the output format, as in the following example using the TSV Output Format:
C:\>logparser "SELECT TimeGenerated INTO file.txt FROM System" -i:EVT -o:TSV -oTsFormat:"yyyy-MM-dd"
The following table describes the timestamp format specifiers supported by the Log Parser SQL-Like language:
Specifier | Description | Example specifier strings | Example formats
y | year, last digit (when parsing, assumed to be relative to year 2000) | yMMdd | 40528
yy | year, last 2 digits (when parsing, assumed to be relative to year 2000) | yyMMdd | 040528
yyy | year, last 3 digits (when parsing, assumed to be relative to year 2000) | yyyMMdd | 0040528
yyyy | year, 4 digits | yyyyMMdd | 20040528
M | month, no leading zero | yyyy-M-dd | 2004-5-28; 2004-12-01
MM | month, leading zero | yyyy-MM-dd | 2004-05-28; 2004-12-01
MP | month, leading space | yyyy-MP-dd | 2004-5-28; 2004-12-01
MX | month, with or without leading zero (when parsing); month, without leading zero (when formatting) | yyyy-MX-dd | 2004-05-28 (when parsing); 2004-5-28; 2004-12-01
MMM | month, 3-character abbreviation of name (1) | MMMd,yyyy | Dec1,2004
MMMM | month, full name (1) | MMMMd,yyyy | December1,2004
d | day, no leading zero | yyyy-MM-d | 2004-12-1; 2004-05-28
dd | day, leading zero | yyyy-MM-dd | 2004-12-01; 2004-05-28
dp | day, leading space | yyyy-MM-dp | 2004-12-1; 2004-05-28
dx | day, with or without leading zero (when parsing); day, without leading zero (when formatting) | yyyy-MM-dx | 2004-12-01 (when parsing); 2004-12-1; 2004-05-28
ddd | weekday, 3-character abbreviation of name (1) | dddMMMMd,yyyy | WedDecember1,2004
dddd | weekday, full name (1) | ddddMMMMd,yyyy | WednesdayDecember1,2004
h, H | hour, no leading zero | h:mm:ss | 3:12:05; 21:04:15
hh, HH | hour, leading zero | hh:mm:ss | 03:12:05; 21:04:15
hp, HP | hour, leading space | hp:mm:ss | 3:12:05; 21:04:15
hx, HX | hour, with or without leading zero (when parsing); hour, without leading zero (when formatting) | hx:mm:ss | 03:12:05 (when parsing); 3:12:05; 21:04:15
m | minute, no leading zero | hh:m:ss | 21:4:15; 03:12:05
mm | minute, leading zero | hh:mm:ss | 21:04:15; 03:12:05
mp | minute, leading space | hh:mp:ss | 21:4:15; 03:12:05
mx | minute, with or without leading zero (when parsing); minute, without leading zero (when formatting) | hh:mx:ss | 21:04:15 (when parsing); 21:4:15; 3:12:05
s | second, no leading zero | hh:mm:ss | 03:12:5; 21:04:15
ss | second, leading zero | hh:mm:ss | 03:12:05; 21:04:15
sp | second, leading space | hh:mm:sp | 03:12:5; 21:04:15
sx | second, with or without leading zero (when parsing); second, without leading zero (when formatting) | hh:mm:ss | 03:12:05 (when parsing); 03:12:5; 21:04:15
l | millisecond, no leading zeroes | hh:mm:ss.l | 21:4:15.5; 03:12:05.395
ll | millisecond, leading zeroes | hh:mm:ss.ll | 21:04:15.005; 03:12:05.395
lp | millisecond, leading spaces | hh:mm:ss.lp | 21:04:15.5; 03:12:05.395
lx | millisecond, with or without leading zero (when parsing); millisecond, without leading zero (when formatting) | hh:mm:ss.lx | 21:04:15.005 (when parsing); 21:04:15.5; 3:12:05.395
n | nanosecond, no leading zeroes | hh:mm:ss.ll.n | 21:4:15.005.400; 03:12:05.395.1900
nn | nanosecond, leading zeroes | hh:mm:ss.ll.nn | 21:04:15.005.00000400; 03:12:05.395.001900
np | nanosecond, leading spaces | hh:mm:ss.ll.np | 21:04:15.005.400; 03:12:05.395.1900
nx | nanosecond, with or without leading zero (when parsing); nanosecond, without leading zero (when formatting) | hh:mm:ss.ll.nx | 21:04:15.005.00000400 (when parsing); 21:04:15.005.400; 3:12:05.395.1900
tt | AM/PM notation | hh:mm:sstt | 09:04:15PM; 03:12.05AM
? | any character (when parsing); space (when formatting) | yyyy-MM-dd?hh:mm:ss | 2004-05-28T21:04:15 (when parsing); 2004-05-28 21:04:15 (when formatting)
any other character | verbatim character | hh:mm:ss---yyyy.MM+dd | 09:04:15---2004.05+28
Notes:
(1): element names are obtained from the current system locale.
Date-only and Time-only Timestamps
When parsing a timestamp string, the following assumptions are made:
If the timestamp format specifiers include date elements only, the resulting TIMESTAMP value will be a date-only timestamp; for example, the following statement creates a date-only TIMESTAMP constant value:
TIMESTAMP('2004-05-28', 'yyyy-MM-dd')
If the timestamp format specifiers include time of day elements only, the resulting TIMESTAMP value will be a time-only timestamp; for example, the following statement creates a time-only TIMESTAMP constant value:
TIMESTAMP('21:04:15', 'hh:mm:ss')
Unspecified date elements are replaced with the corresponding elements of the Log Parser origin date (January 1, year 0), unless the timestamp is a time-only timestamp value; for example, the following statement creates a date-only timestamp representing the date February 1, year 0:
TIMESTAMP('2', 'M')
Similarly, unspecified time elements are replaced with zero values, unless the timestamp is a date-only timestamp value; for example, the following statement creates a time-only timestamp representing the time 10:00:00.0.0:
TIMESTAMP('10', 'h')
As another example, the following statement creates a full timestamp value representing the time 10:00:00.0.0 on February 1, year 0:
TIMESTAMP('210', 'Mh')
For more information on date-only and time-only timestamp values, refer to the Timestamp Data Type reference.
See also: Constant Values, Timestamp Data Type
NULL Data Type
The NULL data type represents unknown or unavailable data.
Remarks:
Input formats often return NULL values for input record fields to indicate that the field data is not available in the current log.
A value of NULL is different from a zero value.
In the Log Parser SQL-Like language, comparison operators in expressions treat NULL values as the minimum possible values. In other words, all non-NULL values, even negative numeric values, are always greater than a NULL value.
On the other hand, the MIN and MAX aggregate functions treat NULL values as respectively the maximum and minimum possible values. In other words, the MIN or MAX value between a non-NULL value and a NULL value is always the non-NULL value.
To test for NULL values in a query use IS NULL or IS NOT NULL in the WHERE or HAVING clauses.
See also: Constant Values, Expressions
Input Formats
IIS Log File Input Formats
IISW3C: parses IIS log files in the W3C Extended Log File Format.
IIS: parses IIS log files in the Microsoft IIS Log File Format.
BIN: parses IIS log files in the Centralized Binary Log File Format.
IISODBC: returns database records from the tables logged to by IIS when configured to log in the ODBC Log Format.
HTTPERR: parses HTTP error log files generated by Http.sys.
URLSCAN: parses log files generated by the URLScan IIS filter.
Generic Text File Input Formats
CSV: parses comma-separated values text files.
TSV: parses tab-separated and space-separated values text files.
XML: parses XML text files.
W3C: parses text files in the W3C Extended Log File Format.
NCSA: parses web server log files in the NCSA Common, Combined, and Extended Log File Formats.
TEXTLINE: returns lines from generic text files.
TEXTWORD: returns words from generic text files.
System Information Input Formats
EVT: returns events from the Windows Event Log and from Event Log backup files (.evt files).
FS: returns information on files and directories.
REG: returns information on registry values.
ADS: returns information on Active Directory objects.
Special-purpose Input Formats
NETMON: parses network capture files created by NetMon.
ETW: parses Enterprise Tracing for Windows trace log files and live sessions.
COM: provides an interface to Custom Input Format COM Plugins.
ADS Input Format
The ADS input format returns properties of Active Directory objects.
The ADS input format enumerates the Active Directory objects in the Active Directory Container whose LDAP path is specified in the from-entity, possibly recursing into additional Container objects found during the enumeration. The information returned for each object depends on the value specified for the objClass parameter.
When the objClass parameter is left unspecified, the ADS input format works in "property mode", returning a record for each property of each object visited during the enumeration. In this case, input records have a fixed number of fields whose values describe the properties being returned, including a "PropertyName" field and a "PropertyValue" field containing the name and the value of the property being processed. Queries operating in "property mode" can work on Active Directory objects of different types, and since each input record represents a single object property, they can only reference a single property at a time.
For example, the following command returns the values of all the properties named "comment" from all the objects in the specified path:
LogParser "SELECT PropertyValue FROM LDAP://mydomain.mycompany.com WHERE PropertyName = 'comment'" -i:ADS
The output would look like the following example:
PropertyValue
-----------------
Builtin
Builtin
Account Operators
Account Operators
Administrators
Administrators
Backup Operators
Backup Operators
When the name of an Active Directory object class is specified for the objClass parameter, the ADS input format works in "object mode", returning a record for each object visited during the enumeration that is an instance of the specified class. In this case, there is an input record field for each of the properties of the object being returned. Queries operating in "object mode" can only work on Active Directory objects of a single type, and since each input record represents a single object, they can reference multiple properties of the same object at the same time.
For example, the following command returns the specified properties from all the objects of type "Computer" (the LDAP path contains commas, so it is enclosed within single quotes):
LogParser "SELECT cn, operatingSystem, operatingSystemServicePack FROM 'LDAP://mydomain.mycompany.com/CN=Computers,DC=mydomain,DC=mycompany,DC=com'" -i:ADS -objClass:Computer
The output would look like the following example:
cn           operatingSystem         operatingSystemServicePack
------------ ----------------------- --------------------------
SERVER01     Windows XP Professional Service Pack 1
SERVER02     Windows XP Professional Service Pack 2
TESTMACHINE1 Windows Server 2003     -
TESTMACHINE2 Windows XP Professional Service Pack 2
TESTMACHINE3 Windows XP Professional Service Pack 1
TESTMACHINE4 Windows 2000 Server     Service Pack 4
ADS Input Format From-Entity Syntax
<from-entity> ::= [ [<provider>:]//[<username>:<password>@]<domain> ]/<path> [ ; ... ]
The <from-entity> specified in queries using the ADS input format is a semicolon-separated list of LDAP paths. Each LDAP path begins with an optional provider name (e.g. "IIS", "LDAP"), followed by an optional domain or computer name. If a provider name is not specified, then "IIS" is assumed by default. If a domain name or computer name is not specified, then "localhost" is assumed by default.
The from-entity can optionally include a username and a password to be used for the connection to the Active Directory provider. When these are not specified, the ADS input format uses the current user's credentials.
Note: LDAP paths containing comma (,) characters should be enclosed within single-quote (') characters.
Examples:
FROM IIS://COMPUTER01/W3SVC/1
FROM IIS://MyUsername:MyPassword@COMPUTER01/W3SVC/1
FROM 'LDAP://MyDomain/CN=Users,DC=MyDomain,DC=com'
FROM 'LDAP://MyUsername:MyPassword@MyDomain/CN=Users,DC=MyDomain,DC=com'
FROM /W3SVC/1; /W3SVC/2; //COMPUTER02/W3SVC/1
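The from-entity grammar above, as a small Python parser that applies the documented defaults and masks embedded credentials before a command line is stored or shared. This is an added example, not Log Parser code: the function names and the sample command lines are constructed here, and passwords are assumed not to contain "@" or "/".

```python
import re

# One entry of the ADS from-entity grammar:
#   [[<provider>:]//[<username>:<password>@]<domain>]/<path>
ENTRY = re.compile(
    r"^(?:(?:(?P<provider>[A-Za-z][A-Za-z0-9]*):)?//"
    r"(?:(?P<username>[^:@/]+):(?P<password>[^@/]*)@)?"
    r"(?P<domain>[^/]+))?"
    r"(?P<path>/.*)?$"
)
# Credentials written into a path, and the ADS "password" parameter.
CRED_IN_PATH = re.compile(r"(//[^:@/\s'\";]+:)[^@/\s'\";]*(@)")
PASSWORD_PARAM = re.compile(r"(-password:)(\"[^\"]*\"|\S+)", re.IGNORECASE)

# Constructed command lines, modelled on the examples in this section.
SAMPLE_COMMANDS = [
    "LogParser \"SELECT cn FROM 'LDAP://MyUsername:MyPassword@MyDomain/"
    "CN=Users,DC=MyDomain,DC=com'\" -i:ADS -objClass:User",
    "LogParser \"SELECT cn FROM 'LDAP://MyDomain/CN=Users,DC=MyDomain,DC=com'\""
    " -i:ADS -objClass:User -username:MyUser -password:MyPassword",
    "LogParser \"SELECT ObjectPath FROM IIS://localhost\" -i:ADS",
]


def parse_from_entity(from_entity):
    """Split a from-entity into its paths and apply the documented defaults."""
    text = from_entity.strip()
    if len(text) >= 2 and text[0] == text[-1] == "'":
        text = text[1:-1]  # paths containing commas are single-quoted
    entries = []
    for part in text.split(";"):
        part = part.strip()
        match = ENTRY.match(part)
        if not part or match is None:
            raise ValueError("not an ADS from-entity entry: %r" % part)
        entries.append({
            "provider": match.group("provider") or "IIS",    # default provider
            "domain": match.group("domain") or "localhost",  # default computer
            "username": match.group("username"),
            "has_password": match.group("password") is not None,
            "path": match.group("path") or "/",
        })
    return entries


def exposes_credentials(command_line):
    """True when a password is written into the path or the password parameter."""
    return bool(CRED_IN_PATH.search(command_line)
                or PASSWORD_PARAM.search(command_line))


def redact(command_line):
    """Mask passwords while keeping provider, username, domain and path."""
    masked = CRED_IN_PATH.sub(r"\1***\2", command_line)
    return PASSWORD_PARAM.sub(r"\1***", masked)


if __name__ == "__main__":
    for command in SAMPLE_COMMANDS:
        print(exposes_credentials(command), redact(command))
```

Entries without credentials are the ones that run with the current user's credentials, as described above.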
ADS Input Format Fields
The structure of the input records generated by the ADS input format depends on the value specified for the objClass parameter.
Property Mode
When the objClass parameter is left unspecified, the ADS input format works in "property mode", returning a record for each property of each object visited during the enumeration. In this case, input records have the following fixed structure:
Name Type Description
ObjectPath STRING Full Active Directory path of the object containing this property
ObjectName STRING Name of the object containing this property
ObjectClass STRING Class name of the object containing this property
PropertyName STRING Name of the property being processed
PropertyValue STRING Value of the property being processed
PropertyType STRING Type of the property being processed
Queries operating in "property mode" can work on Active Directory objects of different types, and since each input record represents a single object property, they can only reference a single property at a time.
Object Mode
When the name of an Active Directory object class is specified for the objClass parameter, the ADS input format works in "object mode", returning a record for each object visited during the enumeration that is an instance of the specified class. In this case, the first input record field is fixed, and it is described in the following table:
Name Type Description
ObjectPath STRING Full Active Directory path of the object being processed
This field is followed by fields representing all the properties of the specified object class. Each field is named after the corresponding property name, and its data type is determined by the property type declared by the Active Directory schema object for the specified class.
Queries operating in "object mode" can only work on Active Directory objects of a single type, and since each input record represents a single object, they can reference multiple properties of the same object at the same time.
ADS Input Format Parameters
The ADS input format supports the following parameters:

objClass
Values: Active Directory object class name
Default: not specified
Description: Object class name for "object mode" operation.
Details: When this parameter is left unspecified, the ADS input format works in "property mode", returning a record for each property of each object visited during the enumeration. On the other hand, when the name of an Active Directory object class is specified for this parameter, the ADS input format works in "object mode", returning a record for each object visited during the enumeration that is an instance of the specified class. For more information on the different modes of operation, see Format Fields.
Example: -objClass:User

username
Values: username
Default: not specified
Description: Username for the Active Directory connection.
Details: When a username is not specified for this parameter, the ADS input format uses the username specified in the from-entity of the query. If the from-entity does not include a username, the ADS input format will use the current user's credentials.
Note: For security reasons, values specified for this parameter are not persisted when using the Log Parser command-line Defaults Override Mode.
Example: -username:MyUser

password
Values: password
Default: not specified
Description: Password for the Active Directory connection.
Details: Password for the username specified with the "username" parameter.
Note: For security reasons, values specified for this parameter are not persisted when using the Log Parser command-line Defaults Override Mode.
Example: -password:MyPassword

recurse
Values: recursion level (number)
Default: -1
Description: Max ADS container recursion level.
Details: 0 disables container recursion; -1 enables unlimited recursion.
Example: -recurse:2

multiValuedSep
Values: any string
Default: |
Description: Separator between values of multi-valued types.
Details: Multi-valued property values are returned as a single string, built by concatenating the multiple values one after the other using the value of this parameter as a separator between the elements.
Example: -multiValuedSep:,

ignoreDSErrors
Values: ON | OFF
Default: ON
Description: Ignore Directory Service errors.
Details: When this parameter is set to "OFF", Directory Service errors occurring during the enumeration of objects and properties are returned as Errors. When this parameter is set to "ON", Directory Service errors are silently ignored, and input record fields corresponding to unretrievable objects or properties are returned as NULL values.
Example: -ignoreDSErrors:OFF

parseBinary
Values: ON | OFF
Default: OFF
Description: Return value of binary properties.
Details: This parameter specifies whether properties containing binary values are returned or not. When this parameter is set to "ON", binary values are returned as STRING values formatted according to the value specified for the "binaryFormat" parameter.
Example: -parseBinary:ON

binaryFormat
Values: ASC | PRINT | HEX
Default: HEX
Description: Format of binary properties.
Details: When the "parseBinary" property is set to "ON", the ADS input format returns properties containing binary values. In this case, binary values are returned as STRING values formatted according to the value specified for this parameter.
When this parameter is set to "ASC", data bytes belonging to the 0x20-0x7F range are returned as ASCII characters, while data bytes outside the range are returned as period (.) characters, as shown in the following example:
Bucket: 02096553..rundll32.exe
When this parameter is set to "PRINT", data bytes representing printable ASCII characters are returned as ASCII characters, while data bytes that do not represent printable ASCII characters are returned as period (.) characters, as shown in the following example:
Bucket: 02096553
rundll32.exe
When this parameter is set to "HEX", all data bytes are returned as two-digit hexadecimal values, as shown in the following example:
4275636B65743A2030323039363535330D0A72756E646C6C33322E657865
Example: -binaryFormat:PRINT
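The ASC and HEX renderings described above, modelled in Python on the page's own example value to show that HEX can be turned back into the original bytes while ASC cannot. This is an added example, not Log Parser code; the function names are chosen here, and PRINT is left out because its exact definition of "printable" is not given on the page.

```python
# Hex string copied from the HEX example above.
PAGE_HEX = "4275636B65743A2030323039363535330D0A72756E646C6C33322E657865"


def from_hex(value):
    """Recover the raw property bytes from a binaryFormat:HEX string."""
    return bytes.fromhex(value)


def to_hex(data):
    """binaryFormat:HEX: every byte as two hexadecimal digits."""
    return data.hex().upper()


def to_asc(data):
    """binaryFormat:ASC as described: bytes 0x20-0x7F kept, all others '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7F else "." for b in data)


def asc_collisions(values):
    """Group distinct byte strings that ASC renders to the same text."""
    seen = {}
    for value in values:
        seen.setdefault(to_asc(value), set()).add(value)
    return {text: sorted(group) for text, group in seen.items() if len(group) > 1}


if __name__ == "__main__":
    raw = from_hex(PAGE_HEX)
    print(repr(raw))      # the CR LF pair is still present in the bytes
    print(to_asc(raw))    # the same pair shown as two periods
    # Constructed values: three different byte strings, one ASC rendering.
    print(asc_collisions([b"a\r\nb", b"a..b", b"a\x00\x01b", b"ab"]))
```

When binary property values have to be compared or matched exactly, the HEX form is the one to keep.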
ADS Input Format Examples
Users' Job Titles
Retrieve users' job title breakdown from Active Directory:
LogParser "SELECT title, MUL(PROPCOUNT(*), 100.0) AS Percentage INTO DATAGRID FROM 'LDAP://MyUsername:MyPassword@mydomain/CN=Users,DC=mydomain,DC=com' WHERE title IS NOT NULL GROUP BY title ORDER BY Percentage DESC" -objClass:User
IIS AccessFlags MetaBase Properties
Retrieve all the AccessFlags properties from IIS metabase objects:
LogParser "SELECT ObjectPath, PropertyValue FROM IIS://localhost WHERE PropertyName = 'AccessFlags'"
BIN Input Format
The BIN input format parses IIS log files in the Centralized Binary Log File Format.
When an IIS 6.0 web server is configured to log in the Centralized Binary Log File Format, all the IIS virtual sites hosted by the server log in a single, server-wide log file. Log files in this format are binary files, and the information contained in these logs can not be visualized by standard text file processors.
BIN Input Format From-Entity Syntax
<from-entity> ::= <filename> | <SiteID> [, <filename> | <SiteID> ... ]
<SiteID> ::= <site_number><server_comment><site_metabase_path>
The <from-entity> specified in queries using the BIN input format is a comma-separated list of:
Paths of IIS Centralized Binary log files;
IIS Virtual Site "identifiers".
"Site identifiers" must be enclosed within angle brackets (< and >), and can have one of the following values:
The numeric site ID (e.g. "<1>", "<28163489>");
The text value of the "ServerComment" property of the site (e.g. "<My External Site>", "<www.margiestravel.com>");
The fully-qualified ADSI metabase path to the site (e.g. "<//MYSERVER/W3SVC/1>"), using either the numeric site ID or the text value of the "ServerComment" property of the site.
When a "site identifier" is used, the BIN input format connects to the specified machine's metabase, gathers information on the server's current logging properties, and parses all the log files in the server's current log file directory, returning only the entries corresponding to requests to the specified virtual site.
Filenames and "Site identifiers" can also include wildcards (e.g. "LogFiles\ra04*.ibl", "<www.*.com>").
Examples:
FROM LogFiles\ra04*.ibl, LogFiles\ra03*.ibl, \\MyServer\LoggingShare\W3SVC\ra04*.ibl
FROM <1>, <2>, <My External Site>, raw9.ibl
FROM <www.net*home.com>, <//MyServer2/W3SVC/www.net*home.com>, <*>
BIN Input Format Fields
The input records generated by the BIN input format contain the following fields:
Name Type Description
LogFilename STRING Full path of the log file containing this entry
LogRow INTEGER Line in the log file containing this entry
ComputerName STRING The name of the server that served the request
SiteID INTEGER The IIS virtual site instance number that served the request
DateTime TIMESTAMP The date and time at which the request was served (Universal Time Coordinates (UTC) time)
ClientIpAddress STRING The IP address of the client that made the request
ServerIpAddress STRING The IP address of the server that served the request
ServerPort INTEGER The server port number that received the request
Method STRING The HTTP request verb
ProtocolVersion STRING The HTTP version of the client request
ProtocolStatus INTEGER The response HTTP status code
SubStatus INTEGER The response HTTP sub-status code
TimeTaken INTEGER The number of milliseconds elapsed since the moment the server received the request to the moment the server sent the last response chunk to the client
BytesSent INTEGER The number of bytes in the response sent by the server
BytesReceived INTEGER The number of bytes in the request sent by the client
Win32Status INTEGER The Windows status code associated with the response HTTP status code
UriStem STRING The HTTP request uri-stem
UriQuery STRING The HTTP request uri-query, or NULL if the requested URI did not include a uri-query
UserName STRING The name of the authenticated user that made the request, or NULL if the request was from an anonymous user
BIN Input Format Examples
Top 20 URL's for a Site
Create a chart containing the TOP 20 URL's in the "www.margiestravel.com" web site (assumed to be logging in the Centralized Binary log format):
LogParser "SELECT TOP 20 UriStem, COUNT(*) AS Hits INTO MyChart.gif FROM <www.margiestravel.com> GROUP BY UriStem ORDER BY Hits DESC" -chartType:Column3D -groupSize:1024x768
COM Input Format
The COM input format provides an interface to Custom Input Format COM Plugins.
With the Log Parser command-line executable, Custom Input Format COM Plugins are used through the COM input format. This input format takes the ProgID of the plugin COM object as a value of the iProgID parameter, and it provides an interface for command-line operations to use the custom input format.
With the Log Parser scriptable COM components, Custom Input Format COM Plugin objects can be used directly as arguments to the Execute or ExecuteBatch methods of the LogQuery object. For this reason, the COM input format is not provided as a Log Parser scriptable COM component.
See also: Custom Plugins, COM Input Format Plugins Reference
COM Input Format From-Entity Syntax
The <from-entity> specified in queries using the COM input format is delivered as-is to the custom input format COM object as an argument to the OpenInput method of the ILogParserInputContext interface, and its syntax and interpretation is provided by the custom input format selected.
The <from-entity> specified in queries using the COM input format must however obey the general syntax for <from-entity> language elements.
COM Input Format Fields
The input records generated by the COM input format contain the fields provided by the currently selected Custom Input Format COM plugin.
The number of fields, their names, and their data types are retrieved through the GetFieldCount, GetFieldName, and GetFieldType methods of the ILogParserInputContext interface.
COM Input Format Parameters
The COM input format supports the following parameters:

iProgID
Values: COM ProgID
Default: not specified
Description: ProgID of the Custom Input Format COM Plugin.
Details: This parameter is used to specify the version-independent ProgID of the custom input format COM object selected for the current query.
Example: -iProgID:MSUtil.LogQuery.Sample.QFE

iCOMParams
Values: name=value[,name=value...]
Default: not specified
Description: Parameters for the Custom Input Format COM Plugin.
Details: The value of this parameter is a comma-separated list of name-value pairs specifying property names and values for Custom Input Format COM Plugins implemented through the IDispatch COM interface. If property names or their values contain space characters, the value of this parameter should be surrounded by double-quote (") characters. For more information on custom properties exposed by COM plugins, see Custom Properties in the COM Input Format Plugins reference.
Example: -iCOMParams:TargetMachine=localhost,ExtendedFields=on

iCOMServer
Values: computer name
Default: localhost
Description: Computer name on which the Custom Input Format COM Plugin is to be instantiated.
Details: Plugin COM objects supporting Distributed COM (DCOM) can be instantiated on a remote computer, thus providing a means for the custom input format to process data on a computer different than the computer running the Log Parser query.
Example: -iCOMServer:MYSERVER01
COM Input Format Examples
QFE Information
Return QFE information from the local machine, using the "QFE" sample Custom Input Format COM Plugin:
LogParser "SELECT * FROM ." -i:COM -iProgID:MSUtil.LogQuery.Sample.QFE -iCOMParams:ExtendedFields=on
CSV Input Format
The CSV input format parses comma-separated values text files.
CSV text files are generated and handled by a large number of applications and tools, including:
Microsoft Excel
PerfMon
Generic spreadsheet applications
In a CSV text file, each line consists of one record, and fields in a record are separated by commas. Depending on the application, the first line in a CSV file might be a "header", containing the labels of the record fields.
The following example shows a CSV file beginning with a header:
DateTime,PID,Comment
5/28/2004 13:56:12,2956,Application started
5/28/2004 13:59:02,2956,Waiting for input
5/28/2004 14:12:45,3104,Application started
5/28/2004 15:24:42,1048,Application started
Moreover, field values and labels might be enclosed within double-quote (") characters, as shown by the following PerfMon CSV log file example:
"\\GAB1\Processor(_Total)\% Processor Time","\\GAB1\System\Processes"
"99.999993086289507","33"
"2.0000000000000018","33"
"1.0000000000000009","33"
"0.33333333333332993","33"
"0.33333333333332993","33"
"0","33"
"4.0000000000000036","33"
"4.3333333333333339","33"
See also: TSV Input Format, CSV Output Format
CSV Input Format From-Entity Syntax
<from-entity> ::= <filename> [, <filename> ... ] | http://<url> | STDIN
The <from-entity> specified in queries using the CSV input format is either:
A comma-separated list of paths of CSV files, possibly including wildcards;
The URL of a file in the CSV format;
The "STDIN" keyword, which specifies that the input data is available from the input stream (commonly used when piping command executions).
Examples:
FROM LogFiles1\*.csv, LogFiles2\*.csv, \\MyServer\FileShare\*.csv
FROM http://www.microsoft.adatum.com/MyCSVFiles/example.csv
type data.csv | LogParser "SELECT * FROM STDIN" -i:CSV
CSVInputFormatFieldsThestructureoftheinputrecordsgeneratedbytheCSVinputformatisdeterminedatruntime,dependingonthedatabeingparsed,andonthevaluesspecifiedfortheinputformatparameters.
Thefirsttwoinputrecordfieldsarefixed,andtheyaredescribedinthefollowingtable:
Name Type Description
Filename STRING Fullpathofthefilecontainingthisentry
RowNumber INTEGER Lineinthefilecontainingthisentry
ThesetwofieldsarethenfollowedbythefieldsdetectedbytheCSVinputformatintheCSVfile(s)beingparsed.Thenumber,names,anddatatypesofthefieldsaredeterminedbyexamininginitiallytheCSVdataaccordingtothevaluesspecifiedfortheinputformatparameters.
ThenumberoffieldsdetectedbytheCSVinputformatduringtheinitialinspectionphasedictateshowtheCSVrecordfieldswillbeextractedfromtheinputdataduringthesubsequentparsingstage.IfaCSVlinecontainslessfieldsthanthenumberoffieldsestablished,themissingfieldsarereturnedasNULLvalues.Ontheotherhand,ifaCSVlinecontainsmorefieldsthanthenumberoffieldsestablished,theextrafieldsareparsedasiftheywerepartofthevalueofthelastfieldexpectedbytheCSVinputformat.
NumberofFieldsThenumberoffieldsinaninputrecordisdeterminedbytheinputCSVdataandbythevaluesofthenFieldsandfixedFieldsparameters.
Whenthe"nFields"parameterissetto-1,theCSVinputformatdeterminesthenumberoffieldsbyinspectingtheinputCSVdata.
Page 231
Ifthe"fixedFields"parameterissetto"ON",indicatingthatalltherowsintheCSVfilehavethesamefixednumberoffields,thenthenumberoffieldsisdeterminedbyparsingeitherthefirstlineoftheCSVinputdata,orthefirstlineoftheheaderfilespecifiedwiththe"iHeaderFile"parameter.Ontheotherhand,ifthe"fixedFields"parameterissetto"OFF",indicatingthattherowsintheCSVfilehaveavariablenumberoffields,thenthenumberoffieldsisassumedtobethelargestnumberoffieldsfoundamongthefirstnlinesoftheCSVinputdata(eventuallyincludingthefirstlineoftheheaderfilespecifiedwiththe"iHeaderFile"parameter),wherenisthevalueofthe"dtLines"parameter.
Asanexample,thefollowingCSVfilecontainsavariablenumberoffields:
Name,City,AreaCodeJeff,Redmond,425Steve,Seattle,206,98101Edward,Olympia,360Whenparsedwiththe"nFields"parametersetto-1andthe"fixedFields"parametersetto"ON",thisCSVfilewouldyieldthreefields("Name","City",and"AreaCode").Inthiscase,theextrafourthfieldinthesecondrecordwouldbeparsedaspartofthethird"AreaCode"field,whosevaluewouldthenbe"206,98101".Ontheotherhand,ifthe"fixedFields"parameterissetto"OFF",andthe"dtLines"parameterissettoanyvaluegreaterthan2,thenthesameCSVfilewouldyieldfourfields("Name","City","AreaCode",andanadditionalfourthfielddetectedinthesecondCSVrecord).Inthiscase,thefirstandthirdrecordswouldhaveaNULLvalueforthefourthfield,andthesecondrecordwouldhavea"98101"valueforthefourthfield.
Whenthe"nFields"parameterissettoavaluegreaterthanzero,theCSVinputformatusesthespecifiedvalueasthenumberoffieldsintheinputdata.However,ifthe"fixedFields"parameterissetto"OFF",indicatingthattherowsintheCSVfilehaveavariablenumberoffields,thentheCSVinputformatusesthevalueofthe"nFields"parameterasa"suggestedminimum"numberoffields,anditexaminesthefirstnlinesoftheCSV
Page 232
inputdata(eventuallyincludingthefirstlineoftheheaderfilespecifiedwiththe"iHeaderFile"parameter),wherenisthevalueofthe"dtLines"parameter,todeterminethenumberoffieldsamongtheselines.Iflinesarefoundcontainingmorefieldsthanthevaluespecifiedforthe"nFields"parameter,thenthenumberoffieldsisadjustedtothelargestnumberoffieldsfoundamongthefirstnlines.
Considering again the previous CSV example file, parsing the file with the "nFields" parameter set to 3 and the "fixedFields" parameter set to "ON" would yield three fields. However, setting the "fixedFields" parameter to "OFF" and the "dtLines" parameter to any value greater than 2 would yield four fields, detecting the extra field in the second record.

Field Names
The names of the fields in an input record are determined by the input CSV data and by the values of the headerRow and iHeaderFile parameters.
When the "headerRow" parameter is set to "ON", the CSV input format assumes that the first line in the CSV file being parsed is a header containing the field names. In this case, if the "iHeaderFile" parameter is left unspecified, the CSV input format extracts the field names from the header line. On the other hand, if the "iHeaderFile" parameter is set to the path of a CSV file containing at least one line, then the CSV input format assumes that the specified file contains a header, parses its first line only, and extracts the field names from this line, ignoring the first line of the CSV file being parsed.
If the number of field names extracted is less than the number of fields detected, the additional fields are automatically named "FieldN", with N being a progressive index indicating the field position in the input record.
Considering the previous example CSV file, setting the "headerRow" parameter to "ON" would cause the CSV input format to use the first line of the CSV file as a header containing the field names. With the "fixedFields" parameter set to "ON", the CSV input format would detect three fields, whose names would be "Name", "City", and "AreaCode". On the other hand, with the "fixedFields" parameter set to "OFF", the CSV input format would detect four fields, named "Name", "City", "AreaCode", and "Field4".
When the "headerRow" parameter is set to "OFF", the CSV input format assumes that the CSV file being parsed does not contain a header, and that its first line is the first data record in the file. In this case, if the "iHeaderFile" parameter is set to the path of a CSV file containing at least one line, then the CSV input format assumes that the specified file contains a header, parses its first line only, and extracts the field names from this line. On the other hand, if the "iHeaderFile" parameter is left unspecified, the fields are automatically named "FieldN", with N being a progressive number indicating the field position in the input record.
As an example, the following CSV file does not contain a header line:
Jeff,Redmond,425
Steve,Seattle,206
Edward,Olympia,360
When parsed with the "headerRow" parameter set to "OFF", the CSV input format assumes that the first line of the CSV file is the first data record in the file. In this case, the three fields would be named "Field1", "Field2", and "Field3".

Field Types
The data type of each field extracted from the input data is determined by examining the first n CSV data lines, where n is the value specified for the dtLines parameter, in the following way:
- If all the non-empty field values in the first n lines are formatted as decimal numbers, then the field is assumed to be of the REAL type.
- If all the non-empty field values in the first n lines are formatted as integer numbers, then the field is assumed to be of the INTEGER type.
- If all the non-empty field values in the first n lines are formatted as timestamps in the format specified by the iTsFormat parameter, then the field is assumed to be of the TIMESTAMP type.
- Otherwise, the field is assumed to be of the STRING type.
Empty field values are returned as NULL values.
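The field-count, field-name and field-type rules above can be traced with a small model. This is an added example, not Log Parser code: the function names, the strptime-style timestamp format, the four-field sample row and the choice to test INTEGER before REAL are assumptions made for illustration.

```python
import csv
import io
import re
from datetime import datetime

INT_RE = re.compile(r"^[+-]?\d+$")
REAL_RE = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)$")

# Constructed sample: header plus a second record carrying an extra field.
SAMPLE_WITH_HEADER = "\n".join([
    "Name,City,AreaCode",
    "Jeff,Redmond,425",
    "Steve,Seattle,206,98101",
    "Edward,Olympia,360",
]) + "\n"
# Headerless file as shown in the text above.
SAMPLE_NO_HEADER = "Jeff,Redmond,425\nSteve,Seattle,206\nEdward,Olympia,360\n"


def read_rows(text):
    """Split CSV text into records; csv.reader keeps commas inside double quotes."""
    return [row for row in csv.reader(io.StringIO(text)) if row]


def is_timestamp(value, ts_format):
    try:
        datetime.strptime(value, ts_format)
        return True
    except ValueError:
        return False


def field_count(rows, fixed_fields=True, n_fields=-1, dt_lines=10):
    """fixedFields ON: nFields, or the width of the first line when nFields is -1.
    fixedFields OFF: the widest of the first dtLines lines, never below nFields."""
    if fixed_fields:
        if n_fields != -1:
            return n_fields
        return len(rows[0]) if rows else 0
    widest = max((len(row) for row in rows[:dt_lines]), default=0)
    return max(n_fields, widest)


def field_names(header, count):
    """Use header names where present, then FieldN for the remaining positions."""
    names = list(header[:count])
    names += [f"Field{i}" for i in range(len(names) + 1, count + 1)]
    return names


def field_types(data_rows, count, dt_lines=10, ts_format="%Y-%m-%d %H:%M:%S"):
    """Infer a type per column from the non-empty values of the first dtLines data lines."""
    types = []
    for col in range(count):
        values = [r[col] for r in data_rows[:dt_lines] if col < len(r) and r[col] != ""]
        if not values:                      # nothing examined (dtLines 0 or empty column)
            types.append("STRING")
        elif all(INT_RE.match(v) for v in values):   # assumption: INTEGER tested first
            types.append("INTEGER")
        elif all(REAL_RE.match(v) for v in values):
            types.append("REAL")
        elif all(is_timestamp(v, ts_format) for v in values):
            types.append("TIMESTAMP")
        else:
            types.append("STRING")
    return types


def describe(text, header_row=True, header_file_text=None,
             fixed_fields=True, n_fields=-1, dt_lines=10):
    """Return [(field name, field type), ...] for the given parameter values."""
    rows = read_rows(text)
    count = field_count(rows, fixed_fields, n_fields, dt_lines)
    data_rows = rows[1:] if header_row else rows
    if header_file_text is not None:        # iHeaderFile: only its first line is used
        header_rows = read_rows(header_file_text)
        header = header_rows[0] if header_rows else []
    elif header_row and rows:
        header = rows[0]
    else:
        header = []
    return list(zip(field_names(header, count),
                    field_types(data_rows, count, dt_lines)))


if __name__ == "__main__":
    print(describe(SAMPLE_WITH_HEADER))
    print(describe(SAMPLE_WITH_HEADER, fixed_fields=False, dt_lines=3))
    print(describe(SAMPLE_NO_HEADER, header_row=False))
```

With "fixedFields" left at "ON", a record wider than the first line is not reflected in the detected schema, so a quick width check like this on a sample of the file shows whether "fixedFields" or "dtLines" needs adjusting before running a query.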
CSV Input Format Parameters
The CSV input format supports the following parameters:

headerRow
Values: ON|OFF
Default: ON
Description: Specifies whether or not the input CSV file(s) begin with a header line.
Details: When this parameter is set to "ON", the CSV input format assumes that each file being parsed begins with a header line, containing the labels of the fields in the file. If the "iHeaderFile" parameter is left unspecified, the CSV input format will use the field names in the first file's header as the names of the input record fields. If a value is specified for the "iHeaderFile" parameter, the CSV input format will ignore the header line in each file being parsed. When this parameter is set to "OFF", the CSV input format assumes that the file(s) being parsed do not contain a header, and parses their first line as data records. For more information on headers and field names, see CSV Input Format Fields.
Example: -headerRow:OFF

iHeaderFile
Values: path to a CSV file
Default: not specified
Description: File containing field names.
Details: When parsing CSV files that do not contain a header line, the fields of the input records produced by the CSV input format are named "Field1", "Field2", ... To override this behavior and use meaningful field names, this parameter can be set to the path of a CSV file containing a header line, causing the CSV input format to use the field names in the specified CSV file's header line as the names of the input record fields. Only the first line of the specified CSV file is parsed, and any additional lines are ignored. For more information on headers and field names, see CSV Input Format Fields.
Example: -iHeaderFile:"C:\MyFolder\header.csv"

fixedFields
Values: ON|OFF
Default: ON
Description: Specifies whether or not all the records in the input CSV file(s) have a fixed number of fields.
Details: When this parameter is set to "ON", the CSV input format assumes that the number of fields in all the input CSV records equals the number of fields found in the first CSV line parsed, or the number of fields specified for the "nFields" parameter. When this parameter is set to "OFF", the CSV input format assumes that the input CSV records have a variable number of fields, and it parses the first n lines of the input CSV data to determine the maximum number of fields in the records, where n is the value specified for the "dtLines" parameter. For more information on how the number of fields is determined, see CSV Input Format Fields.
Example: -fixedFields:OFF

nFields
Values: number of fields (number)
Default: -1
Description: Number of fields in the CSV data records.
Details: When the "fixedFields" parameter is set to "ON", this parameter specifies the number of fields in the input CSV data. When the "fixedFields" parameter is set to "OFF", this parameter specifies the minimum number of fields in the input CSV data. If the first n lines of input data contain more fields than the specified number of fields, where n is the value of the "dtLines" parameter, then the number of fields is assumed to be the maximum number of fields found within the n lines of data. The special "-1" value specifies that the number of fields is to be deduced by inspecting the first n lines of input data, where n is the value of the "dtLines" parameter. For more information on how the number of fields is determined, see CSV Input Format Fields.
Example: -nFields:3

dtLines
Values: number of lines (number)
Default: 10
Description: Number of lines examined to determine number of fields and field types at run time.
Details: This parameter specifies the number of initial lines that the CSV input format examines to determine the number of the input record fields and the data type of each field. If the value is 0, all fields will be assumed to be of the STRING data type. For more information on how the number of fields and their data types are determined, see CSV Input Format Fields.
Example: -dtLines:50

iDQuotes
Values: Auto|Ignore
Default: Auto
Description: Behavior with double-quoted fields.
Details: When this parameter is set to "Auto" and a field value is enclosed within double-quote characters ("), the CSV input format parses the field ignoring comma characters (,) within the double-quotes, and returns the enclosed value stripping off the surrounding double-quote characters. When set to "Ignore", the CSV input format does not perform any double-quote processing, and field values are returned verbatim, including double-quote characters.
Example: -iDQuotes:Ignore

nSkipLines
Values: number of lines (number)
Default: 0
Description: Number of initial lines to skip.
Details: When this parameter is set to a value greater than zero, the CSV input format skips the first n lines of each input file before parsing its header line, where n is the value specified for this parameter.
Example: -nSkipLines:5

comment
Values: any string
Default: not specified
Description: Skip lines beginning with this string.
Details: When this parameter is set to a non-empty string, the CSV input format skips all the input CSV lines that begin with this string.
Example: -comment:"MetaData:"

iCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the CSV file.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -iCodepage:1245

iTsFormat
Values: timestamp format
Default: yyyy-MM-dd hh:mm:ss
Description: Format of timestamp values in the input CSV data.
Details: This parameter specifies the date and/or time format used in the CSV data being parsed. Values of fields matching the specified format are returned as values of the TIMESTAMP data type. For more information on date and time formats, see Timestamp Format Specifiers.
Example: -iTsFormat:"MMM dd, yyyy"

iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new events that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
CSV Input Format Examples

Average Processor Usage per Minute
Parse a PerfMon CSV log file and calculate the average processor usage per minute:
LogParser "SELECT QUANTIZE([(PDH-CSV 4.0) (Pacific Daylight Time)(420)], 60) AS Minute, AVG([\\GAB1\Processor(_Total)\% Processor Time]) AS AVGProcessor FROM PerfMon_000001.csv GROUP BY Minute" -i:CSV -iTsFormat:"MM/dd/yyyy hh:mm:ss.ll"
ETW Input Format
The ETW input format parses Enterprise Tracing for Windows trace log files (.etl files) and live ETW trace sessions.
Enterprise Tracing for Windows (ETW) is a framework for implementing tracing providers that can be used for debugging and capacity planning. An ETW trace log or live session consists of a stream of "Events", each published by a "Provider". Windows event providers include the Kernel, IIS, COM+, and many other Windows components. Each event has its own set of named properties, or fields, containing the event data. The structure of each event is described by a WMI class derived from the "EventTrace" class and registered with the WMI repository during the setup of the provider component. The ETW input format queries the WMI repository for these classes in order to retrieve information about the structure of each event.
ETW trace log files and live sessions can be controlled through either the PerfMon utility, or through the tracelog.exe or logman.exe command-line tools.
ETW Input Format From-Entity Syntax
<from-entity> ::= <etl_file_name> [, <etl_file_name> ... ] |
                  <live_session_name>
The <from-entity> specified in queries using the ETW input format can assume one of the following values:
- A comma-separated list of paths to .etl ETW trace log files;
- The name of an ETW live tracing session.
Examples:
FROM MyTrace1.etl, MyTrace2.etl, MyTrace3.etl
FROM \\COMPUTER01\TraceFiles\MyTrace.etl, \\COMPUTER02\TraceFiles\MyTrace.etl
FROM MyLiveSession
ETW Input Format Fields
The structure of the input records generated by the ETW input format is determined at run time, depending on the ETW trace being parsed, and on the value specified for the fMode ("field mode") parameter, which can be set to "Compact", "FNames", "Full", or "Meta".

Compact Field Mode
When the "fMode" parameter is set to "Compact", the ETW input format generates an input record for each event in the trace being parsed. In this mode, input records contain four fields common to all the events, plus an additional "UserData" field containing the values of all the properties specific to the event being processed, concatenated into a single string value using the character specified for the compactModeSep parameter as a separator between the values. The following table shows the fields of the input records generated in the "Compact" field mode:
Name Type Description
EventNumber INTEGER Index of this event in the trace being parsed
EventName STRING Name of the event
EventTypeName STRING Name of the event type
Timestamp TIMESTAMP Date and time at which the event was traced
UserData STRING Event-specific property values
The following example shows some sample "UserData" field values generated in the "Compact" field mode:
UserData
----------------------------------------------------
DefaultAppPool|0|http://localhost:80/|GET
{00000000-0000-0000-1200-0060000000fc}|/
DefaultAppPool|0|http://localhost:80/default.htm|GET
The "Compact" field mode provides an easily readable way to display the events contained in an ETW trace, but queries operating in this mode cannot reference properties of a specific event.

FNames Field Mode
The "FNames" field mode operates similarly to the "Compact" field mode, but each property value in the "UserData" field is preceded by the name of the property for better readability.
The following example shows some sample "UserData" field values generated in the "FNames" field mode:
UserData
-----------------------------------------------------------------------------------------------
AppPoolId=DefaultAppPool|RawConnId=0|RequestURL=http://localhost:80/|RequestVerb=GET
ContextId={00000000-0000-0000-1200-0060000000fc}|RequestURL=/
AppPoolId=DefaultAppPool|RawConnId=0|RequestURL=http://localhost:80/default.htm|RequestVerb=GET

Full Field Mode
In "Full" field mode, the ETW input format generates an input record for each event in the trace being parsed. In this mode, input records contain a field for each property of each event generated by the providers in the trace being parsed.
When operating in "Full" field mode, the ETW input format works with a two-stage approach. During the first stage, the ETW input format examines the input trace to determine which providers have logged events in the trace being parsed. When the providers parameter is left unspecified, the ETW input format pre-processes a number of events equal to the value specified for the dtEventsLog or dtEventsLive parameters, depending on whether the trace being parsed is a trace log file or a live trace session. After parsing these initial events, the ETW input format assumes that the trace being parsed contains all the events that can be logged by the providers found among these initial events. On the other hand, when the "providers" parameter is set to either a comma-separated list of provider names or GUIDs or to the path to a text file containing a list of provider names or GUIDs, the ETW input format assumes that the trace being parsed contains all the events that can be logged by the specified providers.
Once the set of providers logging in the input trace has been identified, the ETW input format "constructs" the input record structure. The first 20 input record fields are common to all the events, and they are described in the following table:
Name Type Description
TraceName STRING Trace file or session name containing this event
EventNumber INTEGER Index of this event in the trace being parsed
Timestamp TIMESTAMP Date and time at which the event was traced
InstanceID INTEGER Instance ID field of this event
ParentInstanceID INTEGER Parent Instance ID field of this event
ParentGUID STRING Parent GUID field of this event
ProviderDescription STRING Name of the provider of this event
ProviderGUID STRING GUID of the provider of this event
EventName STRING Name of this event
EventDescription STRING Description of this event
EventVersion INTEGER Version of this event
EventGUID STRING GUID of this event
EventType INTEGER Type of this event
EventTypeName STRING Name of this event type
EventTypeDescription STRING Description of this event type
EventTypeLevel INTEGER Level of this event type
ThreadID INTEGER ID of the thread that logged this event
ProcessID INTEGER ID of the process that logged this event
KernelTime INTEGER Elapsed execution time for kernel mode instructions, in CPU ticks
UserTime INTEGER Elapsed execution time for user mode instructions, in CPU ticks
These 20 fields are then followed by the union of all the properties of all the events that can be logged by the providers identified during this stage.
During the second stage, the ETW input format parses the trace events from beginning to end, generating an input record for each event. For any given event, only the first 20 input record fields and the fields corresponding to the event properties are populated with a value; all the other input record fields corresponding to properties of other events are set to NULL values.
The following sample output shows selected fields from the input records generated when parsing the previous example in "Full" field mode:
AppPoolId      RawConnId ContextId                              RequestURL                      RequestVerb
-------------- --------- -------------------------------------- ------------------------------- -----------
DefaultAppPool 0         -                                      http://localhost:80/            GET
-              -         {00000000-0000-0000-1200-0060000000fc} /                               -
DefaultAppPool 0         -                                      http://localhost:80/default.htm GET
Queries operating in "Full" mode can refer to individual properties of events, but the input records generated contain too many fields for the results to be easily readable.
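When only "FNames" output has been saved, the per-property view that "Full" mode gives can be rebuilt afterwards by splitting each "UserData" value and taking the union of the property names, leaving absent properties as NULL. The following is an added example, not Log Parser code: the function names are hypothetical, the column order is first-seen rather than schema order, and the handling of a value that itself contains the separator is a heuristic, since the text above describes no escaping.

```python
# UserData values copied from the sample FNames-mode output on this page.
SAMPLE_USERDATA = [
    "ContextId={00000000-0000-0000-1200-0060000000fc}|SiteId=1|AppPoolId=DefaultAppPool"
    "|ConnId=-288230375077969904|RawConnId=0|RequestURL=http://localhost:80/|RequestVerb=GET",
    r"ContextId={00000000-0000-0000-1200-0060000000fc}"
    r"|FilterName=C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll",
    "ContextId={00000000-0000-0000-1200-0060000000fc}|RequestURL=/",
]


def parse_userdata(user_data, sep="|"):
    """Split one FNames-mode UserData value into an ordered {property: value} dict.

    sep must match the compactModeSep value used when the data was produced.
    """
    if not user_data:
        return {}
    props = {}
    last = None
    for piece in user_data.split(sep):
        name, eq, value = piece.partition("=")
        if eq and name.isidentifier():
            props[name] = value
            last = name
        elif last is not None:
            # Heuristic: a piece without a "name=" prefix belongs to the previous
            # value, which contained the separator character itself.
            props[last] += sep + piece
        else:
            raise ValueError(f"UserData does not start with name=value: {user_data!r}")
    return props


def to_full_records(userdata_values, sep="|"):
    """Return (columns, rows): the union of property names and one dict per event,
    with None standing in for the NULL of properties the event does not carry."""
    parsed = [parse_userdata(value, sep) for value in userdata_values]
    columns = []
    for props in parsed:
        for name in props:
            if name not in columns:
                columns.append(name)
    rows = [{column: props.get(column) for column in columns} for props in parsed]
    return columns, rows


def where(rows, **conditions):
    """Select rows whose properties equal the given values."""
    return [r for r in rows if all(r.get(k) == v for k, v in conditions.items())]


def group_by(rows, column):
    """Group rows on one property, for example ContextId to follow a single request."""
    groups = {}
    for row in rows:
        groups.setdefault(row.get(column), []).append(row)
    return groups


if __name__ == "__main__":
    columns, rows = to_full_records(SAMPLE_USERDATA)
    print(columns)
    for row in where(rows, RequestVerb="GET"):
        print(row["RequestURL"])
    for context_id, events in group_by(rows, "ContextId").items():
        print(context_id, len(events))
```

If property values in a trace can contain "|", choosing a different "compactModeSep" when producing the output avoids relying on the heuristic.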

Meta Field Mode
In "Meta" field mode, the ETW input format returns meta-information about events, generating an input record for each property of each event that can be logged by each provider in the trace(s) being parsed. Input records contain meta-data about the event properties, including information about the property type, information about the event containing the property, and information about the provider generating the event.
The "Meta" field mode employs a two-stage parsing schema similar to the "Full" field mode. During the first stage, the ETW input format pre-processes the input trace to determine the set of providers that generated events in the trace. In this mode, however, once the set of providers has been identified, the ETW input format does not process the trace, but rather returns the event meta-information populating the input record fields described in the following table:
Name Type Description
ProviderDescription STRING Description of the provider
ProviderClassName STRING WMI class name of the provider
ProviderGUID STRING GUID of the provider
EventName STRING Name of the event
EventDescription STRING Description of the event
EventVersion INTEGER Version of the event
EventClassName STRING WMI class name of the event
EventGUID STRING GUID of the Event
EventType INTEGER Type of the event
EventTypeName STRING Name of the event type
EventTypeDescription STRING Description of the event type
EventTypeClassName STRING WMI class name of the event type
EventTypeLevel INTEGER Level of the event type
FieldName STRING Name of this event field
FieldDescription STRING Description of this event field
FieldIndex INTEGER Index of this field among the event's fields
FieldType STRING WMI type of this field
ETW Input Format Parameters
The ETW input format supports the following parameters:

fMode
Values: Full|Compact|FNames|Meta
Default: FNames
Description: Operation mode.
Details: This parameter specifies how the ETW input format should return the information contained in the trace(s) being parsed. For more information on the different field modes, see ETW Input Format Fields.
Example: -fMode:Full

providers
Values: filename or comma-separated list of provider names or GUIDs
Default: not specified
Description: List of providers for the "Full" or "Meta" field modes.
Details: This parameter specifies the set of providers logging to the input trace(s), so that the "Full" or "Meta" field modes can detect early which providers to process. The value of this parameter can either be the path to a text file containing the providers' GUIDs (in the same format accepted by the "pf" argument of the logman.exe tool), or a comma-separated list of provider names or GUIDs. If this parameter is not specified when the ETW input format operates in "Full" or "Meta" field mode, then the set of providers will be detected by pre-processing the first n events, where n is the value specified for the "dtEventsLog" or "dtEventsLive" parameters. For more information about the different field modes, see ETW Input Format Fields.
Examples: -providers:MyProviders.guid
          -providers:"IIS: WWW Server,IIS: Active Server Pages (ASP)"

dtEventsLog
Values: number of events (number)
Default: 3000
Description: Number of trace log file events examined to detect the set of providers in "Full" or "Meta" field modes.
Details: This parameter specifies the number of initial events that the ETW input format examines to detect the set of providers logging in an input trace log file when operating in the "Full" or "Meta" field modes. The value of this parameter is only used when the "providers" parameter is left unspecified. For more information about the different field modes, see ETW Input Format Fields.
Example: -dtEventsLog:100

dtEventsLive
Values: number of events (number)
Default: 20
Description: Number of live trace session events examined to detect the set of providers in "Full" or "Meta" field modes.
Details: This parameter specifies the number of initial events that the ETW input format examines to detect the set of providers logging in an input live trace session when operating in the "Full" or "Meta" field modes. The value of this parameter is only used when the "providers" parameter is left unspecified. For more information about the different field modes, see ETW Input Format Fields.
Example: -dtEventsLive:100

flushPeriod
Values: milliseconds
Default: 500
Description: Number of milliseconds between live trace session flushes.
Details: When processing a live trace session, the internal buffering mechanisms of the ETW infrastructure might cause events to appear with a noticeable delay. This parameter specifies how often the ETW input format should force a buffer flush to retrieve real-time events.
Example: -flushPeriod:2000

ignoreEventTrace
Values: ON|OFF
Default: ON
Description: Ignore EventTrace events.
Details: The very first event in any trace session is the "EventTrace" event, which contains meta-data about the trace session. This parameter specifies whether or not this event should be processed and returned by the ETW input format.
Example: -ignoreEventTrace:OFF

compactModeSep
Values: any string
Default: |
Description: Separator between the values of the "UserData" field in the "Compact" or "FNames" field modes.
Details: When operating in the "Compact" or "FNames" field modes, the "UserData" field contains all the properties of the event being processed concatenated one after the other, using the value of this parameter as a separator between the elements.
Example: -compactModeSep:,

expandEnums
Values: ON|OFF
Default: ON
Description: Expand enumeration event properties.
Details: Many ETW events contain numeric properties whose values describe enumerations. This parameter specifies whether or not the numeric values of properties of this type should be expanded to return the text representation of the enumeration values.
Example: -expandEnums:OFF

ignoreLostEvents
Values: ON|OFF
Default: ON
Description: Ignore lost events.
Details: ETW traces contain information about events that might have been lost during the tracing session. If this parameter is set to "OFF" and the input trace indicates the presence of lost events, the ETW input format generates a warning when the trace has been completely processed showing the number of events that have been lost.
Example: -ignoreLostEvents:OFF

schemaServer
Values: computer name
Default: not specified
Description: Name of computer with event schema information.
Details: This parameter specifies the name of the computer whose WMI repository contains the schema information for the events being parsed. When this parameter is not specified, the ETW input format connects to the computer specified in the from-entity if parsing a trace file from a remote computer, or to the local computer if parsing a local trace file or live tracing session.
Example: -schemaServer:MYCOMPUTER02
ETW Input Format Examples

Parsing an IIS 6.0 ETW Trace Log File
This example shows how to start a trace session containing events from the IIS 6.0 providers, how to stop the session, and how to parse the resulting trace log file. The example commands shown here apply to Windows Server 2003.
1. List the GUIDs of the providers registered with the system using the following command from a command-line window:
C:\>logman query providers
The output of this command will look like the following sample:
Provider                                 GUID
-------------------------------------------------------------------------------
IIS: WWW Global                          {d55d3bc9-cba9-44df-827e-132d3a4596c2}
ACPI Driver Trace Provider               {dab01d4d-2d48-477d-b1c3-daad0ce6f06b}
Active Directory: Kerberos               {bba3add2-c229-4cdb-ae2b-57eb6966b0c4}
IIS: SSL Filter                          {1fbecc45-c060-4e7c-8a0e-0dbd6116181b}
IIS: Request Monitor                     {3b7b0b4b-4b01-44b4-a95e-3c755719aebf}
IIS: WWW Server                          {3a2a4e84-4c21-4981-ae10-3fda0d9b0f83}
IIS: Active Server Pages (ASP)           {06b94d9a-b15e-456e-a4ef-37c984a2cb4b}
Local Security Authority (LSA)           {cc85922f-db41-11d2-9244-006008269001}
IIS: IISADMIN Global                     {DC1271C2-A0AF-400f-850C-4E42FE16BE1C}
Windows Kernel Trace                     {9e814aad-3204-11d2-9a82-006008a86939}
ASP.NET Events                           {AFF081FE-0247-4275-9C4E-021F3DC1DA35}
NTLM Security Protocol                   {C92CF544-91B3-4dc0-8E11-C580339A0BF8}
IIS: WWW Isapi Extension                 {a1c2040e-8840-4c31-ba11-9871031a19ea}
Active Directory: SAM                    {8e598056-8993-11d2-819e-0000f875a064}
HTTP Service Trace                       {dd5ef90a-6398-47a4-ad34-4dcecdef795f}
Active Directory: NetLogon               {f33959b4-dbec-11d2-895b-00c04f79ab69}
Spooler Trace Control                    {94a984ef-f525-4bf1-be3c-ef374056a592}

The command completed successfully.
2. Identify the providers needed for the trace session; in this example, the trace session will be enabled for the "IIS: WWW Server" and "IIS: Active Server Pages (ASP)" providers.
3. Create a text file containing the GUID of each selected provider on a line, followed by the tracing flags and tracing level values for the provider. For more information on the available flags and levels for a provider, consult the component documentation. The following example shows a text file named "MyProviders.guid" containing the "IIS: WWW Server" and "IIS: Active Server Pages (ASP)" providers:
{3a2a4e84-4c21-4981-ae10-3fda0d9b0f83} 0xfffffffe 5
{06b94d9a-b15e-456e-a4ef-37c984a2cb4b} 0xffffffff 5
4. Start the tracing session using the providers text file as the argument of the "-pf" logman command-line parameter:
C:\>logman start ExampleTrace -pf MyProviders.guid -ets
5. The tracing session has now started, and the selected providers will be logging events for each request to the IIS Web Server.
6. When desired, the tracing session can be stopped with the following command:
C:\>logman stop ExampleTrace -ets
7. After the tracing session has been stopped, the ETW trace log file named "ExampleTrace.etl" is available for use. The following Log Parser command parses the ETW trace log file and displays the logged events:
C:\>LogParser "SELECT * FROM ExampleTrace.etl" -i:ETW
The output of this command will look like the following sample:
EventNumber EventName  EventTypeName                Timestamp                      UserData
----------- ---------- ---------------------------- ------------------------------ --------
2           IISGeneral GENERAL_REQUEST_START        2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|SiteId=1|AppPoolId=DefaultAppPool|ConnId=-288230375077969904|RawConnId=0|RequestURL=http://localhost:80/|RequestVerb=GET
3           IISFilter  FILTER_START                 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|FilterName=C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
4           IISFilter  FILTER_PREPROC_HEADERS_START 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
5           IISFilter  FILTER_PREPROC_HEADERS_END   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
6           IISFilter  FILTER_END                   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
7           IISFilter  FILTER_START                 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|FilterName=C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\fpexedll.dll
8           IISFilter  FILTER_PREPROC_HEADERS_START 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
9           IISFilter  FILTER_PREPROC_HEADERS_END   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
10          IISFilter  FILTER_END                   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
11          IISCache   URL_CACHE_ACCESS_START       2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|RequestURL=/

Parsing a live IIS 6.0 ETW Trace Session
This example shows how to start a live trace session containing events from the IIS 6.0 providers, how to start a Log Parser command that shows the events in real-time, and how to stop the session. The example commands shown here apply to Windows Server 2003.
1. Execute steps 1-3 from the example above.
4. Start the tracing session using the providers text file as the argument of the "-pf" logman command-line parameter, specifying also the "-rt" flag to enable a real-time tracing session:
C:\>logman start ExampleTrace -pf MyProviders.guid -ets -rt
5. The tracing session has now started, and the selected providers will be logging events for each request to the IIS Web Server.
6. From a separate command-line shell window, execute the following Log Parser command to parse the live tracing session in real-time:
C:\>LogParser "SELECT * FROM ExampleTrace" -i:ETW
This Log Parser command will output the trace events indefinitely, until the command is manually aborted, or until the tracing session is stopped.
7. When desired, the tracing session can be stopped with the following command:
C:\>logman stop ExampleTrace -ets
EVT Input Format
The EVT input format returns events from the Windows Event Log and from Event Log backup files (.evt files).
This input format reads event information from the Windows Event Log, including local and remote System, Application, Security, and custom event logs, as well as from Event Log backup files.
EVT Input Format From-Entity Syntax
<from-entity> ::= <event_log> [, <event_log> ... ]
<event_log> ::= [\\<computer_name>\]<event_log_name> | <event_log_backup_filename>
The <from-entity> specified in queries using the EVT input format is a comma-separated list of:
- Names of Event Logs ("System", "Application", "Security", or a custom event log), optionally preceded by the name of a remote computer in the UNC notation;
- Paths of Event Log backup files (.evt files), optionally including wildcards.
Names of custom event logs that include space characters must be specified within single-quote characters.
Examples:
FROM System, Application, \\SERVER2\System, \\SERVER2\Application
FROM System, Application, 'My Custom Event Log'
FROM D:\MyEVTLogs\*.evt, \\SERVER2\D$\MyEVTLogs\*.evt
FROM System, D:\MyEVTLogs\System.evt
EVT Input Format Fields
The input records generated by the EVT input format contain the following fields:
Name Type Description
EventLog STRING Name of the Event Log or Event Log backup file containing this event
RecordNumber INTEGER Index of this event in the Event Log or Event Log backup file containing this event
TimeGenerated TIMESTAMP The date and time at which the event was generated (local time)
TimeWritten TIMESTAMP The date and time at which the event was logged (local time)
EventID INTEGER The ID of the event
EventType INTEGER The numeric type of the event
EventTypeName STRING The descriptive type of the event
EventCategory INTEGER The numeric category of the event
EventCategoryName STRING The descriptive category of the event
SourceName STRING The source that generated the event
Strings STRING The textual data associated with the event
ComputerName STRING The name of the computer on which the event was generated
SID STRING The Security Identifier associated with the event
Message STRING The full event message
Data STRING The binary data associated with the event
EVT Input Format Parameters
The EVT input format supports the following parameters:

fullText
Values: ON|OFF
Default: ON
Description: Retrieve the full text message.
Details: This parameter enables/disables the retrieval of Event Log text messages.
Example: -fullText:OFF

resolveSIDs
Values: ON|OFF
Default: OFF
Description: Resolve SID values into full account names.
Details: When set to "ON", this parameter causes the EVT input format to perform an account name lookup for each SID value in the events being parsed, and return the account name instead of the SID alphanumerical value.
Example: -resolveSIDs:ON

formatMsg
Values: ON|OFF
Default: ON
Description: Format the text message as a single line.
Details: Event text messages often span multiple lines. When this parameter is set to "ON", the EVT input format preserves readability of the messages by removing carriage-return, line-feed, and multiple space characters from the message text. When this parameter is set to "OFF", the EVT input format returns the original message text with no intervening post-processing.
Example: -formatMsg:OFF

msgErrorMode
Values: NULL|ERROR|MSG
Default: MSG
Description: Behavior when event messages or event category names cannot be resolved.
Details: The text of an event log message and the textual name of its category are stored in binary files installed with the application that generates the event log. In some cases, uninstalling the application or reconfiguring the application might cause the loss of the necessary binary files, thus making it impossible to retrieve the text data for those events that had been logged prior to the reconfiguration. This parameter specifies the desired behavior for the EVT input format when an event log message text or its category name cannot be retrieved. When this parameter is set to "NULL", the "Message" or "EventCategoryName" field value is returned as a NULL value. When set to "ERROR", a parse error is returned. When set to "MSG", a message is returned for the field, specifying that the text of the message or the category name could not be found.
Example: -msgErrorMode:NULL

fullEventCode
Values: ON|OFF
Default: OFF
Description: Return the full event ID code instead of the friendly code.
Details: When this parameter is set to "ON", the EVT input format returns the full 32-bit value of the event ID code. When set to "OFF", the EVT input format returns the lower 16-bit value of the code (as displayed by the Event Viewer).
Example: -fullEventCode:ON

direction
Values: FW|BW
Default: FW
Description: Chronological direction in which events are retrieved.
Details: When set to "FW", events are retrieved from the oldest to the newest. When set to "BW", events are retrieved from the newest to the oldest. This parameter is especially useful with queries that use the TOP keyword to retrieve the last n logged events.
Example: -direction:BW

stringsSep
Values: any string
Default: |
Description: Separator between values of the "Strings" field.
Details: The "Strings" field contains an array of text data associated with the event. The value of this field is built by concatenating the array elements one after the other, using the value of this parameter as a separator between the elements.
Example: -stringsSep:,

iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new events that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc

binaryFormat
Values: ASC|PRINT|HEX
Default: HEX
Description: Format of the "Data" binary field.
Details: The "Data" field contains binary data that is often not suitable to be textually represented. When this parameter is set to "ASC", data bytes belonging to the 0x20-0x7F range are returned as ASCII characters, while data bytes outside the range are returned as period (.) characters, as shown in the following example:
Bucket: 02096553..rundll32.exe
When this parameter is set to "PRINT", data bytes representing printable ASCII characters are returned as ASCII characters, while data bytes that do not represent printable ASCII characters are returned as period (.) characters, as shown in the following example:
Bucket: 02096553
rundll32.exe
When this parameter is set to "HEX", all data bytes are returned as two-digit hexadecimal values, as shown in the following example:
4275636B65743A2030323039363535330D0A72756E646C6C33322E657865
Example: -binaryFormat:PRINT
EVT Input Format Examples

Logons
Create an XML report file containing logon account names and dates from the Security Event Log:
LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO Report.xml FROM Security WHERE EventID NOT IN (541;542;543) AND EventType = 8 AND EventCategory = 2"

Event Distribution
Retrieve the distribution of EventID values for each Event Source:
LogParser "SELECT SourceName, EventID, MUL(PROPCOUNT(*) ON (SourceName), 100.0) AS Percent FROM System GROUP BY SourceName, EventID ORDER BY SourceName, Percent DESC"

Event Message Report
Create TSV files containing Event Messages for each Source in the Application Event Log:
LogParser "SELECT SourceName, Message INTO myFile_*.tsv FROM \\MYSERVER1\Application, \\MYSERVER2\Application"
©2004MicrosoftCorporation.Allrightsreserved.
FS Input Format
The FS input format returns information on files and directories.
The FS input format enumerates the files and directories matching the search path(s) specified in the from-entity, much like the Windows shell "dir" command, returning an input record for each file and directory in the enumeration.
See also: REG Input Format
FS Input Format From-Entity Syntax
<from-entity> ::= <path> [, <path> ... ]
The <from-entity> specified in queries using the FS input format is a comma-separated list of paths, optionally containing wildcards.
Examples:
FROM C:\Windows\*.dll, \\MYSERVER\C$\Windows\*.dll
FROM *.*
FROM C:\*.*, D:\*.*
FROM C:\Windows\Explorer.exe
FS Input Format Fields
The input records generated by the FS input format contain the following fields:
Name Type Description
Path STRING Full path of the file or directory
Name STRING Name of the file or directory
Size INTEGER Size of the file, in bytes
Attributes STRING Attributes of the file or directory
CreationTime TIMESTAMP Date and time at which the file or directory has been created (local or UTC time, depending on the value of the useLocalTime parameter)
LastAccessTime TIMESTAMP Date and time at which the file or directory has been last accessed (local or UTC time, depending on the value of the useLocalTime parameter)
LastWriteTime TIMESTAMP Date and time at which the file or directory has been last modified (local or UTC time, depending on the value of the useLocalTime parameter)
FileVersion STRING Version of the file
ProductVersion STRING Version of the product the file is distributed with
InternalName STRING Internal name of the file
ProductName STRING Name of the product the file is distributed with
CompanyName STRING Name of the vendor company that produced the file
LegalCopyright STRING Copyright notices that apply to the file
LegalTrademarks STRING Trademarks and registered trademarks that apply to the file
PrivateBuild STRING Private version information of the file
SpecialBuild STRING Special file build notes
Comments STRING Comments associated with the file
FileDescription STRING Description of the file
OriginalFilename STRING Original name of the file
FS Input Format Parameters
The FS input format supports the following parameters:
recurse
Values: recursion level (number)
Default: -1
Description: Max subdirectory recursion level.
Details: 0 disables subdirectory recursion; -1 enables unlimited recursion.
Example: -recurse:2
preserveLastAccTime
Values: ON|OFF
Default: OFF
Description: Preserve the last access time of visited files.
Details: Enumerating files and directories causes their last access time to be updated. Setting this parameter to "ON" causes the FS input format to restore the last access time of the files being visited.
Example: -preserveLastAccTime:ON
useLocalTime
Values: ON|OFF
Default: ON
Description: Use local time for timestamp fields.
Details: When set to "ON", the values of the "CreationTime", "LastAccessTime", and "LastWriteTime" fields are expressed in local time. When set to "OFF", the values of these fields are expressed in Universal Time Coordinates (UTC) time.
Example: -useLocalTime:OFF
FS Input Format Examples
Ten Largest Files
Print the 10 largest files on the C: drive:
LogParser "SELECT TOP 10 Path, Name, Size FROM C:\*.* ORDER BY Size DESC" -i:FS
MD5 Hashes of System Files
Return the MD5 hash of system executable files:
LogParser "SELECT Path, HASHMD5_FILE(Path) FROM C:\Windows\System32\*.exe" -i:FS -recurse:0
Identical Files
Find out if there are identical copies of the same file on the C: drive:
LogParser "SELECT HASHMD5_FILE(Path) AS Hash, COUNT(*) AS NumberOfCopies FROM C:\*.* GROUP BY Hash HAVING NumberOfCopies > 1" -i:FS
HTTPERR Input Format
The HTTPERR input format parses HTTP Error log files created by the Http.sys driver.
HTTP Error log files are server-wide text log files containing log entries for Http.sys-initiated error responses to malformed client requests or to valid requests that are aborted due to abnormal circumstances.
Depending on the version of Http.sys, HTTP Error log files can be logged in two different formats. Earlier versions of Http.sys log HTTP Error log entries as raw lines consisting of space-separated values. The following example shows a portion of an HTTP Error log file generated by earlier versions of Http.sys:
2002-06-27 19:11:28 172.30.92.88 3405 172.30.162.213 80 HTTP/1.0 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 400 - URL
2002-06-27 19:11:28 172.30.92.88 3407 172.30.162.213 80 HTTP/1.0 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 400 - URL
2002-06-27 19:11:28 172.30.92.88 3412 172.30.162.213 80 HTTP/1.0 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir 400 - URL
Later versions of Http.sys log HTTP Error log files in the W3C Extended log file format. Log files in this format begin with some informative headers ("directives"), the most important of which is the "#Fields" directive, describing which fields are logged at which position in a log row. After the directives, the log entries follow. Each log entry is a space-separated list of field values. The following example shows a portion of an HTTP Error log file generated by later versions of Http.sys:
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2003-08-08 03:12:41
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2003-08-08 03:12:41 10.193.50.9 3544 10.193.50.9 80 HTTP/1.1 GET /ISAPI_OOP/ISAPIExtTest.dll?Action=Crash&Action=Print&Data=Req17769_0 - 1 Connection_Abandoned_By_AppPool DefaultAppPool
2003-08-08 03:12:41 10.193.50.9 3545 10.193.50.9 80 HTTP/1.1 GET /ISAPI_OOP/ISAPIExtTest.dll?Action=Crash&Action=Print&Data=Req17769_1 - 1 Connection_Abandoned_By_AppPool DefaultAppPool
2003-08-08 03:12:43 10.193.50.9 3546 10.193.50.9 80 HTTP/1.1 GET /ISAPI_OOP/ISAPIExtTest.dll?Action=Crash&Action=Print&Data=Req17769_2 - 1 Connection_Abandoned_By_AppPool DefaultAppPool
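As an added example (not part of the Log Parser documentation), the Python sketch below splits the earlier-format sample rows into the HTTPERR fields and flags the URI-encoding tricks visible in them, the kind of triage a defender would run over these logs. The column order is assumed to match the "#Fields" directive of the later-format sample minus s-queuename; the fourth sample row, the flag names and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed column order for the earlier (raw) Http.sys format: the "#Fields"
# list from the later-format sample, without s-queuename.
FIELDS = ["date", "time", "c-ip", "c-port", "s-ip", "s-port", "cs-version",
          "cs-method", "cs-uri", "sc-status", "s-siteid", "s-reason"]

# Rows 1-3 are the page's earlier-format sample with whitespace restored;
# row 4 is a constructed benign request for contrast.
SAMPLE = """\
2002-06-27 19:11:28 172.30.92.88 3405 172.30.162.213 80 HTTP/1.0 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 400 - URL
2002-06-27 19:11:28 172.30.92.88 3407 172.30.162.213 80 HTTP/1.0 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 400 - URL
2002-06-27 19:11:28 172.30.92.88 3412 172.30.162.213 80 HTTP/1.0 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir 400 - URL
2002-06-27 19:12:02 172.30.92.90 3500 172.30.162.213 80 HTTP/1.0 GET /images/logo%20small.gif 400 - URL
"""

# A ".." path segment delimited by "/" or "\" (or the ends of the string).
DOT_DOT = re.compile(rb"(?:^|[/\\])\.\.(?:[/\\]|$)")


def parse_line(line):
    """Map one raw HTTPERR row to a field dict; None if the shape is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def decode_layers(uri, max_rounds=5):
    """Percent-decode until stable; return (bytes, number of rounds needed)."""
    data, rounds = uri.encode("utf-8"), 0
    while rounds < max_rounds:
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds


def flag_uri(uri):
    """Return the set of suspicious traits found in a logged cs-uri value."""
    decoded, rounds = decode_layers(uri)
    flags = set()
    if rounds > 1:                      # e.g. %255c or %%35%63 -> %5c -> "\"
        flags.add("multi-encoded")
    if DOT_DOT.search(decoded):         # parent-directory segment after decoding
        flags.add("dot-dot-segment")
    if b"\xc0" in decoded or b"\xc1" in decoded:
        flags.add("illegal-utf8-byte")  # 0xC0/0xC1 never occur in valid UTF-8
    return flags


def triage(text):
    """Return (c-port, sc-status, flags) for every well-formed row."""
    rows = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            rows.append((rec["c-port"], rec["sc-status"], flag_uri(rec["cs-uri"])))
    return rows


if __name__ == "__main__":
    for port, status, flags in triage(SAMPLE):
        print(port, status, sorted(flags) or "clean")
```

The second row is caught only by the illegal-byte check, because the raw 0xC1 byte hides the separator from the path-segment test; running both checks covers both encodings.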
HTTPERR Input Format From-Entity Syntax
<from-entity> ::= HTTPERR | <filename> [, <filename> ... ]
The <from-entity> specified in queries using the HTTPERR input format is either the "HTTPERR" keyword or a comma-separated list of paths of HTTP Error log files. When the "HTTPERR" keyword is used, the HTTPERR input format reads the HTTP Error log configuration from the registry and parses all the HTTP Error log files currently available in the HTTP Error log file directory.
Filenames can include wildcards (e.g. "LogFiles\HTTPERR\httperr*.log").
Examples:
FROM LogFiles\HTTPERR\httperr1.log, LogFiles\HTTPERR\httperr2.log
FROM \\MYMACHINE\LogFiles\HTTPERR\httperr*.log
FROM HTTPERR
HTTPERR Input Format Fields
The input records generated by the HTTPERR input format contain the following fields:
Name Type Description
LogFilename STRING Full path of the log file containing this entry
LogRow INTEGER Line in the log file containing this entry
date TIMESTAMP The date on which the request was served (Universal Time Coordinates (UTC) time)
time TIMESTAMP The time at which the request was served (Universal Time Coordinates (UTC) time)
s-computername STRING The name of the server that served the request (this field is logged by later versions of Http.sys only)
c-ip STRING The IP address of the client that made the request
c-port INTEGER The client port number that sent the request
s-ip STRING The IP address of the server that served the request
s-port INTEGER The server port number that received the request
cs-version STRING The HTTP version of the client request
cs-method STRING The HTTP request verb
cs-uri STRING The HTTP request uri
cs(User-Agent) STRING The client request User-Agent header (this field is logged by later versions of Http.sys only)
cs(Cookie) STRING The client request Cookie header (this field is logged by later versions of Http.sys only)
cs(Referer) STRING The client request Referer header (this field is logged by later versions of Http.sys only)
cs-host STRING The client request Host header (this field is logged by later versions of Http.sys only)
sc-status INTEGER The response HTTP status code
sc-bytes INTEGER The number of bytes in the response sent by the server (this field is logged by later versions of Http.sys only)
cs-bytes INTEGER The number of bytes in the request sent by the client (this field is logged by later versions of Http.sys only)
time-taken INTEGER The number of milliseconds elapsed since the moment the server received the request to the moment the server sent the response to the client (this field is logged by later versions of Http.sys only)
s-siteid INTEGER The IIS site instance number that served the request
s-reason STRING Information about why the error occurred
s-queuename STRING The name of the application pool hosting the IIS worker process that processed the request (this field is logged by later versions of Http.sys only)
HTTPERR Input Format Parameters
The HTTPERR input format supports the following parameters:
iCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the log file.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -iCodepage:1245
minDateMod
Values: date/time (in "yyyy-MM-dd hh:mm:ss" format)
Default: not specified
Description: Minimum file last modified date, in local time coordinates.
Details: When this parameter is specified, the HTTPERR input format processes only log files that have been modified after the specified date.
Example: -minDateMod:"2004-05-28 22:05:10"
dirTime
Values: ON|OFF
Default: OFF
Description: Use the value of the "#Date" directive for the "date" and/or "time" field values when these fields are not logged.
Details: When a log file is configured to not log the "date" and/or "time" fields, specifying "ON" for this parameter causes the HTTPERR input format to generate "date" and "time" values using the value of the last seen "#Date" directive.
Example: -dirTime:ON
iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new log entries that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
HTTPERR Input Format Examples
Errors Distribution Chart
Create a pie chart containing the distribution of errors in the HTTP Error logs:
LogParser "SELECT sc-status, PROPCOUNT(*) AS Percentage INTO Pie.gif FROM HTTPERR GROUP BY sc-status ORDER BY Percentage DESC" -chartType:PieExploded -chartTitle:"Errors Distribution" -categories:off
IIS Input Format
The IIS input format parses IIS log files in the Microsoft IIS Log File Format.
The Microsoft IIS Log File Format is a text-based, fixed-field format. Log entries are logged on a single line, consisting of a comma-separated list of field values.
The following example shows a portion of a Microsoft IIS Log File Format log file:
192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SERVER, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -,
192.168.110.54, -, 03/20/01, 7:57:20, W3SVC2, SERVER, 172.21.13.45, 411, 221, 1967, 200, 0, GET, /style.css, -,
See also: IIS Output Format
IIS Input Format From-Entity Syntax
<from-entity> ::= <filename> | <SiteID> [, <filename> | <SiteID> ... ]
<SiteID> ::= <site_number> | <server_comment> | <site_metabase_path>
The <from-entity> specified in queries using the IIS input format is a comma-separated list of:
Paths of Microsoft IIS Log File Format log files;
IIS Virtual Site "identifiers".
"Site identifiers" must be enclosed within angle brackets (< and >), and can have one of the following values:
The numeric site ID (e.g. "<1>", "<28163489>");
The text value of the "ServerComment" property of the site (e.g. "<MyExternalSite>", "<www.margiestravel.com>");
The fully-qualified ADSI metabase path to the site (e.g. "<//MYSERVER/W3SVC/1>"), using either the numeric site ID or the text value of the "ServerComment" property of the site.
When a "site identifier" is used, the IIS input format connects to the specified machine's metabase, gathers information on the site's current logging properties, and parses all the log files in the site's current log file directory.
Filenames and "Site identifiers" can also include wildcards (e.g. "LogFiles\in04*.log", "<www.*.com>").
Examples:
FROM LogFiles\in04*log, LogFiles\in03*.log, \\MyServer\LoggingShare\W3SVC2\in04*.log
FROM <1>, <2>, <MyExternalSite>, inetsv9.log
FROM <www.net*home.com>, <//MyServer2/W3SVC/www.net*home.com>, <//MyServer2/MSFTPSVC/*>, <*>
IIS Input Format Fields
The input records generated by the IIS input format contain the following fields:
Name Type Description
LogFilename STRING Full path of the log file containing this entry
LogRow INTEGER Line in the log file containing this entry
UserIP STRING The IP address of the client that made the request
UserName STRING The name of the authenticated user that made the request, or NULL if the request was from an anonymous user
Date TIMESTAMP The date on which the request was served (local time)
Time TIMESTAMP The time at which the request was served (local time)
ServiceInstance STRING The IIS service name and site instance number that served the request
HostName STRING The name of the server that served the request
ServerIP STRING The IP address of the server that served the request
TimeTaken INTEGER The number of milliseconds elapsed since the moment the server received the request to the moment the server sent the last response chunk to the client
BytesSent INTEGER The number of bytes in the request sent by the client
BytesReceived INTEGER The number of bytes in the response sent by the server
StatusCode INTEGER The response HTTP or FTP status code
Win32StatusCode INTEGER The Windows status code associated with the response HTTP or FTP status code
RequestType STRING The HTTP request verb or FTP operation
Target STRING The HTTP request uri-stem or FTP operation target
Parameters STRING The HTTP request uri-query, or NULL if the requested URI did not include a uri-query
IIS Input Format Parameters
The IIS input format supports the following parameters:
iCodepage
Values: codepage ID (number)
Default: -2
Description: Codepage of the log file.
Details: 0 is the system codepage; -2 specifies that the codepage is automatically determined by inspecting the filename and/or the site's "LogInUTF8" property.
Example: -iCodepage:1245
recurse
Values: recursion level (number)
Default: 0
Description: Max subdirectory recursion level.
Details: 0 disables subdirectory recursion; -1 enables unlimited recursion.
Example: -recurse:-1
minDateMod
Values: date/time (in "yyyy-MM-dd hh:mm:ss" format)
Default: not specified
Description: Minimum file last modified date, in local time coordinates.
Details: When this parameter is specified, the IIS input format processes only log files that have been modified after the specified date.
Example: -minDateMod:"2004-05-28 22:05:10"
locale
Values: 3-character locale ID
Default: DEF
Description: ID of the locale in which the log file was generated.
Details: IIS versions earlier than 6.0 log the "Date" and "Time" fields using the current system locale date and time formats. IIS 6.0 and later versions use the ENU locale instead, regardless of the system locale settings. For these reasons, when parsing Microsoft IIS Log File Format log files on a locale whose date and time formats do not match the formats of the locale of the computer where the log file has been created, users need to specify the ID of the system locale of the computer that created the log file. The special "DEF" value means the current system locale.
Example: -locale:JPN
iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new log entries that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
IIS Input Format Examples
Top 20 URL's for a Site
Create a chart containing the TOP 20 URL's in the "www.margiestravel.com" web site (assumed to be logging in the IIS log format):
LogParser "SELECT TOP 20 Target, COUNT(*) AS Hits INTO MyChart.gif FROM <www.margiestravel.com> GROUP BY Target ORDER BY Hits DESC" -chartType:Column3D -groupSize:1024x768
Export Errors to SYSLOG
Send error entries in the IIS log to a SYSLOG server:
LogParser "SELECT TO_TIMESTAMP(Date, Time), CASE StatusCode WHEN 500 THEN 'emerg' ELSE 'err' END AS MySeverity, HostName AS MyHostname, Target INTO @myserver FROM <1> WHERE StatusCode >= 400" -o:SYSLOG -severity:$MySeverity -hostName:$MyHostname
Bytes by Extension Chart
Create a pie chart with the total number of bytes generated by each extension:
LogParser "SELECT EXTRACT_EXTENSION(Target) AS Extension, MUL(PROPSUM(BytesReceived), 100.0) AS Bytes INTO Pie.gif FROM <1> GROUP BY Extension ORDER BY Bytes DESC" -chartType:PieExploded -chartTitle:"Bytes per extension" -categories:off
IISODBC Input Format
The IISODBC input format returns database records from the tables logged to by IIS when configured to log in the ODBC Log Format.
IISODBC Input Format From-Entity Syntax
<from-entity> ::= <SiteID> [, <SiteID> ... ] | table:<tablename>;username:<username>;password:<password>;dsn:<dsn>
<SiteID> ::= <site_number> | <server_comment> | <site_metabase_path>
The <from-entity> specified in queries using the IISODBC input format is either a comma-separated list of IIS Virtual Site "identifiers", or a single specification of the ODBC parameters needed to access the table.
"Site identifiers" must be enclosed within angle brackets (< and >), and can have one of the following values:
The numeric site ID (e.g. "<1>", "<28163489>");
The text value of the "ServerComment" property of the site (e.g. "<MyExternalSite>", "<www.margiestravel.com>");
The fully-qualified ADSI metabase path to the site (e.g. "<//MYSERVER/W3SVC/1>"), using either the numeric site ID or the text value of the "ServerComment" property of the site.
When a "site identifier" is used, the IISODBC input format connects to the specified machine's metabase, gathers information on the site's current ODBC logging properties, and uses this information to connect to the database table.
"Site identifiers" can also include wildcards (e.g. "<www.*.com>").
Examples:
FROM <1>, <2>, <MyExternalSite>
FROM table:MYLOGTABLE;username:IISLOGUSER;password:IISLOGUSERPW;dsn:IISLOGDSN
IISODBC Input Format Fields
The input records generated by the IISODBC input format contain the following fields:
Name Type Description
ClientHost STRING The IP address of the client that made the request
Username STRING The name of the authenticated user that made the request, or NULL if the request was from an anonymous user
LogTime TIMESTAMP The date and time at which the request was served (local time)
Service INTEGER The IIS service name and site instance number that served the request
Machine STRING The name of the server that served the request
ServerIP STRING The IP address of the server that served the request
ProcessingTime INTEGER The number of milliseconds elapsed since the moment the server received the request to the moment the server sent the last response chunk to the client
BytesRecvd INTEGER The number of bytes in the request sent by the client
BytesSent INTEGER The number of bytes in the response sent by the server
ServiceStatus INTEGER The response HTTP or FTP status code
Win32Status INTEGER The Windows status code associated with the response HTTP or FTP status code
Operation STRING The HTTP request verb or FTP operation
Target STRING The HTTP request uri-stem or FTP operation target
Parameters STRING The HTTP request uri-query, or NULL if the requested URI did not include a uri-query
IISODBC Input Format Examples
Top 20 URL's for a Site
Create a chart containing the TOP 20 URL's in the "www.margiestravel.com" web site (assumed to be logging in the ODBC log format):
LogParser "SELECT TOP 20 Target, COUNT(*) AS Hits INTO MyChart.gif FROM <www.margiestravel.com> GROUP BY Target ORDER BY Hits DESC" -chartType:Column3D -groupSize:1024x768
IISW3C Input Format
The IISW3C input format parses IIS log files in the W3C Extended Log File Format.
IIS web sites logging in the W3C Extended format can be configured to log only a specific subset of the available fields. Log files in this format begin with some informative headers ("directives"), the most important of which is the "#Fields" directive, describing which fields are logged at which position in a log row. After the directives, the log entries follow. Each log entry is a space-separated list of field values.
If the logging configuration of an IIS virtual site is updated, the structure of the fields in the file that is currently logged to might change according to the new configuration. In this case, a new "#Fields" directive is logged describing the new fields structure, and the IISW3C input format keeps track of the structure change and parses the new log entries accordingly.
The following example shows a portion of a W3C Extended Log File Format log file:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-11-18 00:28:33
#Fields: date c-ip cs-uri-stem cs-bytes
2003-11-18 192.168.1.101 /Default.htm 100
2003-11-18 192.168.1.104 /hitcount.asp 200
2003-11-18 192.168.1.102 /images/address.gif
2003-11-18 192.168.1.102 /cgi-bin/counts.exe 400
See also: W3C Input Format, W3C Output Format
IISW3C Input Format From-Entity Syntax
<from-entity> ::= <filename> | <SiteID> [, <filename> | <SiteID> ... ]
<SiteID> ::= <site_number> | <server_comment> | <site_metabase_path>
The <from-entity> specified in queries using the IISW3C input format is a comma-separated list of:
Paths of IIS W3C Extended log files;
IIS Virtual Site "identifiers".
"Site identifiers" must be enclosed within angle brackets (< and >), and can have one of the following values:
The numeric site ID (e.g. "<1>", "<28163489>");
The text value of the "ServerComment" property of the site (e.g. "<MyExternalSite>", "<www.margiestravel.com>");
The fully-qualified ADSI metabase path to the site (e.g. "<//MYSERVER/W3SVC/1>"), using either the numeric site ID or the text value of the "ServerComment" property of the site.
When a "site identifier" is used, the IISW3C input format connects to the specified machine's metabase, gathers information on the site's current logging properties, and parses all the log files in the site's current log file directory.
Filenames and "Site identifiers" can also include wildcards (e.g. "LogFiles\ex04*.log", "<www.*.com>").
Examples:
FROM LogFiles\ex04*log, LogFiles\ex03*.log, \\MyServer\LoggingShare\W3SVC2\ex04*.log
FROM <1>, <2>, <MyExternalSite>, extend9.log
FROM <www.net*home.com>, <//MyServer2/W3SVC/www.net*home.com>, <//MyServer2/MSFTPSVC/*>, <*>
IISW3C Input Format Fields
The input records generated by the IISW3C input format contain the following fields:
Name Type Description
LogFilename STRING Full path of the log file containing this entry
LogRow INTEGER Line in the log file containing this entry
date TIMESTAMP The date on which the request was served (Universal Time Coordinates (UTC) time)
time TIMESTAMP The time at which the request was served (Universal Time Coordinates (UTC) time)
c-ip STRING The IP address of the client that made the request
cs-username STRING The name of the authenticated user that made the request, or NULL if the request was from an anonymous user
s-sitename STRING The IIS service name and site instance number that served the request
s-computername STRING The name of the server that served the request
s-ip STRING The IP address of the server that served the request
s-port INTEGER The server port number that received the request
cs-method STRING The HTTP request verb or FTP operation
cs-uri-stem STRING The HTTP request uri-stem or FTP operation target
cs-uri-query STRING The HTTP request uri-query, or NULL if the requested URI did not include a uri-query
sc-status INTEGER The response HTTP or FTP status code
sc-substatus INTEGER The response HTTP sub-status code (this field is logged by IIS version 6.0 and later only)
sc-win32-status INTEGER The Windows status code associated with the response HTTP or FTP status code
sc-bytes INTEGER The number of bytes in the response sent by the server
cs-bytes INTEGER The number of bytes in the request sent by the client
time-taken INTEGER The number of milliseconds elapsed since the moment the server received the request to the moment the server sent the last response chunk to the client
cs-version STRING The HTTP version of the client request
cs-host STRING The client request Host header
cs(User-Agent) STRING The client request User-Agent header
cs(Cookie) STRING The client request Cookie header
cs(Referer) STRING The client request Referer header
s-event STRING The type of log event (this field is logged by IIS version 5.0 only when the "Process Accounting Logging" feature is enabled)
s-process-type STRING The type of process that triggered the log event (this field is logged by IIS version 5.0 only when the "Process Accounting Logging" feature is enabled)
s-user-time REAL The total accumulated User Mode processor time, in percentage, that the site used during the current interval (this field is logged by IIS version 5.0 only when the "Process Accounting Logging" feature is enabled)
s-kernel-time REAL The total accumulated Kernel Mode processor time, in percentage, that the site used during the current interval (this field is logged by IIS version 5.0 only when the "Process Accounting Logging" feature is enabled)
s-page-faults INTEGER The total number of memory references that resulted in memory page faults during the current interval (this field is logged by IIS version 5.0 only when the "Process Accounting Logging" feature is enabled)
s-total-procs INTEGER The total number of applications created during the current interval (this field is logged by IIS version 5.0 only when the "Process Accounting Logging" feature is enabled)
s-active-procs INTEGER The total number of applications running when the log event was triggered (this field is logged by IIS version 5.0 only when the "Process Accounting Logging" feature is enabled)
s-stopped-procs INTEGER The total number of applications stopped due to process throttling during the current interval (this field is logged by IIS version 5.0 only when the "Process Accounting Logging" feature is enabled)
IISW3C Input Format Parameters
The IISW3C input format supports the following parameters:
iCodepage
Values: codepage ID (number)
Default: -2
Description: Codepage of the log file.
Details: 0 is the system codepage; -2 specifies that the codepage is automatically determined by inspecting the filename and/or the site's "LogInUTF8" property.
Example: -iCodepage:1245
recurse
Values: recursion level (number)
Default: 0
Description: Max subdirectory recursion level.
Details: 0 disables subdirectory recursion; -1 enables unlimited recursion.
Example: -recurse:-1
minDateMod
Values: date/time (in "yyyy-MM-dd hh:mm:ss" format)
Default: not specified
Description: Minimum file last modified date, in local time coordinates.
Details: When this parameter is specified, the IISW3C input format processes only log files that have been modified after the specified date.
Example: -minDateMod:"2004-05-28 22:05:10"
dQuotes
Values: ON|OFF
Default: OFF
Description: Specifies that string values in the log are double-quoted.
Details: Log processors might generate W3C logs whose string values are enclosed in double-quotes.
Example: -dQuotes:ON
dirTime
Values: ON|OFF
Default: OFF
Description: Use the value of the "#Date" directive for the "date" and/or "time" field values when these fields are not logged.
Details: When a log file is configured to not log the "date" and/or "time" fields, specifying "ON" for this parameter causes the IISW3C input format to generate "date" and "time" values using the value of the last seen "#Date" directive.
Example: -dirTime:ON
consolidateLogs
Values: ON|OFF
Default: OFF
Description: Return entries from all the input log files ordering by date and time.
Details: When a from-entity refers to log files from multiple IIS virtual sites, specifying ON for this parameter causes the IISW3C input format to parse all the input log files in parallel, returning entries ordered by the values of the "date" and "time" fields in the log files; the input records returned will thus appear as if a single IISW3C log file was being parsed. Enabling this feature is equivalent to executing a query with an "ORDER BY date, time" clause on all the log files. However, the implementation of this feature leverages the pre-existing chronological order of entries in each log file, and it does not require the extensive memory resources otherwise required by the ORDER BY query clause.
Example: -consolidateLogs:ON
iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new log entries that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
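As an added example (not Log Parser's own code), the Python sketch below mirrors three behaviours described for the IISW3C input format: following a new "#Fields" directive mid-file, the dirTime fallback to the last seen "#Date" directive, and consolidateLogs-style merging that relies on each file already being in chronological order. The sample logs, the `ts` key and the function names are constructed for illustration; filling only the missing "date" or "time" value from "#Date" is an assumption about how dirTime behaves.

```python
import heapq
from datetime import datetime

# Constructed sample logs. SITE1 changes its logged fields mid-file and
# stops logging "date" after the change.
SITE1 = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-28 22:05:10
#Fields: date time c-ip cs-uri-stem sc-status
2004-05-28 22:05:10 192.168.1.101 /Default.htm 200
2004-05-28 22:05:14 192.168.1.104 /hitcount.asp 500
#Date: 2004-05-28 22:06:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:06:01 192.168.1.102 GET /images/address.gif 404
"""
SITE2 = """\
#Version: 1.0
#Date: 2004-05-28 22:05:00
#Fields: date time c-ip cs-uri-stem sc-status
2004-05-28 22:05:12 192.168.1.200 /style.css 200
2004-05-28 22:06:30 192.168.1.200 /cgi-bin/counts.exe 403
"""

STAMP = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text, dir_time=False):
    """Yield one dict per entry, re-reading the layout at every #Fields line."""
    fields, directive_date = [], None
    for row, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if name == "Fields":
                fields = value.split()          # new column layout from here on
            elif name == "Date":
                directive_date = datetime.strptime(value.strip(), STAMP)
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                            # row does not fit current layout
        rec = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
        rec["LogRow"] = row
        date, time = rec.get("date"), rec.get("time")
        if dir_time and directive_date is not None:
            # Assumed dirTime behaviour: fill whichever value is not logged.
            date = date or directive_date.strftime("%Y-%m-%d")
            time = time or directive_date.strftime("%H:%M:%S")
        rec["ts"] = (datetime.strptime(f"{date} {time}", STAMP)
                     if date and time else None)
        yield rec


def consolidate(*logs):
    """Merge several logs by timestamp lazily, without sorting them in memory.

    heapq.merge holds one pending record per input, which works only because
    each log is already in chronological order.
    """
    streams = [(r for r in parse_w3c(log, dir_time=True) if r["ts"] is not None)
               for log in logs]
    return heapq.merge(*streams, key=lambda r: r["ts"])


if __name__ == "__main__":
    for rec in consolidate(SITE1, SITE2):
        print(rec["ts"], rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"])
```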
IISW3C Input Format Examples
Top 20 URL's for a Site
Create a chart containing the TOP 20 URL's in the "www.margiestravel.com" web site (assumed to be logging in the W3C log format):
LogParser "SELECT TOP 20 cs-uri-stem, COUNT(*) AS Hits INTO MyChart.gif FROM <www.margiestravel.com> GROUP BY cs-uri-stem ORDER BY Hits DESC" -chartType:Column3D -groupSize:1024x768
Export Errors to SYSLOG
Send error entries in the W3C log to a SYSLOG server:
LogParser "SELECT TO_TIMESTAMP(date, time), CASE sc-status WHEN 500 THEN 'emerg' ELSE 'err' END AS MySeverity, s-computername AS MyHostname, cs-uri-stem INTO @myserver FROM <1> WHERE sc-status >= 400" -o:SYSLOG -severity:$MySeverity -hostName:$MyHostname
Bytes by Extension Chart
Create a pie chart with the total number of bytes generated by each extension:
LogParser "SELECT EXTRACT_EXTENSION(cs-uri-stem) AS Extension, MUL(PROPSUM(sc-bytes), 100.0) AS Bytes INTO Pie.gif FROM <1> GROUP BY Extension ORDER BY Bytes DESC" -chartType:PieExploded -chartTitle:"Bytes per extension" -categories:off
NCSA Input Format
The NCSA input format parses log files in the NCSA Common, Combined, and Extended Log File Formats.
The NCSA Log File Format is a text-based, fixed-field format. Log entries are logged on a single line, consisting of a space-separated list of field values. There are three versions of the NCSA Log File Format: "Common", "Combined", and "Extended". The three versions differ by the number of fields that are logged for each request. IIS can log NCSA Common Log File Format log files, while other web servers can be configured to log with the Combined and Extended formats.
The following example shows a portion of an NCSA Common Log File Format log file:
172.21.13.45 - Microsoft\User [08/Apr/2001:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401
172.21.201.112 - - [08/Apr/2001:21:01:19 -0800] "GET /style.css HTTP/1.0" 200 3401
The following example shows a portion of an NCSA Combined Log File Format log file:
172.21.13.45 - Microsoft\User [08/Apr/2001:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401 "http://www.microsoft.com/" "Mozilla/4.05 [en] (WinNT; I)" "USERID=CustomerA"
172.21.201.112 - - [08/Apr/2001:21:01:19 -0800] "GET /style.css HTTP/1.0" 200 1937 "http://www.microsoft.com/" "Mozilla/4.05 [en] (WinNT; I)" "USERID=CustomerA"
NCSA Input Format From-Entity Syntax
<from-entity> ::= <filename> | <SiteID> [, <filename> | <SiteID> ... ]
<SiteID> ::= <site_number> | <server_comment> | <site_metabase_path>
The <from-entity> specified in queries using the NCSA input format is a comma-separated list of:
Paths of NCSA Log File Format log files;
IIS Virtual Site "identifiers".
"Site identifiers" must be enclosed within angle brackets (< and >), and can have one of the following values:
The numeric site ID (e.g. "<1>", "<28163489>");
The text value of the "ServerComment" property of the site (e.g. "<MyExternalSite>", "<www.margiestravel.com>");
The fully-qualified ADSI metabase path to the site (e.g. "<//MYSERVER/W3SVC/1>"), using either the numeric site ID or the text value of the "ServerComment" property of the site.
When a "site identifier" is used, the NCSA input format connects to the specified machine's metabase, gathers information on the site's current logging properties, and parses all the log files in the site's current log file directory.
Filenames and "Site identifiers" can also include wildcards (e.g. "LogFiles\nc04*.log", "<www.*.com>").
Examples:
FROM LogFiles\nc04*log, LogFiles\nc03*.log, \\MyServer\LoggingShare\W3SVC2\nc04*.log
FROM <1>, <2>, <MyExternalSite>, ncsa9.log
FROM <www.net*home.com>, <//MyServer2/W3SVC/www.net*home.com>, <*>
NCSA Input Format Fields
The input records generated by the NCSA input format contain the following fields:
Name Type Description
LogFilename STRING Full path of the log file containing this entry
LogRow INTEGER Line in the log file containing this entry
RemoteHostName STRING The IP address of the client that made the request
RemoteLogName STRING The identifier used to identify the client making the HTTP request, or NULL if no identifier is used (always NULL in NCSA log files generated by IIS)
UserName STRING The name of the authenticated user that made the request, or NULL if the request was from an anonymous user
DateTime TIMESTAMP The date and time at which the request was served (Universal Time Coordinates (UTC) time)
Request STRING The HTTP request line (verb, URI, and HTTP version)
StatusCode INTEGER The response HTTP status code
BytesSent INTEGER The number of bytes in the response sent by the server
Referer STRING The client request Referer header (not logged in NCSA Common Log File Format log files)
User-Agent STRING The client request User-Agent header (not logged in NCSA Common Log File Format log files)
Cookie STRING The client request Cookie header (not logged in NCSA Common Log File Format log files)
Page 319
NCSA Input Format Parameters
The NCSA input format supports the following parameters:
iCodepage
Values: codepage ID (number)
Default: -2
Description: Codepage of the log file.
Details: 0 is the system codepage; -2 specifies that the codepage is automatically determined by inspecting the filename and/or the site's "LogInUTF8" property.
Example: -iCodepage:1245
recurse
Values: recursion level (number)
Default: 0
Description: Max subdirectory recursion level.
Details: 0 disables subdirectory recursion; -1 enables unlimited recursion.
Example: -recurse:-1
minDateMod
Values: date/time (in "yyyy-MM-dd hh:mm:ss" format)
Default: not specified
Description: Minimum file last modified date, in local time coordinates.
Details: When this parameter is specified, the NCSA input format processes only log files that have been modified after the specified date.
Example: -minDateMod:"2004-05-28 22:05:10"
iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new log entries that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
Page 321
NCSA Input Format Examples
Slice Request field into components
Return the verb, URI, and HTTP version for each request:
LogParser "SELECT EXTRACT_TOKEN(Request, 0, ' ') AS Verb, EXTRACT_TOKEN(Request, 1, ' ') AS URI, EXTRACT_TOKEN(Request, 2, ' ') AS Version FROM ncsa9.log"
Top 20 URL's for a Site
Create a chart containing the TOP 20 URL's in the "www.margiestravel.com" web site (assumed to be logging in the NCSA log format):
LogParser "SELECT TOP 20 EXTRACT_TOKEN(Request, 1, ' ') AS URI, COUNT(*) AS Hits INTO MyChart.gif FROM <www.margiestravel.com> GROUP BY URI ORDER BY Hits DESC" -chartType:Column3D -groupSize:1024x768
Page 322
NETMON Input Format
The NETMON input format parses network capture files (.cap files) created by the NetMon Network Monitor application.
The NETMON input format works in two different modes, selectable through the fMode parameter.
When the "fMode" parameter is set to "TCPIP", the NETMON input format returns an input record for each TCP/IP packet found in the capture file. In this case, input records contain fields from the TCP and IP packet headers, together with the payload of each packet. For example, the following command returns the specified fields from the TCP/IP packets in the capture file:
LogParser "SELECT SrcPort, TCPFlags, PayloadBytes FROM MyCapture.cap" -fMode:TCPIP
The output of this command would look like the following sample:
SrcPort TCPFlags PayloadBytes
------- -------- ------------
445     A        1
1146    A        0
1336    S        0
80      AS       0
1336    A        0
1336    AP       283
1336    A        1431
80      A        0
1336    A        1431
1336    AP       549
When the "fMode" parameter is set to "TCPConn", the NETMON input format returns an input record for each TCP connection found in the capture file. In this case, input records contain fields calculated by aggregating all the TCP packets in the connection, including the reconstructed payload sent by both endpoints. For example, the following command returns the specified fields from the TCP connections in the capture file:
LogParser "SELECT SrcPort, TimeTaken, SrcPayloadBytes, DstPayloadBytes FROM MyCapture.cap" -fMode:TCPConn
The output of this command would look like the following sample:
SrcPort TimeTaken    SrcPayloadBytes DstPayloadBytes
------- ------------ --------------- ---------------
1336    150.216000   3694            3673
1284    450.648000   312             1362
1286    711.023000   0               0
1287    1001.440000  0               0
1288    851.224000   0               0
1289    15120.240000 0               0
1283    66619.388000 1886            3718
1291    13663.102000 312             636
1285    47883.357000 312             708
1290    21203.946000 312             1362
From-Entity Syntax, Fields, Parameters, Examples
Page 324
NETMON Input Format From-Entity Syntax
<from-entity> ::= <filename> [, <filename> ...]
The <from-entity> specified in queries using the NETMON input format is a comma-separated list of NetMon capture files (.cap files).
Examples:
FROM MyCapture1.cap
FROM MyCapture1.cap, MyCapture2.cap
Page 325
NETMON Input Format Fields
The structure of the input records generated by the NETMON input format depends on the value specified for the fMode parameter.
TCPIP Mode
When the fMode parameter is set to "TCPIP", the NETMON input format returns an input record for each TCP/IP packet found in the capture file. In this mode, input records contain the following fields:
Name Type Description
CaptureFilename STRING The full path of the capture file containing this packet
Frame INTEGER The frame number containing this packet
DateTime TIMESTAMP Date and time at which the packet was sent
FrameBytes INTEGER Total number of bytes in the frame
SrcMAC STRING MAC address of the sender of this packet
SrcIP STRING IP address of the sender of this packet
SrcPort INTEGER TCP port number of the sender of this packet
DstMAC STRING MAC address of the destination of this packet
DstIP STRING IP address of the destination of this packet
DstPort INTEGER TCP port number of the destination of this packet
IPVersion INTEGER IP version of this packet
TTL INTEGER Time-To-Live field of the IP header of this packet
TCPFlags STRING TCP flags field of the TCP header of this packet
Seq INTEGER TCP sequence number of this packet
Ack INTEGER TCP acknowledge number of this packet
WindowSize INTEGER Window size field of the TCP header of this packet
PayloadBytes INTEGER Number of bytes in the TCP payload of this packet
Payload STRING TCP payload of this packet
Connection INTEGER Unique identifier of the TCP connection to which this packet belongs
Page 327
TCPConn Mode
When the fMode parameter is set to "TCPConn", the NETMON input format returns an input record for each TCP connection found in the capture file. In this mode, input records contain the following fields:
Name Type Description
CaptureFilename STRING The full path of the capture file containing this connection
StartFrame INTEGER Frame number containing the first packet of this connection
EndFrame INTEGER Frame number containing the last packet of this connection
Frames INTEGER Total number of frames containing packets belonging to this connection
DateTime TIMESTAMP Date and time at which the first packet of this connection was sent
TimeTaken INTEGER Total number of milliseconds elapsed since the first packet of this connection to the last packet
SrcMAC STRING MAC address of the initiator of this connection
SrcIP STRING IP address of the initiator of this connection
SrcPort INTEGER TCP port number of the initiator of this connection
SrcPayloadBytes INTEGER Total number of bytes in the reconstructed TCP payload sent by the initiator of this connection
SrcPayload STRING Reconstructed TCP payload sent by the initiator of this connection
DstMAC STRING MAC address of the receiver of this connection
DstIP STRING IP address of the receiver of this connection
DstPort INTEGER TCP port number of the receiver of this connection
DstPayloadBytes INTEGER Total number of bytes in the reconstructed TCP payload sent by the receiver of this connection
DstPayload STRING Reconstructed TCP payload sent by the receiver of this connection
Page 330
NETMON Input Format Parameters
The NETMON input format supports the following parameters:
fMode
Values: TCPIP | TCPConn
Default: TCPIP
Description: Operation mode.
Details: When this parameter is set to "TCPIP", the NETMON input format returns an input record for each TCP/IP packet found in the capture file. In this case, input records contain fields from the TCP and IP packet headers, together with the payload of each packet. When this parameter is set to "TCPConn", the NETMON input format returns an input record for each TCP connection found in the capture file. In this case, input records contain fields calculated by aggregating all the TCP packets in the connection, including the reconstructed payload sent by both endpoints. For more information on the different modes of operation, see NETMON Input Format Fields.
Example: -fMode:TCPConn
binaryFormat
Values: ASC | PRINT | HEX
Default: ASC
Description: Format of binary fields.
Details: TCP packet payloads are returned as STRING values formatted according to the value specified for this parameter. When this parameter is set to "ASC", data bytes belonging to the 0x20-0x7F range are returned as ASCII characters, while data bytes outside the range are returned as period (.) characters, as shown in the following example:
POST /test_system/request HTTP/1.1..Content-Length: 3411..Connection: Keep-Alive..
When this parameter is set to "PRINT", data bytes representing printable ASCII characters are returned as ASCII characters, while data bytes that do not represent printable ASCII characters are returned as period (.) characters, as shown in the following example:
POST /test_system/request HTTP/1.1
Content-Length: 3411
Connection: Keep-Alive
When this parameter is set to "HEX", all data bytes are returned as two-digit hexadecimal values, as shown in the following example:
504F5354202F63636D5F73797374656D2F7265717565737420485454502F312E310D0A
Example: -binaryFormat:PRINT
Page 332
NETMON Input Format Examples
Network Traffic per Second
Display total network traffic bytes per second:
LogParser "SELECT QUANTIZE(DateTime, 1) AS Second, SUM(FrameBytes) INTO DATAGRID FROM MyCapture.cap GROUP BY Second"
Page 333
REG Input Format
The REG input format returns information on registry values.
The REG input format enumerates local or remote registry keys and values, returning an input record for each registry value found in the enumeration.
From-Entity Syntax, Fields, Parameters, Examples
See also: FS Input Format
Page 334
REG Input Format From-Entity Syntax
<from-entity> ::= <registry_key> [, <registry_key> ...]
<registry_key> ::= [\\<computer_name>]\[<root_name>[\<subkey_path>]]
<root_name> ::= HKCR | HKCU | HKLM | HKCC | HKU
The <from-entity> specified in queries using the REG input format is a comma-separated list of registry keys. Valid registry keys are:
The registry root (e.g. "\");
A system registry root (e.g. "\HKLM");
Any key below a system registry root (e.g. "\HKLM\Software\Microsoft").
Registry keys can be optionally preceded by a remote computer name in the UNC notation.
Examples:
FROM \
FROM \HKLM, \HKCU
FROM \\SERVER1\HKLM\Software, \\SERVER2\HKLM\Software
Page 335
REG Input Format Fields
The input records generated by the REG input format contain the following fields:
Name Type Description
ComputerName STRING Name of the computer hosting the registry containing this value
Path STRING Path of the registry key containing this value
KeyName STRING Name of the registry key containing this value
ValueName STRING Name of the registry value
ValueType STRING Name of the type of the registry value
Value STRING Text representation of the content of the registry value
LastWriteTime TIMESTAMP Date and time at which the registry value has been last modified (Universal Time Coordinates (UTC) time)
Page 336
REG Input Format Parameters
The REG input format supports the following parameters:
recurse
Values: recursion level (number)
Default: -1
Description: Max subkey recursion level.
Details: 0 disables subkey recursion; -1 enables unlimited recursion.
Example: -recurse:2
multiSZSep
Values: any string
Default: |
Description: Separator between elements of MULTI_SZ registry values.
Details: Registry values of the MULTI_SZ type contain arrays of strings. In these cases, the content of the "Value" field is built by concatenating the array elements one after the other, using the value of this parameter as a separator between the elements.
Example: -multiSZSep:,
binaryFormat
Values: ASC | PRINT | HEX
Default: ASC
Description: Format of REG_BINARY registry values.
Details: Registry values of the REG_BINARY type contain binary data often not suitable to be textually represented. This parameter specifies how binary data is formatted to a STRING when returned as content of the "Value" field. When this parameter is set to "ASC", data bytes belonging to the 0x20-0x7F range are returned as ASCII characters, while data bytes outside the range are returned as period (.) characters, as shown in the following example:
Bucket: 02096553..rundll32.exe
When this parameter is set to "PRINT", data bytes representing printable ASCII characters are returned as ASCII characters, while data bytes that do not represent printable ASCII characters are returned as period (.) characters, as shown in the following example:
Bucket: 02096553
rundll32.exe
When this parameter is set to "HEX", all data bytes are returned as two-digit hexadecimal values, as shown in the following example:
4275636B65743A2030323039363535330D0A72756E646C6C33322E657865
Example: -binaryFormat:PRINT
Page 338
REG Input Format Examples
Upload Registry to SQL Table
Load a portion of the registry into a SQL table:
LogParser "SELECT * INTO MyTable FROM \HKLM" -i:REG -o:SQL -server:MyServer -database:MyDatabase -driver:"SQL Server" -username:TestSQLUser -password:TestSQLPassword -createTable:ON
Registry Type Distribution
Display the distribution of registry value types:
LogParser "SELECT ValueType, COUNT(*) INTO DATAGRID FROM \HKLM GROUP BY ValueType"
Page 339
TEXTLINE Input Format
The TEXTLINE input format returns lines from generic text files.
The TEXTLINE input format makes it possible to parse text files in any format not supported natively by Log Parser, and retrieve entire lines of text as a single field. The field can then be processed by the SQL-like query by making use of string manipulation functions, such as the EXTRACT_TOKEN function.
From-Entity Syntax, Fields, Parameters, Examples
See also: TEXTWORD Input Format, TSV Input Format
Page 340
TEXTLINE Input Format From-Entity Syntax
<from-entity> ::= <filename> [, <filename> ...] |
                  http://<url> | STDIN
The <from-entity> specified in queries using the TEXTLINE input format is either:
A comma-separated list of paths to text files, optionally including wildcards;
The URL of a text file;
The "STDIN" keyword, which specifies that the input data is available from the input stream (commonly used when piping command executions).
Examples:
FROM *.txt, \\MyServer\FileShare\*.tsv
FROM http://www.microsoft.adatum.com/example.tsv
type data.txt | LogParser "SELECT * FROM STDIN" -i:TEXTLINE
Page 341
TEXTLINE Input Format Fields
The input records generated by the TEXTLINE input format contain the following fields:
Name Type Description
LogFilename STRING Full path of the file containing this line
Index INTEGER Line number
Text STRING Text line content
Page 342
TEXTLINE Input Format Parameters
The TEXTLINE input format supports the following parameters:
iCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the text file.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -iCodepage:1245
recurse
Values: recursion level (number)
Default: 0
Description: Max subdirectory recursion level.
Details: 0 disables subdirectory recursion; -1 enables unlimited recursion.
Example: -recurse:-1
splitLongLines
Values: ON | OFF
Default: OFF
Description: Split lines when longer than maximum allowed.
Details: When a text line is longer than 128K characters, the TEXTLINE input format truncates the line and either discards the remainder of the line (when this parameter is set to "OFF"), or processes the remainder of the line as a new line (when this parameter is set to "ON").
Example: -splitLongLines:ON
iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new log entries that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
Page 344
TEXTLINE Input Format Examples
HTML Links
Return the lines in an HTML document that contain links to other pages:
LogParser "SELECT Text FROM http://www.microsoft.adatum.com WHERE Text LIKE '%href%'" -i:TEXTLINE
Page 345
TEXTWORD Input Format
The TEXTWORD input format returns words from generic text files.
The TEXTWORD input format makes it possible to parse text files in any format not supported natively by Log Parser, and retrieve each word (i.e. each string delimited by whitespace characters) as a single field.
From-Entity Syntax, Fields, Parameters, Examples
See also: TEXTLINE Input Format, TSV Input Format
Page 346
TEXTWORD Input Format From-Entity Syntax
<from-entity> ::= <filename> [, <filename> ...] |
                  http://<url> | STDIN
The <from-entity> specified in queries using the TEXTWORD input format is either:
A comma-separated list of paths to text files, optionally including wildcards;
The URL of a text file;
The "STDIN" keyword, which specifies that the input data is available from the input stream (commonly used when piping command executions).
Examples:
FROM *.txt, \\MyServer\FileShare\*.tsv
FROM http://www.microsoft.adatum.com/example.tsv
type data.txt | LogParser "SELECT * FROM STDIN" -i:TEXTWORD
Page 347
TEXTWORD Input Format Fields
The input records generated by the TEXTWORD input format contain the following fields:
Name Type Description
LogFilename STRING Full path of the file containing this word
Index INTEGER Word number
Text STRING Word
Page 348
TEXTWORD Input Format Parameters
The TEXTWORD input format supports the following parameters:
iCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the text file.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -iCodepage:1245
recurse
Values: recursion level (number)
Default: 0
Description: Max subdirectory recursion level.
Details: 0 disables subdirectory recursion; -1 enables unlimited recursion.
Example: -recurse:-1
iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new log entries that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
Page 350
TEXTWORD Input Format Examples
Word Distribution
Return the distribution of words in the specified text file:
LogParser "SELECT Text, COUNT(*) FROM MyFile.txt GROUP BY Text ORDER BY COUNT(*) DESC" -i:TEXTWORD
Page 351
TSV Input Format
The TSV input format parses tab-separated and space-separated values text files.
TSV text files, usually called "tabular" files, are generic text files containing values separated by either spaces or tabs. This is also the format of the output of many command-line tools. For example, the output of the "netstat" tool is a series of lines, each line consisting of values separated by spaces:
Active Connections

  Proto  Local Address             Foreign Address                          State
  TCP    GABRIEGI-M:epmap          GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING
  TCP    GABRIEGI-M:microsoft-ds   GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING
  TCP    GABRIEGI-M:1025           GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING
  TCP    GABRIEGI-M:1036           GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING
  TCP    GABRIEGI-M:3389           GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING
  TCP    GABRIEGI-M:5000           GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING
  TCP    GABRIEGI-M:42510          GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING
  TCP    GABRIEGI-M:netbios-ssn    GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING
  UDP    GABRIEGI-M:microsoft-ds   *:*
  UDP    GABRIEGI-M:isakmp         *:*
  UDP    GABRIEGI-M:1026           *:*
  UDP    GABRIEGI-M:1027           *:*
  UDP    GABRIEGI-M:1028           *:*
  UDP    GABRIEGI-M:ntp            *:*
  UDP    GABRIEGI-M:1900           *:*
  UDP    GABRIEGI-M:ntp            *:*
  UDP    GABRIEGI-M:netbios-ns     *:*
  UDP    GABRIEGI-M:netbios-dgm    *:*
  UDP    GABRIEGI-M:1900           *:*
  UDP    GABRIEGI-M:42508          *:*
Depending on the application, the first line in a TSV file might be a "header", containing the labels of the record fields. The following example shows a TSV file beginning with a header:
Year  PID   Comment
2004  2956  Application started
2004        Waiting for input
2004  3104  Application started
2004  1048  Application started
Among all the parameters supported by the TSV input format, the iSeparator, nSep, and fixedSep parameters play a crucial role in providing the flexibility of the TSV input format on the format of the files being parsed.
The iSeparator parameter specifies the character used as a separator between the fields in the files being parsed. Some text files, like the previous netstat example, use simple space characters as separator characters, while other text files, like the second example above, use tab characters.
The nSep parameter specifies how many separator characters must appear for the characters to signify a field separator. In the netstat example above, fields are separated by at least two space characters, while a single space character is allowed to appear in the value of a field (as is the case with the "Local Address" field name). On the other hand, in the previous tab-separated example file, fields are separated by a single tab character.
The fixedSep parameter specifies whether or not the fields in the input files are separated by a fixed number of separator characters. In the netstat example above, fields are separated by at least two space characters, but three or more space characters still signify a single field separator. On the other hand, in the previous tab-separated example file, fields are separated by exactly a single tab character, and the presence of two consecutive tab characters signifies an empty field.
From-Entity Syntax, Fields, Parameters, Examples
See also: CSV Input Format, TSV Output Format
Page 353
TSV Input Format From-Entity Syntax
<from-entity> ::= <filename> [, <filename> ...] |
                  http://<url> | STDIN
The <from-entity> specified in queries using the TSV input format is either:
A comma-separated list of paths of TSV files, optionally including wildcards;
The URL of a file in the TSV format;
The "STDIN" keyword, which specifies that the input data is available from the input stream (commonly used when piping command executions).
Examples:
FROM LogFiles1\*.txt, LogFiles2\*.txt, \\MyServer\FileShare\*.txt
FROM http://www.microsoft.adatum.com/MyTSVFiles/example.tsv
type data.tsv | LogParser "SELECT * FROM STDIN" -i:TSV
Page 354
TSV Input Format Fields
The structure of the input records generated by the TSV input format is determined at run time, depending on the data being parsed, and on the values specified for the input format parameters.
The first two input record fields are fixed, and they are described in the following table:
Name Type Description
Filename STRING Full path of the file containing this entry
RowNumber INTEGER Line in the file containing this entry
These two fields are then followed by the fields detected by the TSV input format in the file(s) being parsed. The number, names, and data types of the fields are determined by initially examining the input data according to the values specified for the input format parameters.
The number of fields detected by the TSV input format during the initial inspection phase dictates how the record fields will be extracted from the input data during the subsequent parsing stage. If a line contains fewer fields than the number of fields established, the missing fields are returned as NULL values. On the other hand, if a line contains more fields than the number of fields established, the extra fields are parsed as if they were part of the value of the last field expected by the TSV input format.
Number of Fields
The number of fields in an input record is determined by the input data and by the value of the nFields parameter.
When the "nFields" parameter is set to -1, the TSV input format determines the number of fields by inspecting the first line of the input data, or the first line of the header file specified with the "iHeaderFile" parameter. As an example, the following TSV file contains a variable number of fields:
Name    City     AreaCode
Jeff    Redmond  425
Steve   Seattle  206       98101
Edward  Olympia  360
When parsed with the "nFields" parameter set to -1, this TSV file would yield three fields ("Name", "City", and "AreaCode"). In this case, the extra fourth field in the second record would be parsed as part of the third "AreaCode" field, whose value would then be "206 98101".
When the "nFields" parameter is set to a value greater than zero, the TSV input format uses the specified value as the number of fields in the input data. Considering again the previous example file, parsing the file with the "nFields" parameter set to 4 would yield four fields.
Field Names
The names of the fields in an input record are determined by the input data and by the values of the headerRow and iHeaderFile parameters.
When the "headerRow" parameter is set to "ON", the TSV input format assumes that the first line in the file being parsed is a header containing the field names. In this case, if the "iHeaderFile" parameter is left unspecified, the TSV input format extracts the field names from the header line. On the other hand, if the "iHeaderFile" parameter is set to the path of a TSV file containing at least one line, then the TSV input format assumes that the specified file contains a header, parses its first line only, and extracts the field names from this line, ignoring the first line of the file being parsed.
If the number of field names extracted is less than the number of fields detected, the additional fields are automatically named "FieldN", with N being a progressive index indicating the field position in the input record.
Considering the previous example file, setting the "headerRow" parameter to "ON" would cause the TSV input format to use the first line of the file as a header containing the field names. With the "nFields" parameter set to -1, the TSV input format would detect three fields, whose names would be "Name", "City", and "AreaCode". On the other hand, with the "nFields" parameter set to 4, the TSV input format would detect four fields, named "Name", "City", "AreaCode", and "Field4".
When the "headerRow" parameter is set to "OFF", the TSV input format assumes that the file being parsed does not contain a header, and that its first line is the first data record in the file. In this case, if the "iHeaderFile" parameter is set to the path of a TSV file containing at least one line, then the TSV input format assumes that the specified file contains a header, parses its first line only, and extracts the field names from this line. On the other hand, if the "iHeaderFile" parameter is left unspecified, the fields are automatically named "FieldN", with N being a progressive number indicating the field position in the input record.
As an example, the following TSV file does not contain a header line:
Jeff    Redmond  425
Steve   Seattle  206
Edward  Olympia  360
When parsed with the "headerRow" parameter set to "OFF", the TSV input format assumes that the first line of the TSV file is the first data record in the file. In this case, the three fields would be named "Field1", "Field2", and "Field3".
Field Types
The data type of each field extracted from the input data is determined by examining the first n data lines, where n is the value specified for the dtLines parameter, in the following way:
If all the non-empty field values in the first n lines are formatted as decimal numbers, then the field is assumed to be of the REAL type.
If all the non-empty field values in the first n lines are formatted as integer numbers, then the field is assumed to be of the INTEGER type.
If all the non-empty field values in the first n lines are formatted as timestamps in the format specified by the iTsFormat parameter, then the field is assumed to be of the TIMESTAMP type.
Otherwise, the field is assumed to be of the STRING type.
Empty field values are returned as NULL values.
Page 358
TSV Input Format Parameters
The TSV input format supports the following parameters:
iSeparator
Values: a single character | spaces | space | tab
Default: tab
Description: Separator character between fields.
Details: The "spaces" value instructs the TSV input format to consider any spacing character (space and tab) as a separator character.
Example: -iSeparator:space
nSep
Values: number of separators (number)
Default: 1
Description: Number of separator characters between fields in the data records.
Details: This parameter specifies how many separator characters must appear for the characters to signify a field separator. This parameter is usually set to a value greater than one when parsing space-separated text files in which field values can contain a single space character. In these cases, fields are usually separated by more than a single space character. When the "fixedSep" parameter is set to "OFF", the value of the "nSep" parameter is assumed to be the minimum number of separator characters signifying a field separator.
Example: -nSep:2
fixedSep
Values: ON | OFF
Default: OFF
Description: Specifies whether or not the fields in the input TSV file(s) are separated by a fixed number of separator characters.
Details: When this parameter is set to "ON", the TSV input format assumes that the number of separator characters between the fields in the input data equals exactly the value specified for the "nSep" parameter. In this case, the presence of more separator characters signifies an empty value, which is returned as a NULL value. When this parameter is set to "OFF", the TSV input format assumes that the fields in the input data are separated by a variable number of separator characters, and the value of the "nSep" parameter is assumed to be the minimum number of separator characters signifying a field separator. In this case, additional separator characters are ignored and parsed as a single field separator, thus making it impossible for a value to be interpreted as a NULL value.
Example: -fixedSep:ON
headerRow
Values: ON | OFF
Default: ON
Description: Specifies whether or not the input file(s) begin with a header line.
Details: When this parameter is set to "ON", the TSV input format assumes that each file being parsed begins with a header line, containing the labels of the fields in the file. If the "iHeaderFile" parameter is left unspecified, the TSV input format will use the field names in the first file's header as the names of the input record fields. If a value is specified for the "iHeaderFile" parameter, the TSV input format will ignore the header line in each file being parsed. When this parameter is set to "OFF", the TSV input format assumes that the file(s) being parsed do not contain a header, and parses their first line as data records. For more information on headers and field names, see TSV Input Format Fields.
Example: -headerRow:OFF
iHeaderFile
Values: path to a TSV file
Default: not specified
Description: File containing field names.
Details: When parsing TSV files that do not contain a header line, the fields of the input records produced by the TSV input format are named "Field1", "Field2", ... To override this behavior and use meaningful field names, this parameter can be set to the path of a TSV file containing a header line, causing the TSV input format to use the field names in the specified TSV file's header line as the names of the input record fields. Only the first line of the specified TSV file is parsed, and any additional lines are ignored. For more information on headers and field names, see TSV Input Format Fields.
Example: -iHeaderFile:"C:\My Folder\header.tsv"
nFields
Values: number of fields (number)
Default: -1
Description: Number of fields in the data records.
Details: This parameter specifies the number of fields in the input data. The special "-1" value specifies that the number of fields is to be deduced by inspecting the first line of input data. For more information on how the number of fields is determined, see TSV Input Format Fields.
Example: -nFields:3
dtLines
Values: number of lines (number)
Default: 100
Description: Number of lines examined to determine field types at run time.
Details: This parameter specifies the number of initial lines that the TSV input format examines to determine the data type of each input field. If the value is 0, all fields will be assumed to be of the STRING data type. For more information on how field data types are determined, see TSV Input Format Fields.
Example: -dtLines:10
nSkipLines
Values: number of lines (number)
Default: 0
Description: Number of initial lines to skip.
Details: When this parameter is set to a value greater than zero, the TSV input format skips the first n lines of each input file before parsing its header line, where n is the value specified for this parameter.
Example: -nSkipLines:5
lineFilter
Values: +|-<any_string>[,<any_string>...]
Default: not specified
Description: Skip or consider only lines beginning with these strings.
Details: When the value of this parameter begins with a "+" character, the TSV input format will only parse those lines beginning with one of the strings following the "+" character in the specified value. For example, the value "+Data:,Summary:" causes the TSV input format to parse only lines beginning with either "Data:" or "Summary:". When the value of this parameter begins with a "-" character, the TSV input format will ignore those lines beginning with one of the strings that follow the "-" character in the specified value. For example, the value "-Comment,Marker" causes the TSV input format to ignore lines beginning with either "Comment" or "Marker".
Example: -lineFilter:"-MetaData:,Summary:"
iCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the TSV file.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -iCodepage:1245
iTsFormat
Values: timestamp format
Default: yyyy-MM-dd hh:mm:ss
Description: Format of timestamp values in the input data.
Details: This parameter specifies the date and/or time format used in the input data being parsed. Values of fields matching the specified format are returned as values of the TIMESTAMP data type. For more information on date and time formats, see Timestamp Format Specifiers.
Example: -iTsFormat:"MMM dd, yyyy"
iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new events that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
Page 365
TSV Input Format Examples
NetStat output
Parse the output of a 'netstat' command:
netstat -a | LogParser "SELECT * FROM STDIN" -i:TSV -iSeparator:space -nSep:2 -fixedSep:OFF -nSkipLines:3
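The field-splitting rules documented for the TSV input format (iSeparator, nSep, fixedSep, nFields, headerRow, nSkipLines) can be modelled in a few lines of Python. This is an added example, not Log Parser code or part of the original documentation: the function names, the sample inputs and the treatment of leading separators in variable mode are assumptions, and all values stay strings (dtLines type detection is not modelled).

```python
import re

# Constructed samples, modelled on the files shown in this documentation.
DOC_SAMPLE = ("Name\tCity\tAreaCode\n"
              "Jeff\tRedmond\t425\n"
              "Steve\tSeattle\t206\t98101\n"
              "Edward\tOlympia\t360\n")
HEADER_SAMPLE = ("Year\tPID\tComment\n"
                 "2004\t2956\tApplication started\n"
                 "2004\t\tWaiting for input\n")
NETSTAT_SAMPLE = (
    "\n"
    "Active Connections\n"
    "\n"
    "  Proto  Local Address          Foreign Address        State\n"
    "  TCP    GABRIEGI-M:epmap       GABRIEGI-M.redmond.corp.microsoft.com:0  LISTENING\n"
    "  UDP    GABRIEGI-M:ntp         *:*\n")


def _split(line, sep, n_sep, fixed_sep, limit=0):
    """Split one line into at most `limit` fields (0 = no limit)."""
    if limit == 1:
        parts = [line]
    elif fixed_sep:
        # fixedSep ON: exactly n_sep characters separate two fields, so any
        # further separator characters produce an empty (NULL) field.
        parts = line.split(sep * n_sep, limit - 1 if limit > 0 else -1)
    else:
        # fixedSep OFF: n_sep is a minimum; a longer run is one separator.
        # Assumption of this model: leading/trailing runs yield no field.
        pattern = "(?:%s){%d,}" % (re.escape(sep), n_sep)
        parts = re.split(pattern, line.strip(sep), maxsplit=max(limit - 1, 0))
    return [p if p != "" else None for p in parts]  # None stands for NULL


def parse_tsv(text, sep="\t", n_sep=1, fixed_sep=False,
              header_row=True, n_fields=-1, n_skip_lines=0):
    """Return (field_names, records) following the documented rules."""
    lines = text.splitlines()[n_skip_lines:]
    if not lines:
        return [], []
    first = _split(lines[0], sep, n_sep, fixed_sep)
    # nFields = -1: the field count comes from the first line of input.
    count = n_fields if n_fields > 0 else len(first)
    header = first[:count] if header_row else []
    names = [h or "Field%d" % (i + 1) for i, h in enumerate(header)]
    # Fields without a header label are named FieldN by position.
    names += ["Field%d" % i for i in range(len(names) + 1, count + 1)]
    records = []
    for line in (lines[1:] if header_row else lines):
        # Extra fields stay inside the last expected field (split limit),
        # missing fields are padded with NULL.
        values = _split(line, sep, n_sep, fixed_sep, limit=count)
        values += [None] * (count - len(values))
        records.append(dict(zip(names, values)))
    return names, records


if __name__ == "__main__":
    # Equivalent of: -iSeparator:space -nSep:2 -fixedSep:OFF -nSkipLines:3
    for rec in parse_tsv(NETSTAT_SAMPLE, sep=" ", n_sep=2, n_skip_lines=3)[1]:
        print(rec)
```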
Page 366
URLSCAN Input Format

The URLSCAN input format parses log files created by the URLScan IIS filter.
URLScan is an ISAPI filter that allows administrators of web servers to restrict the kind of HTTP requests that the server will process. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage. The URLScan filter maintains a log file describing the actions taken when HTTP requests match the administrator-specified filters.
Log files created by the URLScan filter look like the following example:

[04-30-2002 - 17:09:48] ---------------- Initializing UrlScan.log ----------------
[04-30-2002 - 17:09:48] -- Filter initialization time: [04-30-2002 - 17:09:48] --
[04-30-2002 - 17:09:48] ---------------- UrlScan.dll Initializing ----------------
[04-30-2002 - 17:09:49] UrlScan will return the following URL for rejected requests: "/<Rejected-By-UrlScan>"
[04-30-2002 - 17:09:49] URLs will be normalized before analysis.
[04-30-2002 - 17:09:49] URL normalization will be verified.
[04-30-2002 - 17:09:49] URLs must contain only ANSI characters.
[04-30-2002 - 17:09:49] URLs must not contain any dot except for the file extension.
[04-30-2002 - 17:09:49] URLs will be logged up to 128K bytes.
[04-30-2002 - 17:09:49] Requests with Content-Length exceeding 30000000 will be rejected.
[04-30-2002 - 17:09:49] Requests with URL length exceeding 260 will be rejected.
[04-30-2002 - 17:09:49] Requests with Query String length exceeding 4096 will be rejected.
[04-30-2002 - 17:09:49] Only the following verbs will be allowed (case sensitive):
[04-30-2002 - 17:09:49] 'GET'
[04-30-2002 - 17:09:49] Requests containing the following character sequences will be rejected:
[04-30-2002 - 17:09:49] 'jj'
[04-30-2002 - 17:10:08] Client at 192.168.1.81: URL contains sequence 'jj', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/jj/LogLongUrlsTest_2_124_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
[04-30-2002 - 17:10:08] Client at 192.168.1.81: URL length exceeded maximum allowed. Request will be rejected. Site Instance='1', Raw URL='/jj/LogLongUrlsTest_2_800_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
[04-30-2002 - 17:10:09] Client at 192.168.1.81: URL length exceeded maximum allowed. Request will be rejected. Site Instance='1', Raw URL='/jj/LogLongUrlsTest_2_1000_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
URLSCAN Input Format From-Entity Syntax

<from-entity> ::= URLSCAN |
                  <filename>[,<filename>...]

The <from-entity> specified in queries using the URLSCAN input format is either the "URLSCAN" keyword or a comma-separated list of paths of URLScan log files. When the "URLSCAN" keyword is used, the URLSCAN input format extracts the URLScan log configuration parameters from the UrlScan.ini configuration file and parses all the URLScan log files currently available in the URLScan log file directory.
Filenames can include wildcards (e.g. "URLSCAN\UrlScan*.log").

Examples:
FROM URLSCAN\UrlScan1.log, URLSCAN\UrlScan2.log
FROM \\MYMACHINE\URLSCAN\UrlScan*.log
FROM URLSCAN
URLSCAN Input Format Fields

The input records generated by the URLSCAN input format contain the following fields:

Name          Type       Description
LogFilename   STRING     Full path of the log file containing this entry
LogRow        INTEGER    Line in the log file containing this entry
Date          TIMESTAMP  The date and time at which the request was served (local time)
ClientIP      STRING     The IP address of the client that made the request
Comment       STRING     The filter that matched the request and the action executed by URLScan
SiteInstance  INTEGER    The IIS virtual site instance number that served the request
Url           STRING     The HTTP request url
URLSCAN Input Format Parameters

The URLSCAN input format supports the following parameters:

iCheckpoint
Values: checkpoint filename
Default: not specified
Description: Load and save checkpoint information to this file.
Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new log entries that have been logged since the last execution. For more information, see Parsing Input Incrementally.
Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
URLSCAN Input Format Examples

Clients sending suspicious requests
Retrieve the DNS names of the clients that sent requests matching the URLScan filters:
LogParser "SELECT DISTINCT REVERSEDNS(ClientIP) FROM URLSCAN"
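The following Python sketch is an added example, not part of Log Parser or of the original documentation. It shows how the rejection entries of a URLScan log map onto the fields listed for the URLSCAN input format. The entry layout is inferred from the sample log above; the sample lines are constructed, and the names parse_urlscan and rejections_per_client are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, following the layout of the UrlScan log shown above.
# The last entry carries a client-supplied URL that imitates the log's own
# "Site Instance=..., Raw URL=..." suffix.
SAMPLE_LOG = """\
[04-30-2002 - 17:09:49] Only the following verbs will be allowed (case sensitive):
[04-30-2002 - 17:09:49] 'GET'
[04-30-2002 - 17:10:08] Client at 192.168.1.81: URL contains sequence 'jj', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/jj/test_a'
[04-30-2002 - 17:10:08] Client at 192.168.1.81: URL length exceeded maximum allowed. Request will be rejected.  Site Instance='1', Raw URL='/jj/test_b'
[04-30-2002 - 17:10:12] Client at 192.168.1.90: URL length exceeded maximum allowed. Request will be rejected.  Site Instance='1', Raw URL='/x' Site Instance='9', Raw URL='/benign'
"""

# Only "Client at ..." lines are rejection entries; start-up lines do not match.
# The comment is matched lazily so that the FIRST "Site Instance=" marker wins:
# everything after "Raw URL='" is client-controlled and may repeat the marker.
ENTRY = re.compile(
    r"^\[(?P<ts>\d{2}-\d{2}-\d{4} - \d{2}:\d{2}:\d{2})\] "
    r"Client at (?P<ip>[0-9.]+): "
    r"(?P<comment>.*?)\s+"
    r"Site Instance='(?P<site>\d+)', "
    r"Raw URL='(?P<url>.*)'\s*$"
)


def parse_urlscan(text, log_filename="UrlScan.log"):
    """Return one dict per rejection entry, keyed by the documented field names."""
    records = []
    for row, line in enumerate(text.splitlines(), start=1):  # LogRow assumed 1-based
        m = ENTRY.match(line)
        if m is None:
            continue  # initialization or configuration line
        records.append({
            "LogFilename": log_filename,
            "LogRow": row,
            "Date": datetime.strptime(m["ts"], "%m-%d-%Y - %H:%M:%S"),
            "ClientIP": m["ip"],
            "Comment": m["comment"],
            "SiteInstance": int(m["site"]),
            "Url": m["url"],
        })
    return records


def rejections_per_client(records):
    """Count rejected requests per client IP address."""
    return Counter(r["ClientIP"] for r in records)


if __name__ == "__main__":
    for rec in parse_urlscan(SAMPLE_LOG):
        print(rec["LogRow"], rec["ClientIP"], rec["SiteInstance"], rec["Url"])
```

Because the Url field holds client-supplied text, the last sample entry keeps SiteInstance 1 and returns the whole remainder of the line as the URL.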
W3C Input Format

The W3C input format parses log files in the W3C Extended Log File Format.
Examples of log files in this format include:
Personal Firewall log files
Microsoft Internet Security and Acceleration Server (ISA Server) log files
Windows Media Services log files
Exchange Tracking log files
Simple Mail Transfer Protocol (SMTP) log files

Log files in this format begin with some informative headers ("directives"), the most important of which is the "#Fields" directive, describing which fields are logged at which position in a log row. After the directives, the log entries follow. Each log entry is a space-separated list of field values.
The following example shows a portion of a Personal Firewall W3C Extended Log File Format log file:

#Verson: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-09-03 07:11:54 OPEN UDP 192.168.1.103 192.168.1.108 1026 53 - - - - - - - -
2004-09-03 07:11:54 OPEN TCP 192.168.1.101 192.168.1.108 3005 80 - - - - - - - -
2004-09-03 07:11:55 OPEN TCP 192.168.1.103 192.168.1.108 1104 139 - - - - - - - -
2004-09-03 07:11:55 OPEN TCP 192.168.1.104 192.168.1.108 1103 445 - - - - - - - -

Note: Unlike the IISW3C input format, the W3C input format does not support log files with varying number and/or position of fields. In other words, when parsing a set of W3C log files, all the log entries in all the log files must be structured identically as declared by the first "#Fields" directive encountered in the first log file.

See also: IISW3C Input Format, W3C Output Format
W3C Input Format From-Entity Syntax

<from-entity> ::= <filename>[,<filename>...] |
                  http://<url> |
                  STDIN

The <from-entity> specified in queries using the W3C input format is either:
A comma-separated list of paths of W3C Extended log files, optionally including wildcards;
The URL of a file in the W3C Extended Log File Format;
The "STDIN" keyword, which specifies that the input data is available from the input stream (commonly used when piping command executions).

Examples:
FROM LogFiles1\pf*.log, LogFiles2\pf*.log, \\MyServer\LoggingShare\pf*.log
FROM http://www.microsoft.adatum.com/MyLogFiles/example.log
type mylog.log | LogParser "SELECT * FROM STDIN" -i:W3C
W3C Input Format Fields

The structure of the input records generated by the W3C input format is determined at run time, depending on the input data.
The first two input record fields are fixed, and they are described in the following table:

Name         Type     Description
LogFilename  STRING   Full path of the log file containing this entry
RowNumber    INTEGER  Line in the log file containing this entry

Following these two fields are all the fields declared by the first "#Fields" directive encountered in the input data. The data type of each field extracted from the input data is determined by examining the first n log entries, where n is the value specified for the dtLines parameter, in the following way:
If all the non-empty field values in the first n log entries are formatted as decimal numbers, then the field is assumed to be of the REAL type.
If all the non-empty field values in the first n log entries are formatted as integer numbers, then the field is assumed to be of the INTEGER type.
If all the non-empty field values in the first n log entries are formatted as timestamps in the "yyyy-MM-dd hh:mm:ss" format, then the field is assumed to be of the TIMESTAMP type. In particular, if a field value is formatted as a date in the "yyyy-MM-dd" format, then the value is returned as a date-only TIMESTAMP value. If the field value is formatted as a time of day in the "hh:mm:ss" format, then the value is returned as a time-only TIMESTAMP value.
Otherwise, the field is assumed to be of the STRING type.

Empty values, represented by a hyphen (-) in the W3C Extended Log File Format, are returned as NULL values.
As an example, the following help command displays the input record structure determined by the W3C input format when parsing the specified Personal Firewall log file:
C:\>LogParser -h -i:W3C pfirewall.log
The structure displayed by this help command will be:
Fields:
  LogFilename (S)  RowNumber (I)  date (T)      time (T)
  action (S)       protocol (S)   src-ip (S)    dst-ip (S)
  src-port (I)     dst-port (I)   size (I)      tcpflags (S)
  tcpsyn (I)       tcpack (I)     tcpwin (I)    icmptype (S)
  icmpcode (S)     info (S)
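The type-detection rules above can be followed step by step in the Python sketch below, which is an added example and not Log Parser's own code. The sample log is constructed in the Personal Firewall layout shown earlier; the function name infer_w3c_types is hypothetical, and treating a column with no non-empty sampled values as STRING is an assumption that the documentation does not state.

```python
import re

# Constructed Personal Firewall sample in the layout shown above; the third
# entry is a constructed DROP record that populates the TCP columns.
SAMPLE = """\
#Verson: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-09-03 07:11:54 OPEN UDP 192.168.1.103 192.168.1.108 1026 53 - - - - - - - -
2004-09-03 07:11:54 OPEN TCP 192.168.1.101 192.168.1.108 3005 80 - - - - - - - -
2004-09-03 07:12:01 DROP TCP 192.168.1.105 192.168.1.108 1200 135 48 S 1234567 0 16384 - - -
"""

INT_RE = re.compile(r"^[+-]?\d+$")
REAL_RE = re.compile(r"^[+-]?\d+(\.\d+)?$")
# Full timestamp, date-only, or time-only values all map to TIMESTAMP.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?|\d{2}:\d{2}:\d{2})$")


def classify(values):
    """Apply the documented rules to the non-empty sampled values of one field."""
    if not values:
        return "STRING"  # assumption: nothing sampled, nothing to infer
    # INTEGER is tested before REAL because every integer is also a decimal number.
    if all(INT_RE.match(v) for v in values):
        return "INTEGER"
    if all(REAL_RE.match(v) for v in values):
        return "REAL"
    if all(TS_RE.match(v) for v in values):
        return "TIMESTAMP"
    return "STRING"


def infer_w3c_types(text, dt_lines=10):
    """Return {field name: type} using the first dt_lines log entries."""
    fields = None
    sampled = []
    for line in text.splitlines():
        if line.startswith("#"):
            # Only the first "#Fields" directive defines the record structure.
            if fields is None and line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or fields is None:
            continue
        if len(sampled) >= dt_lines:
            break
        sampled.append(line.split())
    if fields is None:
        raise ValueError("no #Fields directive found")
    types = {}
    for i, name in enumerate(fields):
        # A hyphen is the W3C empty value (returned as NULL), so it is skipped.
        values = [row[i] for row in sampled if i < len(row) and row[i] != "-"]
        types[name] = classify(values)
    return types


if __name__ == "__main__":
    for name, kind in infer_w3c_types(SAMPLE).items():
        print(f"{name} ({kind[0]})")
```

With the default of 10 lines the result matches the types in the help output above; with -dtLines:2 the sketch never sees the DROP entry, so the size and TCP columns fall back to STRING.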
W3C Input Format Parameters

The W3C input format supports the following parameters:

iCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the log file.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -iCodepage:1245

dtLines
Values: number of lines (number)
Default: 10
Description: Number of lines examined to determine field types at run time.
Details: This parameter specifies the number of initial log lines that the W3C input format examines to determine the data type of the input record fields. If the value is zero, all fields will be assumed to be of the STRING data type. For more information on how field data types are determined, see W3C Input Format Fields.
Example: -dtLines:50

dQuotes
Values: ON|OFF
Default: OFF
Description: Specifies that string values in the log are double-quoted.
Details: Some W3C log files enclose string values within double-quote characters (").
Example: -dQuotes:ON

separator
Values: a single character | space | tab | auto
Default: auto
Description: Separator character between fields.
Details: Different W3C log files can use different separator characters between the fields; for example, Exchange Tracking log files use tab characters, while Personal Firewall log files use space characters. The "auto" value instructs the W3C input format to detect automatically the separator character used in the input log(s).
Example: -separator:tab

W3C Input Format Examples

Clients Sending Dropped Packets
Return all the clients that sent a packet dropped by Personal Firewall:
LogParser "SELECT DISTINCT src-ip FROM pfirewall.log WHERE action='DROP'" -i:W3C
XML Input Format

The XML input format parses XML text files.
XML files (also called "XML documents") are hierarchies of nodes. Nodes can include other nodes, and each node can have a node value and a set of attributes. For example, the following XML node has a value (in this instance, "Rome"), and a single attribute ("Population", whose value is, in this example, "3350000"):
<CITY Population='3350000'>Rome</CITY>
XML documents can be parsed in different ways, and the XML input format offers three distinct usages whose applicability depends on the structure of the documents, and on the structure of the information that needs to be extracted.
Note: The XML input format requires the Microsoft XML parser (MSXML) to be installed on the computer running Log Parser.

See also: XML Output Format
XML Input Format From-Entity Syntax

<from-entity> ::= <document>[#<XPath>][,<document>[#<XPath>]...]
<document>    ::= <filename> | <url>

The <from-entity> specified in queries using the XML input format is a comma-separated list of paths or URLs of XML files. Filenames or URLs can be optionally followed by an XPath that specifies which node(s) in the document are to be considered root node(s).
Filenames can include wildcards (e.g. "LogFiles\doc*.xml").

Examples:
FROM Document1.xml, http://blogs.msdn.com/MainFeed.aspx
FROM Document1.xml#/rss/channel/item, http://blogs.msdn.com/MainFeed.aspx#/rss/channel/item
XML Input Format Fields

The structure of the input records generated by the XML input format is determined at run time, depending on the document being parsed, and on the values specified for the input format parameters.
The XML input format parses an XML document by "visiting" the nodes in the document, and the input record fields are the attributes and values of the nodes that are visited by the XML input format.
By default, nodes are visited from the document root, that is, the single top-level node in an XML document that contains all the other nodes in the document. However, by supplying an XPath in either the from-entity or as a value of the rootXPath parameter, users can specify that the document nodes are to be visited starting from the node(s) selected by the XPath.
Before parsing the XML document and returning the input records, the XML input format initially examines the nodes found along the paths from the root node or from the node(s) selected by the user-supplied root XPath to the first n leaf nodes, where n is the value of the dtNodes parameter. During this phase, the XML input format creates a representation of the tree structure ("schema" tree) by merging nodes with the same name and hierarchical position. When completed, the schema tree contains one single instance of each node type, and each node contains an attribute set equal to the union of all the attributes found in the nodes of that type. At this moment, an input record field is created for each attribute belonging to a node type and for each node type having a value.
Once the schema tree has been determined and the input record structure has been created, the XML input format parses the XML document and generates input records, visiting the document nodes and extracting their values and attributes. The XML input format implements three different algorithms to decide how document nodes will be visited. The three algorithms represent three different ways in which the information contained in an XML document can be retrieved, and the choice of an algorithm depends on the structure of the document and on the structure of the information that needs to be extracted. Since different algorithms visit different sets of nodes, the choice of an algorithm affects which fields (i.e. which node attributes and values) will be contained in the input records. Users can specify the algorithm to use through the fMode ("field mode") parameter, which can be set to "Branch", "Tree", or "Node".
Branch Field Mode

In this mode, input records contain the attributes and values of the nodes that are visited along all the possible paths from the document root or from the node(s) selected by the user-supplied root XPath to all the leaf nodes.
This mode is appropriate for documents in which each hierarchical level consists of nodes of the same type, as depicted in the following diagram:
In this structure, the root node contains only nodes of type "A", and each "A" node contains only nodes of type "B". For example, the root of the following XML document contains "Continent" nodes only; each "Continent" node contains "Country" nodes only, and each "Country" node contains "City" nodes only:

<?xml version="1.0"?>
<World>
  <Continent ContinentName='North America'>
    <Country CountryName='USA'>
      <City>Redmond</City>
      <City>San Francisco</City>
    </Country>
    <Country CountryName='Canada'>
      <City>Vancouver</City>
      <City>Toronto</City>
    </Country>
  </Continent>
  <Continent ContinentName='Europe'>
    <Country CountryName='Italia'>
      <City Population='3350000'>Roma</City>
      <City>Milano</City>
    </Country>
  </Continent>
</World>

This document can be thought of as containing six "entries", the leaf "City" nodes, with the information associated with each entry being contained in the nodes that are encountered along a path from the root node to the leaf node. In this example, the information about "Roma" includes the attributes and value of the "City" node (the "Roma" node value and the "3350000" value of its "Population" attribute), the attributes and value of its parent "Country" node (the "Italia" value of the "CountryName" attribute), and the attributes and value of its grandparent "Continent" node (the "Europe" value of the "ContinentName" attribute).
The schema tree extracted from this example document specifies that the document root node contains nodes of the "Continent" type, and that nodes of this type have a "ContinentName" attribute. "Continent" nodes, in turn, contain nodes of the "Country" type, with a "CountryName" attribute; finally, "Country" nodes contain nodes of the "City" type, and nodes of this type have a value, and a "Population" attribute. The input records generated after the schema tree would thus contain four fields: "ContinentName", "CountryName", "City", and "Population".
When using the "Branch" field mode, the XML input format generates an input record for each path from the document root node or from the node(s) selected by the user-supplied root XPath to all the leaf nodes. Each input record contains the attributes and values of the nodes encountered along the path:
[Diagram: Record 1 to Record 5, one input record per path]
If a node does not specify an attribute that is contained in the attribute superset of the corresponding schema tree node, or if a node does not supply a value while the corresponding schema tree node specifies that at least one node of that type has a value, then the corresponding field value is set to NULL. For example, parsing the above example XML document in "Branch" field mode would produce the following output:

ContinentName CountryName City          Population
------------- ----------- ------------- ----------
North America USA         Redmond       -
North America USA         San Francisco -
North America Canada      Vancouver     -
North America Canada      Toronto       -
Europe        Italia      Roma          3350000
Europe        Italia      Milano        -
Tree Field Mode

In this mode, input records contain the attributes and values of the nodes found in subtrees that include all nodes of distinct types.
This mode is appropriate for documents in which a specific hierarchical level contains child nodes all having different types, as depicted in the following diagram:
In this structure, the root node contains only nodes of type "A"; each "A" node however contains nodes all having different types (a single "B" node, a single "C" node, and a single "D" node). For example, the root of the following XML document contains "Message" nodes; each "Message" node contains a single "From" node, a single "To" node, and a single "Body" node:

<?xml version="1.0"?>
<Messages>
  <Message Date='2004-05-28T12:24:05'>
    <From>Gabriele</From>
    <To>Monica</To>
    <Body>How's going?</Body>
  </Message>
  <Message Date='2004-05-28T13:01:14'>
    <From>Monica</From>
    <To>Gabriele</To>
    <Body>Fine, thanks.</Body>
  </Message>
</Messages>

This document can be thought of as containing two "entries", the "Message" subtrees, with the information associated with each entry being contained in all the nodes in the subtree and in the nodes that are encountered along a path from the root node to the subtree root. In this example, the information about a message includes the attributes and values of all the nodes included in the subtree ("From", "To", and "Body" nodes), and the attributes and values of all the nodes encountered along the path from the document root to the subtree root ("Date" attribute of the "Message" node).
The schema tree extracted from this example document specifies that the document root node contains nodes of the "Message" type, and that nodes of this type have a "Date" attribute. "Message" nodes, in turn, contain nodes of the "From", "To", and "Body" types, each type having a node value. The input records generated after the schema tree would thus contain four fields: "Date", "From", "To", and "Body".
When using the "Tree" field mode, the XML input format generates an input record for each subtree that includes all nodes of distinct types. Each input record contains the attributes and values of the nodes found in the subtrees, together with the attributes and values of the nodes encountered along the paths from the document root node or from the node(s) selected by the user-supplied root XPath to the subtree root nodes:
[Diagram: Record 1 and Record 2]
For example, parsing the above example XML document in "Tree" field mode would produce the following output:

Date                From     To       Body
------------------- -------- -------- -------------
2004-05-28 12:24:05 Gabriele Monica   How's going?
2004-05-28 13:01:14 Monica   Gabriele Fine, thanks.

While parsing an XML document in "Tree" mode, if a subtree is found containing multiple instances of the same node type, that subtree is "replicated" combinatorially to generate all the possible subtrees containing one single instance of each node type. The following diagram depicts an XML document in which a subtree contains multiple instances of the same node type:
In this diagram, the "A" node contains one instance of the "B" node type, two instances of the "C" node type, and two instances of the "D" node type. For example, the "Message" node in the following XML document contains a single "From" node, two "To" nodes, and two "Body" nodes:

<?xml version="1.0"?>
<Messages>
  <Message Date='2004-05-28T12:24:05'>
    <From>Gabriele</From>
    <To>Jeff</To>
    <To>Steve</To>
    <Body Language='ENU'>Review ready?</Body>
    <Body Language='ITA'>E' pronta la review?</Body>
  </Message>
</Messages>

This document can be thought of as a "compact" representation of four different messages:
From "Gabriele" to "Jeff" in the "ENU" language;
From "Gabriele" to "Jeff" in the "ITA" language;
From "Gabriele" to "Steve" in the "ENU" language;
From "Gabriele" to "Steve" in the "ITA" language;

When using the "Tree" field mode, these "Message" subtrees are replicated combinatorially to generate all the possible subtrees containing one single instance of each of the "From", "To", and "Body" node types:
[Diagram: Record 1 to Record 4]
For example, parsing the above example XML document in "Tree" field mode would produce the following output:

Date                From     To    Body                 Language
------------------- -------- ----- -------------------- --------
2004-05-28 12:24:05 Gabriele Jeff  Review ready?        ENU
2004-05-28 12:24:05 Gabriele Jeff  E' pronta la review? ITA
2004-05-28 12:24:05 Gabriele Steve Review ready?        ENU
2004-05-28 12:24:05 Gabriele Steve E' pronta la review? ITA

Node Field Mode

In this mode, input records contain only the attributes and values of the document root node or of the node(s) selected by the user-supplied root XPath.
This mode is appropriate for situations in which the information to be retrieved is associated with a specific node type only. For example, the relevant information in the document depicted by the following diagram might be associated with "B" node types only:
When using the "Node" field mode, the XML input format generates an input record for each root node, either the document root or the node(s) selected by the user-supplied root XPath. Each input record contains the attributes and values of that node only:
[Diagram: Record 1 and Record 2]
For example, parsing the previous "Cities" example XML document in "Node" field mode specifying "/World/Continent/Country" as the root XPath would produce the following output:

CountryName
-----------
USA
Canada
Italia

Field Types

The data type of each field extracted from the schema tree is determined in the following way:
If all the non-empty field values (node values or attribute values) encountered while constructing the schema tree are formatted as decimal numbers, then the field is assumed to be of the REAL type.
If all the non-empty field values (node values or attribute values) encountered while constructing the schema tree are formatted as integer numbers, then the field is assumed to be of the INTEGER type.
If all the non-empty field values (node values or attribute values) encountered while constructing the schema tree are formatted as timestamps in the format specified by the iTsFormat parameter, then the field is assumed to be of the TIMESTAMP type.
Otherwise, the field is assumed to be of the STRING type.

As an example, the following help command displays the input record structure determined by the XML input format when parsing the previous "Cities" example XML document:
C:\>LogParser -h -i:XML Cities.xml
The structure displayed by this help command will be:
Fields:
  ContinentName (S)  CountryName (S)  City (S)  Population (I)
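The combinatorial replication described for the "Tree" field mode can be reproduced with the Python sketch below, which is an added example and not Log Parser's implementation. It is narrowed to the case in the documentation's example, where the children of each subtree root are leaf nodes; the function name tree_mode_records is hypothetical, and values are kept as strings rather than converted to typed fields.

```python
import itertools
import xml.etree.ElementTree as ET

# The "compact" Messages document from the Tree Field Mode section above.
DOC = """<?xml version="1.0"?>
<Messages>
  <Message Date='2004-05-28T12:24:05'>
    <From>Gabriele</From>
    <To>Jeff</To>
    <To>Steve</To>
    <Body Language='ENU'>Review ready?</Body>
    <Body Language='ITA'>E' pronta la review?</Body>
  </Message>
</Messages>"""


def tree_mode_records(xml_text, subtree_tag):
    """Return (fields, records) for subtrees rooted at subtree_tag.

    Assumes every child of a subtree root is a leaf node. A field that a
    record does not supply stays None, standing in for NULL.
    """
    root = ET.fromstring(xml_text)
    subtrees = list(root.iter(subtree_tag))

    # Schema pass: one field per attribute and per valued node type,
    # merged across all subtrees in first-seen order.
    fields = []

    def add_field(name):
        if name not in fields:
            fields.append(name)

    for node in subtrees:
        for attr in node.attrib:
            add_field(attr)
        for child in node:
            add_field(child.tag)
            for attr in child.attrib:
                add_field(attr)

    records = []
    for node in subtrees:
        # Group the children by node type, keeping document order.
        groups = {}
        for child in node:
            groups.setdefault(child.tag, []).append(child)
        # One record per way of choosing a single instance of each type.
        for combo in itertools.product(*groups.values()):
            record = dict.fromkeys(fields)
            record.update(node.attrib)
            for child in combo:
                record[child.tag] = (child.text or "").strip() or None
                record.update(child.attrib)
            records.append(record)
    return fields, records


if __name__ == "__main__":
    names, rows = tree_mode_records(DOC, "Message")
    print(" | ".join(names))
    for row in rows:
        print(" | ".join(str(row[name]) for name in names))
```

The number of records per subtree is the product of the instance counts of each node type (here 1 x 2 x 2 = 4), so documents with many repeated sibling nodes expand quickly in this mode.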
XML Input Format Parameters

The XML input format supports the following parameters:

rootXPath
Values: XPath query
Default: not specified
Description: XPath query of document node(s) to be considered root node(s).
Details: The node(s) selected by the specified XPath replace the document root node as the starting node(s) from which all the document nodes are visited.
Note: This parameter is ignored for XML documents whose filename or URL has been specified together with an optional XPath in the from-entity.
Note: The XPath specified for this parameter is case-sensitive. If an XPath is specified containing non-existing node or attribute names, or containing node or attribute names with the wrong capitalization, no root node is selected and an error is returned.
Example: -rootXPath:/World/Continent/Country

fMode
Values: Branch | Tree | Node | Auto
Default: Auto
Description: Algorithm to use when visiting the document nodes.
Details: For information on the "Branch", "Tree", and "Node" visit algorithms see XML Input Format Fields. The "Auto" value instructs the XML input format to determine automatically the best algorithm after inspecting the structure of the input document(s).
Example: -fMode:Tree

iTsFormat
Values: timestamp format
Default: yyyy-MM-dd?hh:mm:ss
Description: Format of timestamp values in the document.
Details: This parameter specifies the date and/or time format used in the document being parsed. Values of nodes or attributes matching the specified format are returned as values of the TIMESTAMP data type. For more information on date and time formats, see Timestamp Format Specifiers.
Example: -iTsFormat:"MMM dd, yyyy"

dtNodes
Values: number of leaf nodes (number)
Default: -1
Description: Number of leaf nodes to be examined when determining the document structure.
Details: In order to determine the input document structure, the XML input format initially examines the nodes found along the paths from the root node or from the node(s) selected by the user-supplied root XPath to the first n leaf nodes, where n is the value specified for this parameter. Specifying -1 causes the XML input format to examine all the nodes in the input document.
Example: -dtNodes:50

fNames
Values: Compact | XPath
Default: Compact
Description: Field naming schema.
Details: Specifying "Compact" causes the XML input format to create field names using the names of the corresponding nodes or attributes. If a field name is not unique, a sequential number is appended to the name to render it unique. Example field names in the "Compact" mode are:
ContinentName
CountryName
City
Population
Specifying "XPath" causes the XML input format to create field names using the XPath queries for the corresponding nodes or attributes. Example field names in the "XPath" mode are:
/World/Continent/@ContinentName
/World/Continent/Country/@CountryName
/World/Continent/Country/City
/World/Continent/Country/City/@Population
Example: -fNames:XPath
XML Input Format Examples

MSDN BLogs Channel Titles
Display titles of current channels on MSDN BLogs:
LogParser "SELECT title FROM http://blogs.msdn.com/MainFeed.aspx#/rss/channel/item" -i:XML -fMode:Tree

Check Names from MBSA report
Display the checks in an MBSA report:
LogParser "SELECT Name FROM MYMACHINE.xml#/SecScan/Check" -fMode:Node
Output Formats

Generic Text File Output Formats
NAT: formats output records as readable tabulated columns.
CSV: formats output records as comma-separated values text.
TSV: formats output records as tab-separated or space-separated values text.
XML: formats output records as XML documents.
W3C: formats output records in the W3C Extended Log File Format.
TPL: formats output records following user-defined templates.
IIS: formats output records in the Microsoft IIS Log File Format.

Special-purpose Output Formats
SQL: uploads output records to a table in a SQL database.
SYSLOG: sends output records to a Syslog server.
DATAGRID: displays output records in a graphical user interface.
CHART: creates image files containing charts.
CHART Output Format

The CHART output format creates image files containing charts of the output record field values.
When using the CHART output format, output record fields must be of the INTEGER or REAL data types, in order for their values to be plotted in a chart. The first field only can optionally be of the STRING or TIMESTAMP data types, in which case its values are used as the names of the categories on the X-axis of the chart.
The following example command creates a chart plotting the number of events logged in the System Event Log by each event source. The first field in the output records of this query is the name of the event source, and the CHART output format will use its values to label the categories along the X-axis of the chart. The second field in the output records is the number of events, which will be plotted on the chart:
LogParser "SELECT SourceName, COUNT(*) AS [Number of Events] INTO Events.gif FROM System GROUP BY SourceName ORDER BY [Number of Events] DESC" -o:CHART -chartType:Column3D
The resulting chart will look like the following example:
Charts can also contain multiple series plotted from the values of different output record fields. For example, the following command calculates the average, minimum, and maximum number of bytes served for each web page type:
LogParser "SELECT TO_UPPERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, MIN(sc-bytes) AS Minimum, AVG(sc-bytes) AS Average, MAX(sc-bytes) AS Maximum INTO BytesChart.gif FROM <1> GROUP BY PageType ORDER BY Average ASC" -o:CHART -chartType:Column3D
The resulting chart will look like the following example:
The CHART output format requires the Microsoft Office Web Components, which are generally installed with Microsoft Office 2000, Microsoft Office XP, and Microsoft Office 2003. In order to use the CHART output format, users must have a valid license of Microsoft Office for the computer executing the Log Parser query.
CHART Output Format Configuration Scripts

Charts created by the CHART output format can be customized by user-provided scripts in the JScript or VBScript languages that are executed by the CHART output format prior to generating the output image file.
These scripts can refer to two global objects which expose methods and properties that can be used to modify parameters such as the chart colors, the chart fonts, and many other attributes. The two global objects available to configuration scripts are instances of the chartSpace and chart objects of the Microsoft Office Web Components ChartSpace object model, and they are named "chartSpace" and "chart", respectively. For information on the Office Web Components ChartSpace object model, and on the chartSpace and chart objects, visit the MSDN ChartSpace Object Model documentation.
The following example script in the JScript language manipulates the chartSpace and chart objects to add a caption to the chart and to set the background color to the transparent color:

// Add a caption
chartSpace.HasChartSpaceTitle = true;
chartSpace.ChartSpaceTitle.Caption = "Generated by Log Parser 2.2";
chartSpace.ChartSpaceTitle.Font.Size = 6;
chartSpace.ChartSpaceTitle.Position = chartSpace.Constants.chTitlePositionBottom;

// Change the background color
chart.PlotArea.Interior.Color = chartSpace.Constants.chColorNone;

Configuration scripts are used with the CHART output format by specifying their path as a value to the config parameter, as shown in the following example:
LogParser "SELECT SourceName, COUNT(*) AS [Number of Events] INTO Events.gif FROM System GROUP BY SourceName ORDER BY [Number of Events] DESC" -o:CHART -chartType:Column3D -config:MyScript.js
The resulting chart will look like the following example:
CHART Output Format Into-Entity Syntax

<into-entity> ::= <filename>

The <into-entity> specified in queries using the CHART output format is the path to the output image file.

Examples:
INTO MyChart.gif
INTO \\COMPUTER01\Charts\Chart02.jpg
CHART Output Format Parameters

The CHART output format supports the following parameters:

chartType
Values: name of chart type
Default: Line
Description: Chart type.
Details: The set of available chart types depends on the version of the Microsoft Office Web Components installed on the local computer. For a list of the available chart types, type the following help command from the command-line shell:
LogParser -h -o:CHART
Example: -chartType:Pie3D

categories
Values: ON|OFF|AUTO
Default: AUTO
Description: Display category labels along the category axis.
Details: When this parameter is set to "ON", the CHART output format uses the values of the first output record field to display category labels along the category axis. Setting this parameter to "AUTO" causes the CHART output format to display category labels only when the first output record field is of the STRING or TIMESTAMP data types. Setting this parameter to "OFF" prevents the CHART output format from displaying category labels.
Example: -categories:ON

maxCategoryLabels
Values: number
Default: 0
Description: Maximum number of category labels displayed along the category axis.
Details: This parameter is used to limit the number of category labels displayed along the category axis, in order to prevent clutter in the output image. When this parameter is set to "0", the CHART output format calculates the maximum number of category labels to display as a function of the dimensions of the target image. Setting this parameter to "-1" causes the number of category labels displayed along the category axis to be unlimited.
Example: -maxCategoryLabels:20

legend
Values: ON|OFF|AUTO
Default: AUTO
Description: Display a legend describing the series.
Details: When this parameter is set to "ON", the CHART output format displays a legend on the chart that describes the series being plotted. Setting this parameter to "AUTO" causes the CHART output format to display a legend only when 2 or more series are being plotted. Setting this parameter to "OFF" prevents the CHART output format from displaying a legend.
Example: -legend:ON

values
Values: ON|OFF|AUTO
Default: AUTO
Description: Display value labels.
Details: When this parameter is set to "ON", the CHART output format displays a label along each value being plotted, showing its numeric value. Setting this parameter to "AUTO" causes the CHART output format to display value labels depending on the type of chart selected. Setting this parameter to "OFF" prevents the CHART output format from displaying value labels.
Example: -values:ON

groupSize
Values: widthxheight
Default: 640x480
Description: Dimensions of the target image, in pixels.
Details: This parameter specifies the width and height of the target image, in pixels.
Example: -groupSize:400x260

fileType
Values: GIF|JPG|AUTO
Default: AUTO
Description: Format of the output image file.
Details: When this parameter is set to "AUTO", the CHART output format determines the output image file format by inspecting the extension of the file specified for the into-entity.
Example: -fileType:JPG

config
Values: comma-separated list of file paths
Default: not specified
Description: Configuration scripts to use for chart customization.
Details: This parameter specifies a comma-separated list of scripts in the JScript or VBScript languages that can be used to further customize the chart generated by the CHART output format. For more information on configuration scripts, see CHART Output Format Configuration Scripts.
Example: -config:C:\MyScripts\MyConfig1.js,C:\MyScripts\MyConfig2.vbs
chartTitle
Values: charttitle
Default: Auto
Description: Titleofthechart.
Details: Whenthisparameterissetto"Auto"andtheoutputrecordscontain1seriesonly,theCHARToutputformatusestheseries'fieldnameasthetitleofthechart.
Example: -chartTitle:"BytesPerPage"oTsFormat
Values: timestampformat
Page 406
Default: yyyy-MM-ddhh:mm:ss
Description: Formatoftimestampvaluesinthecategorylabels.
Details: Thisparameterspecifiesthedateand/ortimeformattousewhenformattingvaluesoftheTIMESTAMPdatatypetogeneratecategorylabels.Formoreinformationondateandtimeformats,seeTimestampFormatSpecifiers.
Example: -oTsFormat:"MMMdd,yyyy"view
Values: ON|OFF
Default: OFF
Description: Displaychartimage.
Details: Settingthisparameterto"ON"causestheCHARToutputformattoopenawindowdisplayingthegeneratedoutputimagefile.
Example: -view:ON
©2004MicrosoftCorporation.Allrightsreserved.
CHART Output Format Examples
Top 20 URL's
Create a chart containing the TOP 20 URL's in the "www.margiestravel.com" web site:
LogParser "SELECT TOP 20 cs-uri-stem, COUNT(*) AS Hits INTO MyChart.gif FROM <www.margiestravel.com> GROUP BY cs-uri-stem ORDER BY Hits DESC" -chartType:Column3D -groupSize:1024x768
Bytes per Page Type
Create a pie chart with the distribution of bytes served for each page type:
LogParser "SELECT TO_UPPERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, MUL(PROPSUM(sc-bytes),100.0) AS Bytes INTO Pie.gif FROM <1> GROUP BY PageType ORDER BY Bytes DESC" -chartType:PieExploded -chartTitle:"Bytes per page type" -categories:off
CSV Output Format
The CSV output format writes output records as comma-separated values text.
The output of the CSV output format consists of multiple lines of text, one line for each output record. Each line contains the values of the output record fields, separated by a comma (,) character. Depending on the value of the oDQuotes parameter, field values can be enclosed within double-quote characters ("). If enabled through the headers parameter, the first line in the output is a "header" that contains the names of the fields.
The following sample shows the output of the CSV output format when using the default values for its parameters:
EventID,SourceName,EventType,TimeGenerated
6009,EventLog,4,2004-04-18 18:48:04
6005,EventLog,4,2004-04-18 18:48:04
7024,Service Control Manager,1,2004-04-18 18:48:27
7035,Service Control Manager,4,2004-04-18 18:48:27
7035,Service Control Manager,4,2004-04-18 18:48:27
7036,Service Control Manager,4,2004-04-18 18:48:27
7036,Service Control Manager,4,2004-04-18 18:48:27
7035,Service Control Manager,4,2004-04-18 18:48:27
7036,Service Control Manager,4,2004-04-18 18:48:27
7035,Service Control Manager,4,2004-04-18 18:48:27
7036,Service Control Manager,4,2004-04-18 18:48:27
7035,Service Control Manager,4,2004-04-18 18:48:27
7036,Service Control Manager,4,2004-04-18 18:48:27
7035,Service Control Manager,4,2004-04-18 18:48:27
7036,Service Control Manager,4,2004-04-18 18:48:27
7036,Service Control Manager,4,2004-04-18 18:48:27
7035,Service Control Manager,4,2004-04-18 18:48:36
7036,Service Control Manager,4,2004-04-18 18:51:26
7036,Service Control Manager,4,2004-04-18 18:51:29
6006,EventLog,4,2004-04-18 18:51:37
Files created with the CSV output format are suitable to be consumed by a large number of applications that handle CSV text files, including Microsoft Excel and generic spreadsheet applications.
See also: TSV Output Format, CSV Input Format
CSV Output Format Into-Entity Syntax
<into-entity> ::= <filename> | STDOUT
The <into-entity> specified in queries using the CSV output format is either:
A filename;
The "STDOUT" keyword, which specifies that the output data is to be written to the output stream (the console output).
The default into-entity for queries that do not specify an INTO clause is "STDOUT".
The CSV output format supports the multiplex feature, which can be enabled by specifying '*' wildcards in the into-entity filename. This feature allows output records to be written to different files depending on the values of their fields. For more information on the multiplex feature, see Multiplexing Output Records.
Examples:
INTO report.csv
INTO \\COMPUTER01\Reports\report.csv
INTO STDOUT
INTO Reports_*_*\Report*.csv
CSV Output Format Parameters
The CSV output format supports the following parameters:
headers
Values: ON|OFF|AUTO
Default: AUTO
Description: Write a header line containing the field names.
Details: This parameter controls the CSV header line that is output at the beginning of each file. The possible values for this parameter are:
ON: always write the header;
OFF: never write the header;
AUTO: write the header only when not appending to an existing file.
Example: -headers:OFF
oDQuotes
Values: ON|OFF|AUTO
Default: AUTO
Description: Enclose field values within double-quote characters (").
Details: This parameter controls whether or not the CSV output format should enclose field values within double-quote characters ("). The possible values for this parameter are:
ON: always enclose field values within double-quote characters;
OFF: never enclose field values within double-quote characters;
AUTO: enclose within double-quote characters only those field values that contain comma (,) characters.
Example: -oDQuotes:ON
tabs
Values: ON|OFF
Default: OFF
Description: Write a tab character after each comma separator.
Details: Setting this parameter to "ON" causes the CSV output format to write a tab character after each comma field separator, in order to improve readability of the CSV output. Note that using tabs between field values might generate output that is not compatible with certain spreadsheet applications.
Example: -tabs:ON
oTsFormat
Values: timestamp format
Default: yyyy-MM-dd hh:mm:ss
Description: Format of timestamp values in the output CSV data.
Details: This parameter specifies the date and/or time format to use when formatting values of the TIMESTAMP data type. For more information on date and time formats, see Timestamp Format Specifiers.
Example: -oTsFormat:"MMM dd, yyyy"
oCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the output text.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -oCodepage:1245
fileMode
Values: 0|1|2
Default: 1
Description: Action to perform when an output file already exists.
Details: This parameter controls the behavior of the CSV output format when the into-entity specifies directly or indirectly through the "multiplex" feature the name of a file that already exists. The possible values for this parameter are:
0: existing files are appended with the output;
1: existing files are overwritten with the output;
2: existing files are left intact, discarding the output.
Example: -fileMode:0
CSV Output Format Examples
File Information
Create a CSV file containing information on the files contained in the specified directory:
LogParser "SELECT Path, Name, Size, Attributes INTO Files.csv FROM C:\Test\*.*" -i:FS -o:CSV -recurse:0
Security Events
Retrieve the 10 latest events from the Security event log and write their information to a CSV file for each event ID:
LogParser "SELECT TOP 10 EventID, EventTypeName, Message INTO Events_*.csv FROM Security" -i:EVT -direction:BW -o:CSV
DATAGRID Output Format
The DATAGRID output format displays output records in a graphical user interface.
Output records are displayed in a scrollable grid that allows users to browse through the query results. Individual output records can be selected and copied to the clipboard as CSV-formatted data that can be pasted into another application.
The following screenshot shows the DATAGRID window displaying the results of a query:
Controls in the DATAGRID user interface allow users to resize the window and the individual output record columns, and to change the properties of the font used to display the data.
See also: NAT Output Format
DATAGRID Output Format Into-Entity Syntax
<into-entity> ::= DATAGRID
Queries using the DATAGRID output format are not required to specify an INTO clause. If an INTO clause is used, its <into-entity> must be specified as "DATAGRID".
Using the "DATAGRID" keyword in the <into-entity> allows Log Parser to select the DATAGRID output format automatically when no output format is explicitly specified.
Examples:
INTO DATAGRID
DATAGRID Output Format Parameters
The DATAGRID output format supports the following parameters:
rtp
Values: number of rows
Default: 10
Description: Rows to print before pausing.
Details: The DATAGRID output format displays output records in batches made up of a number of rows equal to the value specified for this parameter. Once a batch of rows has been displayed, the "Next n rows" button is enabled, and the DATAGRID output format waits for the user to press the button before displaying the next batch of rows. Specifying "-1" for this parameter disables batching altogether.
Example: -rtp:-1
autoScroll
Values: ON|OFF
Default: ON
Description: Automatically scroll window when new rows are output.
Details: When this parameter is set to "ON", the DATAGRID window scrolls down automatically whenever new output records are displayed, in order to position the display grid over the latest output records. Setting this parameter to "OFF" causes the grid position to remain unaltered when new output records are displayed. This parameter is also accessible from the View menu in the DATAGRID window.
Example: -autoScroll:OFF
DATAGRID Output Format Examples
Users' Job Titles
Retrieve users' job title breakdown from Active Directory:
LogParser "SELECT title, MUL(PROPCOUNT(*),100.0) AS Percentage INTO DATAGRID FROM 'LDAP://MyUsername:MyPassword@mydomain/CN=Users,DC=mydomain,DC=com' WHERE title IS NOT NULL GROUP BY title ORDER BY Percentage DESC" -objClass:User
Registry Type Distribution
Display the distribution of registry value types:
LogParser "SELECT ValueType, COUNT(*) FROM \HKLM GROUP BY ValueType" -o:DATAGRID
IIS Output Format
The IIS output format writes output records in the Microsoft IIS Log File Format.
The following example shows a sample output file generated by the IIS output format:
192.168.1.1, -, 11/18/2003, 0:28:33, -, -, 192.168.1.100, 15, 194, 345, 304, -, GET, /Default.htm, -,
192.168.1.1, -, 11/18/2003, 0:28:33, -, -, 192.168.1.100, 0, 139, 323, 304, -, GET, /style.css, -,
192.168.1.1, -, 11/18/2003, 0:28:33, -, -, 192.168.1.100, 0, 139, 334, 304, -, GET, /images/address.gif, -,
192.168.1.1, -, 11/18/2003, 0:28:33, -, -, 192.168.1.100, 31, 2285, 273, 200, -, GET, /cgi-bin/counts.exe, test=npa&style=14,
192.168.1.2, -, 11/18/2003, 0:28:42, -, -, 192.168.1.100, 1828, 666, 442, 200, -, GET, /home/rules.htm, -,
192.168.1.2, -, 11/18/2003, 0:28:42, -, -, 192.168.1.100, 47, 2018, 463, 200, -, GET, /home/rules.htm, -,
192.168.1.2, -, 11/18/2003, 0:28:42, -, -, 192.168.1.100, 62, 8903, 308, 200, -, GET, /home/rules.htm, -,
See also: IIS Input Format
IIS Output Format Into-Entity Syntax
<into-entity> ::= <filename> | STDOUT
The <into-entity> specified in queries using the IIS output format is either:
A filename;
The "STDOUT" keyword, which specifies that the output data is to be written to the output stream (the console output).
The default into-entity for queries that do not specify an INTO clause is "STDOUT".
The IIS output format supports the multiplex feature, which can be enabled by specifying '*' wildcards in the into-entity filename. This feature allows output records to be written to different files depending on the values of their fields. For more information on the multiplex feature, see Multiplexing Output Records.
Examples:
INTO inetsv1.log
INTO \\COMPUTER01\Logs\in040528.log
INTO STDOUT
INTO Logs_*_*\in*.log
IIS Output Format Parameters
The IIS output format supports the following parameters:
rtp
Values: number of rows
Default: 10
Description: Rows to print before pausing.
Details: When writing to STDOUT, the IIS output format displays output records in batches made up of a number of rows equal to the value specified for this parameter. Once a batch of rows has been displayed, the IIS output format prompts the user to press a key to display the next batch of rows. Specifying "-1" for this parameter disables batching altogether.
Example: -rtp:-1
oCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the output text.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -oCodepage:1245
fileMode
Values: 0|1|2
Default: 1
Description: Action to perform when an output file already exists.
Details: This parameter controls the behavior of the IIS output format when the into-entity specifies directly or indirectly through the "multiplex" feature the name of a file that already exists. The possible values for this parameter are:
0: existing files are appended with the output;
1: existing files are overwritten with the output;
2: existing files are left intact, discarding the output.
Example: -fileMode:0
IIS Output Format Examples
W3C to IIS Conversion
Convert the specified W3C log file to an IIS log file:
LogParser "SELECT c-ip, cs-username, TO_DATE(TO_LOCALTIME(TO_TIMESTAMP(date, time))), TO_TIME(TO_LOCALTIME(TO_TIMESTAMP(date, time))), s-sitename, s-computername, s-ip, time-taken, sc-bytes, cs-bytes, sc-status, sc-win32-status, cs-method, cs-uri-stem, cs-uri-query INTO inetsv1.log FROM extend1.log" -i:IISW3C -o:IIS
NAT Output Format
The NAT output format writes output records in a readable tabulated column format.
The primary intended use of the NAT output format is to display output records to the console output. This is the default output format selected by Log Parser when a command does not explicitly specify an output format and the query does not specify an INTO clause.
The following example shows a sample output generated by the NAT output format:
TimeGenerated       SourceName              EventID
------------------- ----------------------- -------
2004-04-18 18:48:04 EventLog                6009
2004-04-18 18:48:04 EventLog                6005
2004-04-18 18:48:27 Service Control Manager 7024
2004-04-18 18:48:27 Service Control Manager 7035
2004-04-18 18:48:27 Service Control Manager 7035
2004-04-18 18:48:27 Service Control Manager 7036
2004-04-18 18:48:27 Service Control Manager 7036
2004-04-18 18:48:27 Service Control Manager 7035
2004-04-18 18:48:27 Service Control Manager 7036
2004-04-18 18:48:27 Service Control Manager 7035
See also: DATAGRID Output Format
NAT Output Format Into-Entity Syntax
<into-entity> ::= <filename> | STDOUT
The <into-entity> specified in queries using the NAT output format is either:
A filename;
The "STDOUT" keyword, which specifies that the output data is to be written to the output stream (the console output).
The default into-entity for queries that do not specify an INTO clause is "STDOUT".
The NAT output format supports the multiplex feature, which can be enabled by specifying '*' wildcards in the into-entity filename. This feature allows output records to be written to different files depending on the values of their fields. For more information on the multiplex feature, see Multiplexing Output Records.
Examples:
INTO report.txt
INTO \\COMPUTER01\Reports\report.txt
INTO STDOUT
INTO Reports_*_*\Report*.txt
NAT Output Format Parameters
The NAT output format supports the following parameters:
rtp
Values: number of rows
Default: 10
Description: Rows to print before pausing.
Details: When writing to STDOUT, the NAT output format displays output records in batches made up of a number of rows equal to the value specified for this parameter. Once a batch of rows has been displayed, the NAT output format prompts the user to press a key to display the next batch of rows. Specifying "-1" for this parameter disables batching altogether.
Example: -rtp:-1
headers
Values: ON|OFF
Default: ON
Description: Print column headers.
Details: This parameter enables or disables the column headers displayed before each batch of output rows.
Example: -headers:OFF
spaceCol
Values: ON|OFF
Default: ON
Description: Space columns uniformly.
Details: When this parameter is set to "ON", the NAT output format pads values with enough space characters to create columns having a uniform width within each batch of output rows. When this parameter is set to "OFF", the NAT output format displays unaligned values separated by a single space character.
Example: -spaceCol:OFF
rAlign
Values: ON|OFF
Default: OFF
Description: Align columns to the right.
Details: When this parameter is set to "ON", the NAT output format aligns values to the right side of each column. When this parameter is set to "OFF", values are aligned to the left side of each column.
Example: -rAlign:ON
colSep
Values: any string
Default: single space character
Description: Column separator.
Details: This parameter specifies the separator to be used between the columns.
Example: -colSep:","
direct
Values: ON|OFF
Default: OFF
Description: Enable "direct mode".
Details: When "direct mode" is enabled, the NAT output format displays output records as they are made available, disabling the internal buffering mechanism used for column spacing and output row batching. In "direct mode" columns are not uniformly spaced, headers are printed only at the beginning of the output, and output records are displayed without interruption.
Example: -direct:ON
oCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the output text.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -oCodepage:1245
fileMode
Values: 0|1|2
Default: 1
Description: Action to perform when an output file already exists.
Details: This parameter controls the behavior of the NAT output format when the into-entity specifies directly or indirectly through the "multiplex" feature the name of a file that already exists. The possible values for this parameter are:
0: existing files are appended with the output;
1: existing files are overwritten with the output;
2: existing files are left intact, discarding the output.
Example: -fileMode:0
NAT Output Format Examples
Ten Largest Files
Print the 10 largest files on the C: drive:
LogParser "SELECT TOP 10 * FROM C:\*.* ORDER BY Size DESC" -i:FS
SQL Output Format
The SQL output format uploads output records to a table in a SQL database.
This output format can upload records to a table in any ODBC-compliant database, including Microsoft SQL Server and Microsoft Access databases.
When the target table does not already exist in the specified database, the SQL output format creates a table with as many columns as the number of fields in the SELECT clause of the query. In this case, the SQL type of each column is determined by the data type of the corresponding output record field, as described in Column Type Mappings.
If the target table already exists, the number of columns in the table must match exactly the number of fields in the SELECT clause of the query, and the SQL type of each column must be compatible with the data type of the output record field in the same position, as described in Column Type Mappings.
SQL Output Format Column Type Mappings
The following table shows the mappings between the data types of the query output record fields and the SQL types of the columns in the target table.
The column labeled "New Table" shows the SQL types declared for the table columns when the SQL output format creates the table. The column labeled "Existing Table" shows the SQL types that are compatible with the corresponding Log Parser data type when the SQL output format uploads records to an existing table.
Log Parser Data Type   New Table        Existing Table
INTEGER                int              int, bigint, smallint, tinyint, bit (1)
REAL                   real             real, decimal, float
STRING                 varchar(n) (2)   varchar(n), nvarchar(n), char
TIMESTAMP              datetime         datetime, smalldatetime, date, time
NULL                   varchar          any type
Notes:
(1): when uploading to a field of the bit type, the target value is set to true when the INTEGER value is different than zero, and to false when the value is NULL or zero.
(2): the maximum length of new fields of the varchar type can be controlled through the maxStrFieldLen parameter.
SQL Output Format Into-Entity Syntax
<into-entity> ::= <table_name>
The <into-entity> specified in queries using the SQL output format is the name of the table to which the results are to be uploaded.
If the specified table does not already exist, the SQL output format creates a table with as many columns as the number of fields in the SELECT clause of the query. In this case, the SQL type of each column is determined by the data type of the corresponding output record field, as described in Column Type Mappings. If the specified table already exists, the number of columns in the table must match exactly the number of fields in the SELECT clause of the query, and the SQL type of each column must be compatible with the data type of the output record field in the same position, as described in Column Type Mappings.
Examples:
INTO ReportTable
SQL Output Format Parameters
The SQL output format supports the following parameters:
server
Values: server name
Default: .
Description: Name of the database server.
Details: Setting a value for the "oConnString" parameter causes this parameter to be ignored.
Example: -server:SQLREPORTS
database
Values: database name
Default: not specified
Description: Name of the target database.
Details: Setting a value for the "oConnString" parameter causes this parameter to be ignored.
Example: -database:LogParserLogs
driver
Values: ODBC driver name
Default: SQL Server
Description: Name of the ODBC driver to use.
Details: Setting a value for the "oConnString" parameter causes this parameter to be ignored.
Example: -driver:"Microsoft Access Driver (*.mdb)"
dsn
Values: DSN name
Default: not specified
Description: Name of the DSN to use.
Details: This parameter can be used to specify a Data Source Name that contains information about the connection to the target database. Setting a value for the "oConnString" parameter causes this parameter to be ignored.
Example: -dsn:"MyDSN"
username
Values: SQL username
Default: not specified
Description: Database username.
Details: When this parameter is not specified, the SQL output format uses the current user's credentials through Windows Integrated Authentication. Setting a value for the "oConnString" parameter causes this parameter to be ignored.
Note: For security reasons, values specified for this parameter are not persisted when using the Log Parser command-line Defaults Override Mode.
Example: -username:MyDBUser
password
Values: SQL password
Default: not specified
Description: Database user password.
Details: Setting a value for the "oConnString" parameter causes this parameter to be ignored.
Note: For security reasons, values specified for this parameter are not persisted when using the Log Parser command-line Defaults Override Mode.
Example: -password:MyPassword
oConnString
Values: connection string
Default: not specified
Description: ODBC connection string containing the parameters for the connection to the database.
Details: Setting a value for this parameter causes the SQL output format to ignore any value set for the "server", "database", "driver", "dsn", "username", and "password" parameters. The SQL output format does not enforce any syntax on the connection string. The value specified for this parameter is handed directly to the ODBC subsystem when initiating the connection to the database.
Note: For security reasons, values specified for this parameter that contain a username and/or a password are not persisted when using the Log Parser command-line Defaults Override Mode.
Example: -oConnString:"Driver={SQL Server};Server=MyServer;db=pubs;uid=sa;pwd=MyPassword"
createTable
Values: ON|OFF
Default: OFF
Description: Create a new table when the table specified in the into-entity does not exist.
Details: When this parameter is set to "ON" and the target table does not already exist in the specified database, the SQL output format creates a table with as many columns as the number of fields in the SELECT clause of the query. In this case, the SQL type of each column is determined by the data type of the corresponding output record field, as described in Column Type Mappings. When this parameter is set to "OFF" and the target table does not already exist in the specified database, the SQL output format generates an error, causing the currently executing query to abort.
Example: -createTable:ON
clearTable
Values: ON|OFF
Default: OFF
Description: Clear existing table before inserting new rows.
Details: Setting this parameter to "ON" causes the SQL output format to delete existing rows in the target table before inserting the query output records.
Example: -clearTable:ON
fixColNames
Values: ON|OFF
Default: ON
Description: Automatically remove invalid characters from column names when creating the target table.
Details: When the "createTable" parameter is set to "ON" and the target table does not already exist in the specified database, the SQL output format creates the table naming its columns with the names of the query output record fields. When this parameter is set to "ON", the SQL output format processes the field names and removes or substitutes those characters that are considered illegal by most databases, including space characters, parenthesis characters, and dash (-) characters.
Example: -fixColNames:OFF
maxStrFieldLen
Values: number of characters
Default: 255
Description: Maximum number of characters declared for string columns when creating a table.
Details: When the "createTable" parameter is set to "ON" and the target table does not already exist in the specified database, the SQL output format creates the table determining the SQL type of each column from the data type of the corresponding output record field, as described in Column Type Mappings. Columns corresponding to output record fields of the STRING data type are declared as SQL strings having a maximum length equal to the value specified for this parameter.
Example: -maxStrFieldLen:511
transactionRowCount
Values: number of rows
Default: 0
Description: Number of rows enclosed in a SQL transaction.
Details: When this parameter is set to "0", the SQL output format works in "autocommit" mode, where each single output record uploaded to the target table is automatically committed. When this parameter is set to "-1", the SQL output format initiates a SQL transaction when uploading the first output record, and commits or rolls back the transaction after uploading the last record or when an error causes the query execution to abort. Setting this parameter to any other value causes the SQL output format to create multiple SQL transactions, each containing a number of records equal to the specified value.
Example: -transactionRowCount:200
ignoreMinWarns
Values: ON|OFF
Default: ON
Description: Ignore minor warnings.
Details: When this parameter is set to "ON", the SQL output format ignores minor warnings that might occur while uploading records to the target table, including data truncation warnings and invalid escape character errors. When this parameter is set to "OFF", all minor warnings are reported as warnings when the query execution is complete.
Example: -ignoreMinWarns:OFF
ignoreIdCols
Values: ON|OFF
Default: OFF
Description: Ignore "identity" columns in the target table.
Details: When this parameter is set to "OFF" and the target table specified in the into-entity already exists, the SQL output format expects a 1-to-1 match between the columns in the target table and the fields in the query output records, regardless of whether or not any column in the target table is an "identity" column. In this case, the values of the output record fields will be uploaded to all the columns in the table, including eventual "identity" columns. When this parameter is set to "ON" and the target table specified in the into-entity already exists, the SQL output format ignores "identity" columns in the target table, checking for a 1-to-1 match only between the non-identity columns and the fields in the query output records, and uploading output record field values to non-identity columns only.
Example: -ignoreIdCols:ON
SQL Output Format Examples
Upload Registry Values to a SQL table
Upload a portion of the registry into a newly-created SQL table:
LogParser "SELECT Path, KeyName, ValueName INTO MyTable FROM \HKLM" -i:REG -o:SQL -server:MyServer -database:MyDatabase -driver:"SQL Server" -username:TestSQLUser -password:TestSQLPassword -createTable:ON
Upload IISW3C log files to an Access database
Upload selected fields of an IISW3C log file into an existing table in Microsoft Access:
LogParser "SELECT TO_TIMESTAMP(date, time), c-ip, cs-uri-stem, sc-status INTO MyTable FROM extend1.log" -i:IISW3C -o:SQL -oConnString:"Driver={Microsoft Access Driver (*.mdb)};Dbq=C:\MyDB\MyDB.mdb;Uid=MyUsername;Pwd=MyPassword"
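Added example (not part of the Log Parser documentation): commands like the ones above carry database and directory passwords on the command line, so the secrets end up in batch files and scheduled tasks. This Python sketch audits a script for the three forms that appear in this documentation (-password, a pwd=/password= key inside -oConnString, and user:password@ inside an LDAP:// path) and redacts the secret in what it reports; the function name, rule labels and sample script are constructed for illustration.

```python
import re

# Each rule: (label, regex). Group 1 is the part that is safe to report,
# group 2 is the secret, which is never copied into a finding.
RULES = [
    ("-password parameter",
     re.compile(r'(?i)(?<![\w-])(-password:)("[^"]*"|[^\s"]+)')),
    ("password in -oConnString",
     re.compile(r'(?i)\b((?:pwd|password)\s*=\s*)([^;"\s]+)')),
    ("credentials in LDAP:// URL",
     re.compile(r"(?i)(LDAP://[^:/@\s']+:)([^@/\s']+)(?=@)")),
]


def audit_commands(script_text):
    """Return (line number, rule label, redacted snippet) for every
    LogParser command line that embeds a password."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        if "logparser" not in line.lower():
            continue  # only LogParser invocations are in scope
        for label, rule in RULES:
            for match in rule.finditer(line):
                findings.append((lineno, label, match.group(1) + "<redacted>"))
    return findings


# Constructed sample batch file, built from the commands shown in this
# documentation. The last command relies on Windows Integrated
# Authentication and must not be flagged.
SAMPLE_SCRIPT = r"""REM constructed sample batch file
LogParser "SELECT Path, KeyName, ValueName INTO MyTable FROM \HKLM" -i:REG -o:SQL -server:MyServer -database:MyDatabase -username:TestSQLUser -password:TestSQLPassword -createTable:ON
LogParser "SELECT c-ip, sc-status INTO MyTable FROM extend1.log" -i:IISW3C -o:SQL -oConnString:"Driver={SQL Server};Server=MyServer;db=pubs;uid=sa;pwd=MyPassword"
LogParser "SELECT title INTO DATAGRID FROM 'LDAP://MyUsername:MyPassword@mydomain/CN=Users,DC=mydomain,DC=com'" -objClass:User
LogParser "SELECT Path, KeyName, ValueName INTO MyTable FROM \HKLM" -i:REG -o:SQL -server:MyServer -database:MyDatabase -createTable:ON"""


if __name__ == "__main__":
    for lineno, label, snippet in audit_commands(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {snippet}")
```

Omitting -username and -password makes the SQL output format use the current user's credentials through Windows Integrated Authentication, as described under the username parameter, which keeps the secret out of the script.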
SYSLOG Output Format
The SYSLOG output format can be used to send messages to a Syslog server, to create text files containing Syslog messages, and to send Syslog messages to users.
The SYSLOG output format generates messages formatted according to the Syslog specifications described in RFC 3164. Syslog messages consist of six parts, and the SYSLOG output format provides parameters that allow users to assign constants or output record fields to the different parts of a message.
The following example shows Syslog messages containing information gathered from the System event log:
<46>Apr 18 18:48:04 MYSERVER-M LogParser: EventLog: The Event log service was started.
<30>Apr 18 18:48:27 MYSERVER-M LogParser: Service Control Manager: The Telephony service entered the running state.
<46>Apr 18 18:51:37 MYSERVER-M LogParser: EventLog: The Event log service was stopped.
<134>Apr 18 19:20:23 MYSERVER-M LogParser: AtiHotKeyPoller: The service was started.
<46>Apr 18 19:20:07 MYSERVER-M LogParser: EventLog: The Event log service was started.
<30>Apr 18 19:20:47 MYSERVER-M LogParser: Service Control Manager: The Telephony service entered the running state.
<46>Apr 18 19:33:17 MYSERVER-M LogParser: EventLog: The Event log service was stopped.
<134>Apr 19 07:01:57 MYSERVER-M LogParser: AtiHotKeyPoller: The service was started.
<46>Apr 19 07:01:41 MYSERVER-M LogParser: EventLog: The Event log service was started.
<30>Apr 19 07:02:07 MYSERVER-M LogParser: Service Control Manager: The Telephony service entered the running state.
The SYSLOG output format can be optionally configured with a Syslog server configuration file, which describes the rules used to forward messages to files, Syslog servers, or users.
SYSLOG Output Format Message Structure
The SYSLOG output format generates messages formatted according to the Syslog specifications described in RFC 3164. Syslog messages consist of six parts, and the SYSLOG output format provides parameters that allow users to assign constants or output record fields to the different parts of a message.
A sample Syslog message is formatted as follows:
<14>Nov 11 16:05:33 MYSERVER-M LogParser: The service was started.
This message consists of the following parts:
PRI: <14>
The PRI part is bound with angle brackets and contains a decimal Priority value, which in turn is built as follows:
The first 7 bits contain the facility value, describing the origin of the message;
The last 3 bits contain the severity value, describing the importance of the message.
HEADER: Nov 11 16:05:33 MYSERVER-M
The HEADER part consists of the following two elements:
A timestamp value, indicating the local time at which the message was generated;
A hostname value, indicating the host on which the message originated.
MSG: LogParser: The service was started.
The MSG part consists of the following two elements:
A tag value, indicating the name of the program or process that generated the message, followed by a colon character (":");
A content value, containing the details of the message.
Facility
The facility value is represented by the upper 7 bits of the priority value in the PRI part of the message, and it describes the application or operating system component that originated the message. For a detailed list of the numeric values designated for well-known operating system components, refer to RFC 3164. The following table shows the names assigned to the most common facility values:
Numerical Value Facility Name
0 kern
1 user
2 mail
3 daemon
4 auth
5 mark
6 lpr
7 news
8 uucp
9 cron
10 auth2
11 ftp
12 ntp
13 logaudit
14 logalert
15 clock
16 local0
17 local1
18 local2
19 local3
20 local4
21 local5
22 local6
23 local7
Inthepreviousexamplemessage,thepriorityvalue"14"indicatesafacilityvalueof1("user").
The
facilityparameteroftheSYSLOGoutputformatallowsuserstocontrolthevalueofthefacilityfieldintheoutputmessages.Thisparametercanbesettoanyofthefollowingvalues:Anumericvalue,suchas"1"or"23";Thenameofafacilityvalue,suchas"user"or"local7";
Page 447
Thenameorthe1-basedindexofanoutputrecordfieldprependedwithadollarcharacter("$"),suchas"$MyFacility"or"$2".ThespecifiedoutputrecordfieldmustbeofeithertheINTEGERdatatype-inwhichcaseitsvaluesareassumedtobenumericalfacilityvalues,oroftheSTRINGdatatype-inwhichcaseitsvaluesareassumedtobefacilitynamesamongthosedescribedintheprevioustable.Whenanoutputrecordfieldvaluedoesnotcontainarecognizedfacilitynameoritcontainsafacilityvaluegreaterthan23,theSYSLOGoutputformatusesadefaultfacilityvalueof1("user").
The following example query returns event messages from the System event log together with a "MyFacility" field that maps each event source to a Syslog facility name:
SELECT CASE SourceName
         WHEN 'EventLog' THEN 'mark'
         WHEN 'Service Control Manager' THEN 'daemon'
         WHEN 'Print' THEN 'lpr'
         WHEN 'Kerberos' THEN 'auth'
         WHEN 'NETLOGON' THEN 'logaudit'
         WHEN 'Application Popup' THEN 'local7'
         ELSE 'local0'
       END AS MyFacility,
       Message
INTO SYSLOG
FROM System
This query can be executed with the following command, which specifies that the facility value of each output message is to be retrieved from the "MyFacility" output record field:
LogParser file:MyQuery.sql -o:SYSLOG -conf:Myconfig.conf -facility:$MyFacility
The Syslog messages generated by this command will look like the following examples:
<134>Nov 13 18:17:25 MYSERVER-M LogParser: The service was started.
<46>Nov 13 18:17:46 MYSERVER-M LogParser: The Event log service was started.
<30>Nov 13 18:17:46 MYSERVER-M LogParser: The Telephony service entered the running state.
<46>Nov 13 18:17:46 MYSERVER-M LogParser: The Event log service was stopped.
<134>Nov 13 18:17:46 MYSERVER-M LogParser: The service was started.
<46>Nov 13 18:17:46 MYSERVER-M LogParser: The Event log service was started.
<30>Nov 13 18:17:46 MYSERVER-M LogParser: The Telephony service entered the running state.
The upper 7 bits of the priority field of each of these messages contain the facility value provided by the "MyFacility" output record field.
Severity
The severity value is represented by the lower 3 bits of the priority value in the PRI part of the message, and it describes the importance of the message. For a detailed description of the different values of the severity field, refer to RFC 3164.
The following table shows the names commonly assigned to the different severity values:
Numerical Value Severity Name
0 emerg
1 alert
2 crit
3 err
4 warning
5 notice
6 info
7 debug
For example, a priority value of "14" indicates a severity value of 6 ("info").
The severity parameter of the SYSLOG output format allows users to control the value of the severity field in the output messages. This parameter can be set to any of the following values:
A numeric value, such as "1" or "7";
The name of a severity value, such as "alert" or "debug";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MySeverity" or "$2". The specified output record field must be of either the INTEGER data type - in which case its values are assumed to be numerical severity values, or of the STRING data type - in which case its values are assumed to be severity names among those described in the previous table. When an output record field value does not contain a recognized severity name or it contains a severity value greater than 7, the SYSLOG output format uses a default severity value of 6 ("info").
The following example query returns event messages from the System event log together with a "MySeverity" field that maps each event type to a Syslog severity name:
SELECT CASE EventTypeName
         WHEN 'Error event' THEN 'err'
         WHEN 'Warning event' THEN 'warning'
         WHEN 'Information event' THEN 'info'
         ELSE 'info'
       END AS MySeverity,
       Message
INTO SYSLOG
FROM System
This query can be executed with the following command, which specifies that the severity value of each output message is to be retrieved from the "MySeverity" output record field:
LogParser file:MyQuery.sql -o:SYSLOG -conf:Myconfig.conf -severity:$MySeverity
The Syslog messages generated by this command will look like the following examples:
<14>Nov 13 21:42:15 MYSERVER-M LogParser: The Event log service was started.
<11>Nov 13 21:42:15 MYSERVER-M LogParser: The Computer Browser service terminated with service-specific error 2550 (0x9F6).
<14>Nov 13 21:42:15 MYSERVER-M LogParser: The Terminal Services service was successfully sent a start control.
<12>Nov 13 21:42:15 MYSERVER-M LogParser: A request to suspend power was denied by winlogon.exe.
<14>Nov 13 21:42:15 MYSERVER-M LogParser: The Event log service was stopped.
The lower 3 bits of the priority field of each of these messages contain the severity value provided by the "MySeverity" output record field.
Timestamp
The timestamp field indicates the local time at which the message was originated, and it is usually formatted as follows:
Nov 11 16:05:33
If the first field in the query output records is of the TIMESTAMP data type, the SYSLOG output format will use the field values to populate the timestamp field in the output messages. On the other hand, if the first field is not of the TIMESTAMP data type, the SYSLOG output format will use the current local time.
The following example query returns event messages from the System event log together with the date and time at which the events have been generated:
SELECT TimeGenerated, Message
INTO SYSLOG
FROM System
WHERE SourceName = 'EventLog'
The Syslog messages generated by this query will look like the following examples:
<14>Apr 18 18:48:04 MYSERVER-M LogParser: The Event log service was started.
<14>Apr 18 18:51:37 MYSERVER-M LogParser: The Event log service was stopped.
<14>Apr 18 19:20:07 MYSERVER-M LogParser: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.
<14>Apr 18 19:20:07 MYSERVER-M LogParser: The Event log service was started.
<14>Apr 18 19:33:17 MYSERVER-M LogParser: The Event log service was stopped.
<14>Apr 19 07:01:41 MYSERVER-M LogParser: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.
<14>Apr 19 07:01:41 MYSERVER-M LogParser: The Event log service was started.
<14>Apr 19 07:29:19 MYSERVER-M LogParser: The Event log service was stopped.
Hostname
The hostname field indicates the server on which the message originated.
The hostName parameter of the SYSLOG output format allows users to control the value of the hostname field in the output messages. This parameter can be set to any of the following values:
The "localhost" keyword, specifying that the field should be populated with the local computer name;
A generic string indicating the desired hostname, such as "MYCOMPUTER";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MyHostname" or "$2". The specified output record field must be of the STRING data type, and its values will be used to populate the hostname field in the output messages.
When no value is specified for the "hostName" parameter, the hostname field is automatically populated with the local computer name.
The following example query returns event messages from the System event log of different computers, together with the computer name on which the event originated:
SELECT Message, ComputerName
INTO SYSLOG
FROM \\MYSERVER01\System, \\MYSERVER02\System, \\MYSERVER03\System
This query can be executed with the following command, which specifies that the hostname field of each output message is to be retrieved from the second output record field:
LogParser file:MyQuery.sql -o:SYSLOG -conf:Myconfig.conf -hostName:$2
The Syslog messages generated by this command will look like the following examples:
<14>Nov 13 22:07:11 MYSERVER03 LogParser: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.
<14>Nov 13 22:07:11 MYSERVER03 LogParser: The Event log service was started.
<14>Nov 13 22:07:11 MYSERVER01 LogParser: The Terminal Services service was successfully sent a start control.
<14>Nov 13 22:07:11 MYSERVER02 LogParser: The Network Connections service was successfully sent a start control.
<14>Nov 13 22:07:11 MYSERVER01 LogParser: The Terminal Services service entered the running state.
<14>Nov 13 22:07:11 MYSERVER02 LogParser: The Network Connections service entered the running state.
<14>Nov 13 22:07:11 MYSERVER02 LogParser: The SSDP Discovery Service service was successfully sent a start control.
<14>Nov 13 22:07:11 MYSERVER03 LogParser: The SSDP Discovery Service service was successfully sent a start control.
Tag
The tag field indicates the name of the program or process that generated the message.
The processName parameter of the SYSLOG output format allows users to control the value of the tag field in the output messages. This parameter can be set to any of the following values:
A generic string indicating the desired tag field value, such as "MyReports";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MyProgram" or "$2". The specified output record field must be of the STRING data type, and its values will be used to populate the tag field in the output messages.
When no value is specified for the "processName" parameter, the tag field is automatically populated with "LogParser:".
Content
The content field contains the details of the message, and its value is built by the SYSLOG output format by concatenating the values of all the output record fields, excluding those fields that are used for the values of the facility, severity, timestamp, hostname, and tag message fields.
The following example query returns information from the System event log:
SELECT SourceName, EventTypeName, EventCategoryName, Message
INTO SYSLOG
FROM System
The Syslog messages generated by this query will look like the following examples:
<14>Nov 13 22:27:17 MYSERVER-M LogParser: EventLog Information event None Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.
<14>Nov 13 22:27:17 MYSERVER-M LogParser: EventLog Information event None The Event log service was started.
<14>Nov 13 22:27:17 MYSERVER-M LogParser: Service Control Manager Error event None The Computer Browser service terminated with service-specific error 2550 (0x9F6).
<14>Nov 13 22:27:17 MYSERVER-M LogParser: EventLog Information event None The Event log service was stopped.
<14>Nov 13 22:27:17 MYSERVER-M LogParser: AtiHotKeyPoller Information event None The service was started.
<14>Nov 13 22:27:17 MYSERVER-M LogParser: EventLog Information event None Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.
<14>Nov 13 22:27:17 MYSERVER-M LogParser: EventLog Information event None The Event log service was started.
<14>Nov 13 22:27:17 MYSERVER-M LogParser: EventLog Information event None The Event log service was stopped.
SYSLOG Output Format Configuration Files
Messages generated by the SYSLOG output format can be forwarded to any of the following three possible destinations:
A Syslog server;
A text file;
A user, through the Windows alerter and messenger services.
The conf parameter of the SYSLOG output format allows users to specify a configuration file resembling the standard "syslog.conf" file that describes the rules used to forward messages to different destinations. These rules associate values of the facility and severity message fields with specific Syslog servers, text files, or users.
Each line in a configuration file is either a comment beginning with the pound character ("#"), or a configuration entry. Configuration entries have the following syntax:
<config_entry> ::= <selector> <action>
<selector> ::= <facilities>.<severity>
<facilities> ::= <facility>[,<facility>...]
<facility> ::= kern|user|mail|daemon|auth|mark|lpr|news|uucp|cron|auth2|ftp|ntp|logaudit|logalert|clock|local0|local1|local2|local3|local4|local5|local6|local7|*
<severity> ::= emerg|alert|crit|err|warning|notice|info|debug
<action> ::= <send_server>|<send_file>|<send_user>
<send_server> ::= @<server_name>[:<port>]
<send_file> ::= <filepath>|STDOUT
<send_user> ::= <user_name>
A configuration entry is composed of a selector and an action, separated by spaces or tab characters. A selector is a comma-separated list of facility names followed by a dot (".") and followed by a severity name. The special "*" wildcard means "all facilities". Messages whose facility is included in the selector's set of facilities and whose severity is greater than or equal to the selector's severity are forwarded to the destination specified in the action.
An action can specify any of the following destinations:
The name or address of a Syslog server, preceded by an at character ("@") and optionally followed by a port number; when no port number is specified, the SYSLOG output format will use port 514;
The path of an output filename;
The STDOUT keyword, which specifies that the output data is to be written to the output stream (the console output);
The name of a user.
The following example shows a SYSLOG output format configuration file:
#
# Sample SYSLOG output format configuration file
#
auth.err                @MYSERVER01
*.debug                 STDOUT
*.info                  C:\MyLogs\Infos.txt
kern.emerg              MYUSER
local0,local1.emerg     @192.168.1.100:515
This configuration file defines the following rules:
Messages from the "auth" facility with a severity greater than or equal to "err" are forwarded to the "MYSERVER01" Syslog server on port 514;
All messages having a severity greater than or equal to "debug" are displayed in the console output;
All messages having a severity greater than or equal to "info" are written to the "C:\MyLogs\Infos.txt" text file;
Messages from the "kern" facility with a severity greater than or equal to "emerg" are sent to the "MYUSER" user;
Messages from the "local0" or "local1" facilities with a severity greater than or equal to "emerg" are forwarded to the Syslog server with address 192.168.1.100 on port 515.
Messages matching more than one rule are forwarded to all the specified destinations. For example, with the above configuration file, messages having a severity greater than or equal to "debug" are both displayed in the console output and written to the "C:\MyLogs\Infos.txt" text file.
Actions can also be specified in the into-entity of the query. These actions are processed as rules having a selector that matches all messages, with a "*" facility value and an "emerg" severity value.
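The PRI arithmetic and the selector rules above, as an added Python example that is not part of the Log Parser documentation. It assumes facility numbers follow the order of the <facility> grammar (which agrees with the sample PRI values on this page) and that "greater than or equal to" compares the numeric severity values, the reading under which an "emerg" selector matches all messages; pass by_importance=True to test the conventional syslog.conf reading instead. The sample messages come from this page's output samples, except the one marked constructed.

```python
import re

# Names in the order of the page's <facility> and <severity> grammar; the list
# index is taken as the numeric value (assumption, see lead-in).
FACILITIES = ("kern user mail daemon auth mark lpr news uucp cron auth2 ftp ntp "
              "logaudit logalert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
DEFAULT_PORT = 514  # used when an "@server" action carries no ":port"

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# The sample configuration file shown on this page.
SAMPLE_CONF = r"""#
# Sample SYSLOG output format configuration file
#
auth.err                @MYSERVER01
*.debug                 STDOUT
*.info                  C:\MyLogs\Infos.txt
kern.emerg              MYUSER
local0,local1.emerg     @192.168.1.100:515
"""

MARK_INFO = "<46>Nov 13 18:17:46 MYSERVER-M LogParser: The Event log service was started."
LOCAL0_INFO = "<134>Nov 13 18:17:25 MYSERVER-M LogParser: The service was started."
AUTH_CRIT = "<34>Nov 13 18:17:25 MYSERVER-M LogParser: constructed test message"


def decode_pri(message):
    """Split '<PRI>rest' into (facility name, severity name, rest)."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no PRI part")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):
        raise ValueError("facility value out of range")
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def parse_conf(text):
    """Return rules as (facility set or None for '*', severity index, action)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment (blank lines are tolerated here)
        parts = line.split(None, 1)  # selector and action, split on spaces or tabs
        if len(parts) != 2 or "." not in parts[0]:
            raise ValueError(f"line {lineno}: expected '<selector> <action>'")
        fac_part, sev_name = parts[0].rsplit(".", 1)
        if sev_name not in SEVERITIES:
            raise ValueError(f"line {lineno}: unknown severity {sev_name!r}")
        names = fac_part.split(",")
        if "*" in names:
            facilities = None
        else:
            unknown = [n for n in names if n not in FACILITIES]
            if unknown:
                raise ValueError(f"line {lineno}: unknown facility {unknown[0]!r}")
            facilities = frozenset(names)
        action = parts[1].strip()
        if action.startswith("@") and ":" not in action:
            action = f"{action}:{DEFAULT_PORT}"  # make the default port explicit
        rules.append((facilities, SEVERITIES.index(sev_name), action))
    return rules


def route(rules, message, by_importance=False):
    """List the actions whose selector matches the message, in file order."""
    facility, severity, _ = decode_pri(message)
    sev = SEVERITIES.index(severity)
    matched = []
    for facilities, threshold, action in rules:
        if facilities is not None and facility not in facilities:
            continue
        # Default: numeric comparison (assumed reading of the page's rule).
        # by_importance=True: lower number means more important, as in syslog.conf.
        if (sev <= threshold) if by_importance else (sev >= threshold):
            matched.append(action)
    return matched


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for msg in (MARK_INFO, LOCAL0_INFO, AUTH_CRIT):
        print(decode_pri(msg)[:2], route(rules, msg), route(rules, msg, by_importance=True))
```

The two readings send the constructed "auth"/"crit" message to different destinations, so run a known test message through a new configuration file before relying on it for alert forwarding.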
SYSLOG Output Format Into-Entity Syntax
<into-entity> ::= <action>[,<action>...]|SYSLOG
<action> ::= <send_server>|<send_file>|<send_user>
<send_server> ::= @<server_name>[:<port>]
<send_file> ::= <filepath>|STDOUT
<send_user> ::= <user_name>
The <into-entity> specified in queries using the SYSLOG output format is either the "SYSLOG" keyword, which specifies that messages should be forwarded according to the rules in the configuration file specified for the conf parameter, or a comma-separated list of actions, where each action is either:
The name or address of a Syslog server, preceded by an at character ("@") and optionally followed by a port number; when no port number is specified, the SYSLOG output format will use port 514;
The path of an output filename;
The STDOUT keyword, which specifies that the output data is to be written to the output stream (the console output);
The name of a user, to which Syslog messages will be sent through the Windows alerter and messenger services.
When a configuration file has been specified through the "conf" parameter, queries are allowed to not provide an INTO clause at all; if an INTO clause is used, its into-entity must be specified as "SYSLOG".
When a configuration file has not been specified, the INTO clause is mandatory and it must contain at least one valid action.
Actions specified in the into-entity are processed as configuration rules having a selector that matches all messages, with a "*" facility value and an "emerg" severity value.
Examples:
INTO SYSLOG
INTO @MYSERVER02:515
INTO \\COMPUTER01\Reports\report.txt
INTO MYUSER
INTO @MYSERVER01, C:\MyLogs\Infos.txt, STDOUT, MYUSER, @192.168.1.100:515
SYSLOG Output Format Parameters
The SYSLOG output format supports the following parameters:
conf
Values: filepath
Default: not specified
Description: Syslog configuration file.
Details: This parameter specifies the path to a configuration file that describes the rules used to forward messages to different destinations. When this parameter is used, queries are allowed to not provide an INTO clause at all; if an INTO clause is used, its into-entity must be specified as "SYSLOG". For more information on configuration files, see SYSLOG Output Format Configuration Files.
Example: -conf:C:\mysyslog.conf
severity
Values: <numeric_value>|<name>|$<field_name>|$<field_index>
Default: info
Description: Message severity level.
Details: This parameter controls the value of the severity field of the output messages. The possible values for this parameter are:
A numeric value, such as "1" or "7";
The name of a severity value, such as "alert" or "debug";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MySeverity" or "$2". The specified output record field must be of either the INTEGER data type - in which case its values are assumed to be numerical severity values, or of the STRING data type - in which case its values are assumed to be severity names among those described in the previous table. When an output record field value does not contain a recognized severity name or it contains a severity value greater than 7, the SYSLOG output format uses a default severity value of 6 ("info").
For more information on the severity field of the output messages, see SYSLOG Output Format Message Structure.
Examples:
-severity:1
-severity:alert
-severity:$MySeverity
-severity:$2
facility
Values: <numeric_value>|<name>|$<field_name>|$<field_index>
Default: user
Description: Message facility.
Details: This parameter controls the value of the facility field of the output messages. The possible values for this parameter are:
A numeric value, such as "1" or "23";
The name of a facility value, such as "user" or "local7";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MyFacility" or "$2". The specified output record field must be of either the INTEGER data type - in which case its values are assumed to be numerical facility values, or of the STRING data type - in which case its values are assumed to be facility names among those described in the previous table. When an output record field value does not contain a recognized facility name or it contains a facility value greater than 23, the SYSLOG output format uses a default facility value of 1 ("user").
For more information on the facility field of the output messages, see SYSLOG Output Format Message Structure.
Examples:
-facility:23
-facility:local7
-facility:$MyFacility
-facility:$2
oTsFormat
Values: timestamp format
Default: MMMdphh:mm:ss
Description: Format of the timestamp field.
Details: This parameter specifies the format of the timestamp field of the output messages. For more information on date and time formats, see Timestamp Format Specifiers. For more information on the timestamp field of the output messages, see SYSLOG Output Format Message Structure.
Example: -oTsFormat:"MMM dd, yyyy"
hostName
Values: localhost|<name>|$<field_name>|$<field_index>
Default: localhost
Description: Value of the hostname field.
Details: This parameter controls the value of the hostname field of the output messages. The possible values for this parameter are:
The "localhost" keyword, specifying that the field should be populated with the local computer name;
A generic string indicating the desired hostname, such as "MYCOMPUTER";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MyHostname" or "$2". The specified output record field must be of the STRING data type, and its values will be used to populate the hostname field in the output messages.
For more information on the hostname field of the output messages, see SYSLOG Output Format Message Structure.
Examples:
-hostName:MYCOMPUTER
-hostName:$MyHostname
-hostName:$2
processName
Values: <name>|$<field_name>|$<field_index>
Default: LogParser:
Description: Value of the tag field.
Details: This parameter controls the value of the tag field of the output messages. The possible values for this parameter are:
A generic string indicating the desired tag field value, such as "MyReports";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MyProgram" or "$2". The specified output record field must be of the STRING data type, and its values will be used to populate the tag field in the output messages.
For more information on the tag field of the output messages, see SYSLOG Output Format Message Structure.
Examples:
-processName:MyReports
-processName:$MyProgram
-processName:$2
separator
Values: any string|space|tab
Default: space
Description: Separator between fields.
Details: This parameter controls the separator to be used between the message fields. The "tab" keyword causes the SYSLOG output format to use a single tab character between the fields, while the "space" keyword causes the SYSLOG output format to use a single space character.
Example: -separator:tab
maxPacketSize
Values: number of bytes
Default: 1024
Description: Maximum message size.
Details: This parameter controls the maximum size of the messages generated by the SYSLOG output format. Messages whose size exceeds the value specified for this parameter are either truncated or discarded, depending on the value of the "discardOversized" parameter.
Example: -maxPacketSize:8192
discardOversized
Values: ON|OFF
Default: OFF
Description: Discard oversized messages.
Details: When this parameter is set to "ON", the SYSLOG output format discards messages whose size exceeds the value specified for the "maxPacketSize" parameter. When this parameter is set to "OFF", the SYSLOG output format truncates oversized messages to the size specified with the "maxPacketSize" parameter.
Example: -discardOversized:ON
protocol
Values: UDP|TCP
Default: UDP
Description: Protocol used for transmission.
Details: This parameter specifies the protocol to use when sending messages to Syslog servers.
Example: -protocol:TCP
sourcePort
Values: port number|*
Default: *
Description: Source port to use for transmission.
Details: This parameter specifies the source port to use when sending messages to Syslog servers. Specifying "*" causes the SYSLOG output format to choose any available port number.
Example: -sourcePort:514
ignoreDspchErrs
Values: ON|OFF
Default: OFF
Description: Ignore dispatch errors.
Details: Setting this parameter to "ON" causes the SYSLOG output format to buffer errors occurring while transmitting messages to Syslog servers or users, reporting all the errors as warnings when the query execution has completed. Setting this parameter to "OFF" causes the SYSLOG output format to report errors as they occur, aborting the execution of the query.
Example: -ignoreDspchErrs:ON
oCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the output message text.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -oCodepage:1245
SYSLOG Output Format Examples
Export System Event Log
Export events from the System event log to a Syslog server and to a local file:
SELECT TimeGenerated,
       CASE SourceName
         WHEN 'EventLog' THEN 'mark'
         WHEN 'Service Control Manager' THEN 'daemon'
         WHEN 'Print' THEN 'lpr'
         WHEN 'Kerberos' THEN 'auth'
         WHEN 'NETLOGON' THEN 'logaudit'
         WHEN 'Application Popup' THEN 'local7'
         ELSE 'local0'
       END AS MyFacility,
       CASE EventTypeName
         WHEN 'Error event' THEN 'err'
         WHEN 'Warning event' THEN 'warning'
         WHEN 'Information event' THEN 'info'
         ELSE 'info'
       END AS MySeverity,
       ComputerName,
       STRCAT(SourceName, ':'),
       Message
INTO @MYSERVER04, Log.txt
FROM System
This query can be executed with the following command:
LogParser file:MyQuery.sql -o:SYSLOG -facility:$MyFacility -severity:$MySeverity -hostName:$ComputerName
The output will look like the following sample:
<46>Apr 18 18:48:04 MYSERVER-M LogParser: EventLog: The Event log service was started.
<30>Apr 18 18:48:27 MYSERVER-M LogParser: Service Control Manager: The Telephony service entered the running state.
<46>Apr 18 18:51:37 MYSERVER-M LogParser: EventLog: The Event log service was stopped.
<134>Apr 18 19:20:23 MYSERVER-M LogParser: AtiHotKeyPoller: The service was started.
<46>Apr 18 19:20:07 MYSERVER-M LogParser: EventLog: The Event log service was started.
<30>Apr 18 19:20:47 MYSERVER-M LogParser: Service Control Manager: The Telephony service entered the running state.
<46>Apr 18 19:33:17 MYSERVER-M LogParser: EventLog: The Event log service was stopped.
<134>Apr 19 07:01:57 MYSERVER-M LogParser: AtiHotKeyPoller: The service was started.
<46>Apr 19 07:01:41 MYSERVER-M LogParser: EventLog: The Event log service was started.
<30>Apr 19 07:02:07 MYSERVER-M LogParser: Service Control Manager: The Telephony service entered the running state.
IIS Log Error Entries
Send error entries in the IIS log to a Syslog server:
SELECT TO_TIMESTAMP(date, time),
       CASE sc-status
         WHEN 500 THEN 'emerg'
         ELSE 'err'
       END AS MySeverity,
       s-computername AS MyHostname,
       cs-uri-stem,
       sc-status
INTO @MYSERVER04
FROM <1>
WHERE sc-status >= 400
This query can be executed with the following command:
LogParser file:MyQuery.sql -o:SYSLOG -facility:logalert -severity:$MySeverity -hostName:$MyHostname -processName:IIS:
The messages will look like the following samples:
<115>Nov 18 00:28:43 MYSERVER04 IIS: /images/tibg.gif 404
<115>Nov 18 00:28:44 MYSERVER04 IIS: /aa.css 404
<115>Nov 18 00:28:59 MYSERVER04 IIS: /images/tibg.gif 404
<115>Nov 18 00:29:00 MYSERVER04 IIS: /aa.css 404
<115>Nov 18 00:29:01 MYSERVER04 IIS: /images/tibg.gif 404
<115>Nov 18 00:29:02 MYSERVER04 IIS: /images/tibg.gif 404
<115>Nov 18 00:29:04 MYSERVER04 IIS: /gorice/rulesinfo.nsf 403
<115>Nov 18 00:29:05 MYSERVER04 IIS: /_vti_inf.html 404
<112>Nov 18 00:29:05 MYSERVER04 IIS: /_vti_bin/shtml.dll 500
<115>Nov 18 00:31:51 MYSERVER04 IIS: /na/index.html 404
TPL Output Format
The TPL output format writes output records formatted according to user-defined templates.
Templates are text files divided into three sections - a header, a body, and a footer - containing variables that refer to the values and names of the output record fields. During the output generation stage, the TPL output format substitutes the variables with the values of the output record fields, generating text files formatted according to the user specifications.
The flexibility of the TPL output format allows users to generate HTML files, XML files, and generic text files in almost any format.
Template Files
Into-Entity Syntax
Parameters
Examples
TPL Output Format Template Files
Template files are divided into three sections: an optional header section that is written once at the beginning of the output, a body section that is written repeatedly for each output record, and an optional footer section that is written once at the end of the output. The body section can contain special variables that are substituted at run time with values computed during the execution of the query, such as values and names of output record fields, and the number of fields in the output records. The header and footer sections can contain the same variables available to the body section, except for those that refer to values of output record fields.
Template files can be specified in two different ways: as raw format templates, or as structured format templates.
Raw Format Templates
In the raw format, the three template sections are specified as three different files. The template file containing the body section is specified using the tpl parameter, while the optional header and footer sections are specified with the tplHeader and tplFooter parameters, respectively.
The following is a sample raw format template file containing the body section:
The Url %cs-uri-stem%, requested by %c-ip%, took %time-taken% milliseconds to execute.
It was requested at %time% o’clock.
The following command parses an IIS log file and creates a text file formatted according to the template file:
LogParser "SELECT * INTO out.txt FROM extend1.log" -o:TPL -tpl:mytemplate.tpl
The resulting output will look like the following example:
The Url /default.htm, requested by 192.168.1.102, took 24 milliseconds to execute.
It was requested at 04:23:45 o’clock.
The Url /mydocuments/index.html, requested by 192.168.1.104, took 134 milliseconds to execute.
It was requested at 04:23:47 o’clock.
The Url /mydocuments/styles/style.css, requested by 192.168.1.101, took 49 milliseconds to execute.
It was requested at 04:23:48 o’clock.
Structured Format Templates
In the structured format, a single template file contains the header, body, and footer sections, each enclosed within special <LPHEADER>, <LPBODY>, and <LPFOOTER> tags that mark the boundaries of each section. Structured format template files are specified using the tpl parameter.
The following is a sample structured format template file:
<LPHEADER>This is my template, for a query containing %FIELDS_NUM% fields, executed by %USERNAME%.
</LPHEADER>
Some ignored comment here.
<LPBODY>The Url %cs-uri-stem%, requested by %c-ip%, took %time-taken% milliseconds to execute.
It was requested at %time% o’clock.
</LPBODY>
<LPFOOTER>End of report.
</LPFOOTER>
The following command parses an IIS log file and creates a text file formatted according to the template file:
LogParser "SELECT * INTO out.txt FROM extend1.log" -o:TPL -tpl:mytemplate.tpl
The resulting output will look like the following example:
This is my template, for a query containing 32 fields, executed by TestUser.
The Url /default.htm, requested by 192.168.1.102, took 24 milliseconds to execute.
It was requested at 04:23:45 o’clock.
The Url /mydocuments/index.html, requested by 192.168.1.104, took 134 milliseconds to execute.
It was requested at 04:23:47 o’clock.
The Url /mydocuments/styles/style.css, requested by 192.168.1.101, took 49 milliseconds to execute.
It was requested at 04:23:48 o’clock.
End of report.
Note: The TPL output format assumes that the character immediately following the opening tag for a section, such as <LPBODY>, belongs to that section.
Template Variables
The following table lists the variables that are available to template files:
Variable | Description | Example Template
%FIELD_n% | Value of the output record field with the specified 1-based index | First field value: %FIELD_1%
%field_name% | Value of the specified output record field | First field value: %SourceName%
%FIELDNAME_n% | Name of the output record field with the specified 1-based index | %FIELDNAME_1% value: %FIELD_1%
%FIELDS_NUM% | Number of output record fields | There are %FIELDS_NUM% fields.
%SYSTEM_TIMESTAMP% | Current system date and time, in UTC coordinates | Generated at %SYSTEM_TIMESTAMP%
%environment_variable% | Value of the specified environment variable (1) | Generated by %USERNAME%
Notes:
(1): When a variable matches both a field name and an environment variable, the field value is substituted.
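A structured format template rendered the way this section describes, as an added Python example that is not Log Parser code. The function names are hypothetical, and it assumes exact-case variable names, that unknown variables are left as written, and that header and footer never resolve field values; the timestamp is passed in so the output is reproducible.

```python
import re

SECTION_RE = {name: re.compile(rf"<{name}>(.*?)</{name}>", re.S)
              for name in ("LPHEADER", "LPBODY", "LPFOOTER")}
VAR_RE = re.compile(r"%([^%\s]+)%")
INDEXED_RE = re.compile(r"(FIELD|FIELDNAME)_(\d+)")

# Constructed from the page's sample template (one body line kept).
SAMPLE_TEMPLATE = (
    "<LPHEADER>This is my template, for a query containing %FIELDS_NUM% fields, "
    "executed by %USERNAME%.\n</LPHEADER>\n"
    "Some ignored comment here.\n"
    "<LPBODY>The Url %cs-uri-stem%, requested by %c-ip%, took %time-taken% "
    "milliseconds to execute.\n</LPBODY>\n"
    "<LPFOOTER>End of report.\n</LPFOOTER>\n"
)


def split_sections(template):
    """Return (header, body, footer); text outside the three tags is ignored."""
    found = {}
    for name, rx in SECTION_RE.items():
        m = rx.search(template)
        found[name] = m.group(1) if m else None
    if found["LPBODY"] is None:
        raise ValueError("template has no <LPBODY> section")
    return found["LPHEADER"] or "", found["LPBODY"], found["LPFOOTER"] or ""


def substitute(text, names, values, env, timestamp):
    """Replace %var% tokens. values=None marks header/footer: no field values."""
    def resolve(m):
        var = m.group(1)
        indexed = INDEXED_RE.fullmatch(var)
        if indexed and 1 <= int(indexed.group(2)) <= len(names):
            i = int(indexed.group(2)) - 1          # variables use 1-based indexes
            if indexed.group(1) == "FIELDNAME":
                return names[i]
            if values is not None:
                return str(values[i])
        if var == "FIELDS_NUM":
            return str(len(names))
        if var == "SYSTEM_TIMESTAMP":
            return timestamp
        if values is not None and var in names:    # field wins over environment
            return str(values[names.index(var)])
        return env.get(var, m.group(0))            # unknown: left as written
    return VAR_RE.sub(resolve, text)


def render(template, names, records, env, timestamp):
    """Header once, body once per record, footer once."""
    header, body, footer = split_sections(template)
    out = [substitute(header, names, None, env, timestamp)]
    out += [substitute(body, names, rec, env, timestamp) for rec in records]
    out.append(substitute(footer, names, None, env, timestamp))
    return "".join(out)


if __name__ == "__main__":
    fields = ["cs-uri-stem", "c-ip", "time-taken"]
    rows = [["/default.htm", "192.168.1.102", 24]]
    print(render(SAMPLE_TEMPLATE, fields, rows, {"USERNAME": "TestUser"},
                 "2004-04-18 18:48:04"), end="")
```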
TPL Output Format Into-Entity Syntax
<into-entity> ::= <filename>|STDOUT
The <into-entity> specified in queries using the TPL output format is either:
A filename;
The "STDOUT" keyword, which specifies that the output data is to be written to the output stream (the console output).
The default into-entity for queries that do not specify an INTO clause is "STDOUT".
The TPL output format supports the multiplex feature, which can be enabled by specifying '*' wildcards in the into-entity filename. This feature allows output records to be written to different files depending on the values of their fields. For more information on the multiplex feature, see Multiplexing Output Records.
Examples:
INTO MyPage.html
INTO \\COMPUTER01\Reports\report.txt
INTO STDOUT
INTO Reports_*_*\Report*.txt
TPL Output Format Parameters
The TPL output format supports the following parameters:
tpl
Values: filepath
Default: not specified
Description: Template file.
Details: When using raw format template files, this parameter specifies the template file containing the body section. When using structured format template files, this parameter specifies the single template file that contains the header, body, and footer sections. For more information on template files, see Template Files.
Example: -tpl:MyTemplate.tpl
tplHeader
Values: filepath
Default: not specified
Description: Template header file.
Details: When using raw format template files, this parameter specifies the template file containing the header section. When using structured format template files, this parameter specifies a raw format template file that overrides the <LPHEADER> section of the structured format template file specified with the "tpl" parameter. For more information on template files, see Template Files.
Example: -tplHeader:MyTemplateHeader.tpl
tplFooter
Values: filepath
Default: not specified
Description: Template footer file.
Details: When using raw format template files, this parameter specifies the template file containing the footer section. When using structured format template files, this parameter specifies a raw format template file that overrides the <LPFOOTER> section of the structured format template file specified with the "tpl" parameter. For more information on template files, see Template Files.
Example: -tplFooter:MyTemplateFooter.tpl
noEmptyFile
Values: ON|OFF
Default: ON
Description: Do not generate empty files.
Details: When a query does not produce output records, the TPL output format does not write a body section, and the resulting output file could be empty. Setting this parameter to "ON" causes the TPL output format to avoid generating an empty file in these situations.
Example: -noEmptyFile:OFF
oCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the output text.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -oCodepage:1245
fileMode
Values: 0|1|2
Default: 1
Description: Action to perform when an output file already exists.
Details: This parameter controls the behavior of the TPL output format when the into-entity specifies directly or indirectly through the "multiplex" feature the name of a file that already exists. The possible values for this parameter are:
0: existing files are appended with the output;
1: existing files are overwritten with the output;
2: existing files are left intact, discarding the output.
Example: -fileMode:0
TPL Output Format Examples
Last 50 Security Events
Create an HTML page containing the most recent 50 events from the Security event log:
LogParser "SELECT TOP 50 TimeGenerated, SourceName, EventID, Message INTO Events.html FROM Security" -i:EVT -direction:BW -o:TPL -tpl:HTMLBody.txt -tplHeader:HTMLHeader.txt -tplFooter:HTMLFooter.txt
MSDN BLogs Channel Titles
Display titles of current channels on MSDN BLogs:
LogParser "SELECT title INTO channels.txt FROM http://blogs.msdn.com/MainFeed.aspx#/rss/channel/item" -i:XML -fMode:Tree -o:TPL -tpl:mytemplate.tpl
TSV Output Format
The TSV output format writes output records as tab-separated or space-separated values text.
The output of the TSV output format consists of multiple lines of text, one line for each output record. Each line contains the values of the output record fields, separated by either a tab character or a space character, depending on the value of the oSeparator parameter. If enabled through the headers parameter, the first line in the output is a "header" that contains the names of the fields.
The following sample shows the output of the TSV output format when using the default values for its parameters:
EventID	SourceName	EventType	TimeGenerated
6009	EventLog	4	2004-04-18 18:48:04
6005	EventLog	4	2004-04-18 18:48:04
7024	Service Control Manager	1	2004-04-18 18:48:27
7035	Service Control Manager	4	2004-04-18 18:48:27
7035	Service Control Manager	4	2004-04-18 18:48:27
7036	Service Control Manager	4	2004-04-18 18:48:27
7036	Service Control Manager	4	2004-04-18 18:48:27
7035	Service Control Manager	4	2004-04-18 18:48:27
7036	Service Control Manager	4	2004-04-18 18:48:27
7035	Service Control Manager	4	2004-04-18 18:48:27
7036	Service Control Manager	4	2004-04-18 18:48:27
7035	Service Control Manager	4	2004-04-18 18:48:27
7036	Service Control Manager	4	2004-04-18 18:48:27
7035	Service Control Manager	4	2004-04-18 18:48:27
7036	Service Control Manager	4	2004-04-18 18:48:27
7036	Service Control Manager	4	2004-04-18 18:48:27
7035	Service Control Manager	4	2004-04-18 18:48:36
7036	Service Control Manager	4	2004-04-18 18:51:26
7036	Service Control Manager	4	2004-04-18 18:51:29
6006	EventLog	4	2004-04-18 18:51:37
Into-Entity Syntax
Parameters
Examples
See also:
CSV Output Format
TSV Input Format
TSV Output Format Into-Entity Syntax
<into-entity> ::= <filename> |
                  STDOUT
The <into-entity> specified in queries using the TSV output format is either:
A filename;
The "STDOUT" keyword, which specifies that the output data is to be written to the output stream (the console output).
The default into-entity for queries that do not specify an INTO clause is "STDOUT".
The TSV output format supports the multiplex feature, which can be enabled by specifying '*' wildcards in the into-entity filename. This feature allows output records to be written to different files depending on the values of their fields. For more information on the multiplex feature, see Multiplexing Output Records.
Examples:
INTO report.tsv
INTO \\COMPUTER01\Reports\report.tsv
INTO STDOUT
INTO Reports_*_*\Report*.tsv
Page 480
TSV Output Format Parameters
The TSV output format supports the following parameters:

headers
Values: ON | OFF | AUTO
Default: AUTO
Description: Write a header line containing the field names.
Details: This parameter controls the header line that is output at the beginning of each file. The possible values for this parameter are:
ON: always write the header;
OFF: never write the header;
AUTO: write the header only when not appending to an existing file.
Example: -headers:OFF

oSeparator
Values: any string | space | tab
Default: tab
Description: Separator between fields.
Details: This parameter controls the separator to be used between field values. The "tab" keyword causes the TSV output format to use a single tab character between the fields, while the "space" keyword causes the TSV output format to use a single space character.
Example: -oSeparator:space

oTsFormat
Values: timestamp format
Default: yyyy-MM-dd hh:mm:ss
Description: Format of timestamp values in the output TSV data.
Details: This parameter specifies the date and/or time format to use when formatting values of the TIMESTAMP data type. For more information on date and time formats, see Timestamp Format Specifiers.
Example: -oTsFormat:"MMM dd, yyyy"

oCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the output text.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -oCodepage:1245

fileMode
Values: 0 | 1 | 2
Default: 1
Description: Action to perform when an output file already exists.
Details: This parameter controls the behavior of the TSV output format when the into-entity specifies, directly or indirectly through the "multiplex" feature, the name of a file that already exists. The possible values for this parameter are:
0: existing files are appended with the output;
1: existing files are overwritten with the output;
2: existing files are left intact, discarding the output.
Example: -fileMode:0
Page 483
TSV Output Format Examples
File Information
Create a TSV file containing information on the files contained in the specified directory:
LogParser "SELECT Path, Name, Size, Attributes INTO Files.tsv FROM C:\Test\*.*" -i:FS -o:TSV -recurse:0
Security Events
Retrieve the 10 latest events from the Security event log and write their information to a TSV file for each event ID:
LogParser "SELECT TOP 10 EventID, EventTypeName, Message INTO Events_*.tsv FROM Security" -i:EVT -direction:BW -o:TSV
Page 484
W3C Output Format
The W3C output format writes output records in the W3C Extended Log File Format.
The following example shows a sample output generated by the W3C output format:
#Software: Microsoft Log Parser
#Version: 1.0
#Date: 2004-10-25 14:20:40
#Fields: date time s-id s-type s-category
2004-04-18 18:48:04 6009 4 0
2004-04-18 18:48:04 6005 4 0
2004-04-18 18:48:27 7024 1 0
2004-04-18 18:48:27 7035 4 0
2004-04-18 18:48:27 7035 4 0
2004-04-18 18:48:27 7036 4 0
2004-04-18 18:48:27 7036 4 0
2004-04-18 18:48:27 7035 4 0
2004-04-18 18:48:27 7036 4 0
Into-Entity Syntax, Parameters, Examples
See also: W3C Input Format
Page 485
W3C Output Format Into-Entity Syntax
<into-entity> ::= <filename> |
                  STDOUT
The <into-entity> specified in queries using the W3C output format is either:
A filename;
The "STDOUT" keyword, which specifies that the output data is to be written to the output stream (the console output).
The default into-entity for queries that do not specify an INTO clause is "STDOUT".
The W3C output format supports the multiplex feature, which can be enabled by specifying '*' wildcards in the into-entity filename. This feature allows output records to be written to different files depending on the values of their fields. For more information on the multiplex feature, see Multiplexing Output Records.
Examples:
INTO report.log
INTO \\COMPUTER01\Reports\report.log
INTO STDOUT
INTO Reports_*_*\Report*.log
Page 486
W3C Output Format Parameters
The W3C output format supports the following parameters:

rtp
Values: number of rows
Default: 10
Description: Rows to print before pausing.
Details: When writing to STDOUT, the W3C output format displays output records in batches made up of a number of rows equal to the value specified for this parameter. Once a batch of rows has been displayed, the W3C output format prompts the user to press a key to display the next batch of rows. Specifying "-1" for this parameter disables batching altogether.
Example: -rtp:-1

oDQuotes
Values: ON | OFF
Default: OFF
Description: Enclose string values in double-quote characters.
Details: When this parameter is set to "ON", the W3C output format writes string values with double-quote (") characters around them.
Example: -oDQuotes:ON

oDirTime
Values: any string
Default: not specified
Description: Content of the "#Date" directive header.
Details: The W3C output format uses the value specified for this parameter as the content of the "#Date" directive written to the header of the output file. When a value is not specified, the W3C output format uses the current date and time.
Example: -oDirTime:"1973-05-28 03:02:42"

encodeDelim
Values: ON | OFF
Default: OFF
Description: Substitute space characters within field values with plus characters.
Details: When this parameter is set to "ON", the W3C output format substitutes space characters found in string values with plus (+) characters, in order to generate W3C output that is formatted correctly. When this parameter is set to "OFF", space characters within field values are preserved, potentially generating invalid W3C output.
Example: -encodeDelim:ON

oCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the output text.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -oCodepage:1245

fileMode
Values: 0 | 1 | 2
Default: 1
Description: Action to perform when an output file already exists.
Details: This parameter controls the behavior of the W3C output format when the into-entity specifies, directly or indirectly through the "multiplex" feature, the name of a file that already exists. The possible values for this parameter are:
0: existing files are appended with the output;
1: existing files are overwritten with the output;
2: existing files are left intact, discarding the output.
Example: -fileMode:0
Page 489
W3C Output Format Examples
Event Log Report
Create a W3C file with information from the System event log:
LogParser "SELECT TO_DATE(TimeGenerated) AS date, TO_TIME(TimeGenerated) AS time, SourceName AS s-source, EventID AS s-event-id, EventCategory AS s-event-category INTO report.log FROM System" -i:EVT -o:W3C -encodeDelim:ON
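The effect of the encodeDelim parameter on a consumer of the report, as an added example that is not part of the original documentation: a reader for W3C output that takes its column names from the "#Fields" directive, reverses the plus-for-space substitution, and sets aside rows whose value count does not match the directive, which is what a space inside a value produces when the file was written with -encodeDelim:OFF. The field names are those of the command above; the rows are constructed sample data.

```python
# Constructed sample in the layout of the W3C output shown earlier. The third
# row is what a source name containing spaces looks like with -encodeDelim:OFF.
SAMPLE = """\
#Software: Microsoft Log Parser
#Version: 1.0
#Date: 2004-10-25 14:20:40
#Fields: date time s-source s-event-id s-event-category
2004-04-18 18:48:04 EventLog 6009 0
2004-04-18 18:48:27 Service+Control+Manager 7035 0
2004-04-18 18:48:27 Service Control Manager 7036 0
"""


def parse_w3c(text, encode_delim=True):
    """Return (directives, records, rejected).

    directives: dict built from the '#Name: value' header lines.
    records:    list of dicts keyed by the names in the #Fields directive.
    rejected:   list of (line_number, line) for rows whose number of values
                differs from the number of names in #Fields.
    """
    directives, fields, records, rejected = {}, [], [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # Split on the first colon only: the #Date value contains colons.
            name, _, value = line[1:].partition(":")
            directives[name.strip()] = value.strip()
            if name.strip() == "Fields":
                fields = value.split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            # Columns can no longer be assigned reliably; do not guess.
            rejected.append((number, line))
            continue
        if encode_delim:
            # Reverse the '+' substitution. This is lossy: a '+' that was in
            # the original value also comes back as a space.
            values = [value.replace("+", " ") for value in values]
        records.append(dict(zip(fields, values)))
    return directives, records, rejected


if __name__ == "__main__":
    header, rows, bad = parse_w3c(SAMPLE)
    print(header["Fields"])
    for row in rows:
        print(row)
    for number, line in bad:
        print(f"line {number} rejected: {line}")
```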
Page 490
XML Output Format
The XML output format writes output records as XML document nodes.
Users can choose between four different structures for the output XML document. Different structures format the output record fields in different ways, giving users the ability to fine-tune the generated XML for their applications.
The following example command generates an XML document containing fields from the System event log:
LogParser "SELECT TimeGenerated, SourceName, EventID, Message INTO Events.xml FROM System"
The output XML will look like the following example:
<?xml version="1.0" encoding="ISO-10646-UCS-2" standalone="yes" ?>
<!DOCTYPE ROOT[
 <!ATTLIST ROOT DATE_CREATED CDATA #REQUIRED>
 <!ATTLIST ROOT CREATED_BY CDATA #REQUIRED>
 <!ELEMENT TimeGenerated (#PCDATA)>
 <!ELEMENT SourceName (#PCDATA)>
 <!ELEMENT EventID (#PCDATA)>
 <!ELEMENT Message (#PCDATA)>
 <!ELEMENT ROW (TimeGenerated, SourceName, EventID, Message)>
 <!ELEMENT ROOT (ROW*)>
]>
<ROOT DATE_CREATED="2004-11-08 16:26:54" CREATED_BY="Microsoft Log Parser V2.2">
 <ROW>
  <TimeGenerated>2004-04-18 18:48:04</TimeGenerated>
  <SourceName>EventLog</SourceName>
  <EventID>6009</EventID>
  <Message>Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.</Message>
 </ROW>
 <ROW>
  <TimeGenerated>2004-04-18 18:48:04</TimeGenerated>
  <SourceName>EventLog</SourceName>
  <EventID>6005</EventID>
  <Message>The Event log service was started.</Message>
 </ROW>
 <ROW>
  <TimeGenerated>2004-04-18 18:48:27</TimeGenerated>
  <SourceName>Service Control Manager</SourceName>
  <EventID>7035</EventID>
  <Message>The Network Connections service was successfully sent a start control.</Message>
 </ROW>
</ROOT>
Document Structures, Into-Entity Syntax, Parameters, Examples
See also: XML Input Format
Page 492
XML Output Format Document Structures
The XML output format generates XML documents that can be structured in four different ways, depending on the value specified for the structure parameter.

Structure 1
When the "structure" parameter is set to "1", the XML output format creates a node named "ROW" for each output record. This node in turn contains nodes for each field in the output record, named after the field names and with node values containing the field values.
The following example shows an XML document created with structure "1":
<?xml version="1.0" encoding="ISO-10646-UCS-2" standalone="yes" ?>
<!DOCTYPE ROOT[
 <!ATTLIST ROOT DATE_CREATED CDATA #REQUIRED>
 <!ATTLIST ROOT CREATED_BY CDATA #REQUIRED>
 <!ELEMENT TimeGenerated (#PCDATA)>
 <!ELEMENT SourceName (#PCDATA)>
 <!ELEMENT EventID (#PCDATA)>
 <!ELEMENT Message (#PCDATA)>
 <!ELEMENT ROW (TimeGenerated, SourceName, EventID, Message)>
 <!ELEMENT ROOT (ROW*)>
]>
<ROOT DATE_CREATED="2004-11-08 17:36:44" CREATED_BY="Microsoft Log Parser V2.2">
 <ROW>
  <TimeGenerated>2004-04-18 18:48:04</TimeGenerated>
  <SourceName>EventLog</SourceName>
  <EventID>6009</EventID>
  <Message>Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.</Message>
 </ROW>
 <ROW>
  <TimeGenerated>2004-04-18 18:48:04</TimeGenerated>
  <SourceName>EventLog</SourceName>
  <EventID>6005</EventID>
  <Message>The Event log service was started.</Message>
 </ROW>
</ROOT>

Structure 2
Setting the "structure" parameter to "2" causes the XML output format to generate XML documents that are formatted according to structure "1", and in which field nodes have a "TYPE" attribute that specifies the data type of the corresponding output record field.
The following example shows an XML document created with structure "2":
<?xml version="1.0" encoding="ISO-10646-UCS-2" standalone="yes" ?>
<!DOCTYPE ROOT[
 <!ATTLIST ROOT DATE_CREATED CDATA #REQUIRED>
 <!ATTLIST ROOT CREATED_BY CDATA #REQUIRED>
 <!ELEMENT TimeGenerated (#PCDATA)>
 <!ATTLIST TimeGenerated TYPE CDATA #REQUIRED>
 <!ELEMENT SourceName (#PCDATA)>
 <!ATTLIST SourceName TYPE CDATA #REQUIRED>
 <!ELEMENT EventID (#PCDATA)>
 <!ATTLIST EventID TYPE CDATA #REQUIRED>
 <!ELEMENT Message (#PCDATA)>
 <!ATTLIST Message TYPE CDATA #REQUIRED>
 <!ELEMENT ROW (TimeGenerated, SourceName, EventID, Message)>
 <!ELEMENT ROOT (ROW*)>
]>
<ROOT DATE_CREATED="2004-11-08 17:30:25" CREATED_BY="Microsoft Log Parser V2.2">
 <ROW>
  <TimeGenerated TYPE="TIMESTAMP">2004-04-18 18:48:04</TimeGenerated>
  <SourceName TYPE="STRING">EventLog</SourceName>
  <EventID TYPE="INTEGER">6009</EventID>
  <Message TYPE="STRING">Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.</Message>
 </ROW>
 <ROW>
  <TimeGenerated TYPE="TIMESTAMP">2004-04-18 18:48:04</TimeGenerated>
  <SourceName TYPE="STRING">EventLog</SourceName>
  <EventID TYPE="INTEGER">6005</EventID>
  <Message TYPE="STRING">The Event log service was started.</Message>
 </ROW>
</ROOT>

Structure 3
When the "structure" parameter is set to "3", the XML output format creates a node named "ROW" for each output record. This node in turn contains nodes named "FIELD" for each field in the output record; each "FIELD" node has a node value equal to the field value, and a "NAME" attribute that specifies the field name.
The following example shows an XML document created with structure "3":
<?xml version="1.0" encoding="ISO-10646-UCS-2" standalone="yes" ?>
<!DOCTYPE ROOT[
 <!ATTLIST ROOT DATE_CREATED CDATA #REQUIRED>
 <!ATTLIST ROOT CREATED_BY CDATA #REQUIRED>
 <!ELEMENT FIELD (#PCDATA)>
 <!ATTLIST FIELD NAME CDATA #REQUIRED>
 <!ELEMENT ROW (FIELD, FIELD, FIELD, FIELD)>
 <!ELEMENT ROOT (ROW*)>
]>
<ROOT DATE_CREATED="2004-11-08 17:32:41" CREATED_BY="Microsoft Log Parser V2.2">
 <ROW>
  <FIELD NAME="TimeGenerated">2004-04-18 18:48:04</FIELD>
  <FIELD NAME="SourceName">EventLog</FIELD>
  <FIELD NAME="EventID">6009</FIELD>
  <FIELD NAME="Message">Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.</FIELD>
 </ROW>
 <ROW>
  <FIELD NAME="TimeGenerated">2004-04-18 18:48:04</FIELD>
  <FIELD NAME="SourceName">EventLog</FIELD>
  <FIELD NAME="EventID">6005</FIELD>
  <FIELD NAME="Message">The Event log service was started.</FIELD>
 </ROW>
</ROOT>

Structure 4
Setting the "structure" parameter to "4" causes the XML output format to generate XML documents that are formatted according to structure "3", and in which "FIELD" nodes have an additional "TYPE" attribute that specifies the data type of the corresponding output record field.
The following example shows an XML document created with structure "4":
<?xml version="1.0" encoding="ISO-10646-UCS-2" standalone="yes" ?>
<!DOCTYPE ROOT[
 <!ATTLIST ROOT DATE_CREATED CDATA #REQUIRED>
 <!ATTLIST ROOT CREATED_BY CDATA #REQUIRED>
 <!ELEMENT FIELD (#PCDATA)>
 <!ATTLIST FIELD NAME CDATA #REQUIRED>
 <!ATTLIST FIELD TYPE CDATA #REQUIRED>
 <!ELEMENT ROW (FIELD, FIELD, FIELD, FIELD)>
 <!ELEMENT ROOT (ROW*)>
]>
<ROOT DATE_CREATED="2004-11-08 17:35:04" CREATED_BY="Microsoft Log Parser V2.2">
 <ROW>
  <FIELD NAME="TimeGenerated" TYPE="TIMESTAMP">2004-04-18 18:48:04</FIELD>
  <FIELD NAME="SourceName" TYPE="STRING">EventLog</FIELD>
  <FIELD NAME="EventID" TYPE="INTEGER">6009</FIELD>
  <FIELD NAME="Message" TYPE="STRING">Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.</FIELD>
 </ROW>
 <ROW>
  <FIELD NAME="TimeGenerated" TYPE="TIMESTAMP">2004-04-18 18:48:04</FIELD>
  <FIELD NAME="SourceName" TYPE="STRING">EventLog</FIELD>
  <FIELD NAME="EventID" TYPE="INTEGER">6005</FIELD>
  <FIELD NAME="Message" TYPE="STRING">The Event log service was started.</FIELD>
 </ROW>
</ROOT>
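A consumer that has to accept reports written with any of the four structures can normalize them into one record shape. The reader below is an added example, not code from Log Parser or its documentation: it maps field-named nodes (structures 1 and 2) and "FIELD" nodes with a "NAME" attribute (structures 3 and 4) to the same dictionary, converts values when a "TYPE" attribute is present, and accepts rootless text as written with -standAlone:OFF. The sample documents are constructed, their XML declaration omits the encoding attribute because they are Python strings rather than files, and the TIMESTAMP pattern assumes the timestamp layout shown in the examples above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime


def _convert(text, type_name):
    """Convert a node value using its TYPE attribute, when there is one."""
    if text is None:
        # Empty node: a NULL field written with -noEmptyField:OFF.
        return None
    if type_name == "INTEGER":
        return int(text)
    if type_name == "TIMESTAMP":
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return text  # STRING, other types, or no TYPE attribute (structures 1, 3)


def read_rows(xml_text, row_name="ROW", field_name="FIELD", stand_alone=True):
    """Return one dict per output record, whatever the document structure.

    row_name and field_name mirror the -rowName and -fieldName parameters.
    """
    if not stand_alone:
        # -standAlone:OFF output has no header and no root node, so it is
        # not a well-formed document until it is wrapped in one.
        xml_text = "<WRAPPER>" + xml_text + "</WRAPPER>"
    root = ET.fromstring(xml_text)
    rows = []
    for row in root.iter(row_name):
        record = {}
        for node in row:
            if node.tag == field_name and "NAME" in node.attrib:
                name = node.attrib["NAME"]      # structures 3 and 4
            else:
                name = node.tag                 # structures 1 and 2
            record[name] = _convert(node.text, node.attrib.get("TYPE"))
        rows.append(record)
    return rows


# Constructed sample: structure 1 with the inline DTD (schemaType 1).
STRUCTURE_1 = """<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ROOT[
 <!ATTLIST ROOT DATE_CREATED CDATA #REQUIRED>
 <!ATTLIST ROOT CREATED_BY CDATA #REQUIRED>
 <!ELEMENT TimeGenerated (#PCDATA)>
 <!ELEMENT SourceName (#PCDATA)>
 <!ELEMENT EventID (#PCDATA)>
 <!ELEMENT Message (#PCDATA)>
 <!ELEMENT ROW (TimeGenerated, SourceName, EventID, Message)>
 <!ELEMENT ROOT (ROW*)>
]>
<ROOT DATE_CREATED="2004-11-08 17:36:44" CREATED_BY="Microsoft Log Parser V2.2">
 <ROW>
  <TimeGenerated>2004-04-18 18:48:04</TimeGenerated>
  <SourceName>EventLog</SourceName>
  <EventID>6005</EventID>
  <Message>The Event log service was started.</Message>
 </ROW>
</ROOT>"""

# Constructed sample: structure 4 written with -standAlone:OFF, with one
# empty node standing for a NULL Message field.
STRUCTURE_4_FRAGMENT = """<ROW>
 <FIELD NAME="TimeGenerated" TYPE="TIMESTAMP">2004-04-18 18:48:04</FIELD>
 <FIELD NAME="SourceName" TYPE="STRING">EventLog</FIELD>
 <FIELD NAME="EventID" TYPE="INTEGER">6005</FIELD>
 <FIELD NAME="Message" TYPE="STRING"></FIELD>
</ROW>
<ROW>
 <FIELD NAME="TimeGenerated" TYPE="TIMESTAMP">2004-04-18 18:48:27</FIELD>
 <FIELD NAME="SourceName" TYPE="STRING">Service Control Manager</FIELD>
 <FIELD NAME="EventID" TYPE="INTEGER">7035</FIELD>
 <FIELD NAME="Message" TYPE="STRING">The Network Connections service was successfully sent a start control.</FIELD>
</ROW>"""

if __name__ == "__main__":
    print(read_rows(STRUCTURE_1))
    print(read_rows(STRUCTURE_4_FRAGMENT, stand_alone=False))
```

Without a "TYPE" attribute every value stays a string, so the same event is "6005" when read from structure 1 and 6005 when read from structure 4.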
Page 495
XML Output Format Into-Entity Syntax
<into-entity> ::= <filename> |
                  STDOUT
The <into-entity> specified in queries using the XML output format is either:
A filename;
The "STDOUT" keyword, which specifies that the output data is to be written to the output stream (the console output).
The default into-entity for queries that do not specify an INTO clause is "STDOUT".
The XML output format supports the multiplex feature, which can be enabled by specifying '*' wildcards in the into-entity filename. This feature allows output records to be written to different files depending on the values of their fields. For more information on the multiplex feature, see Multiplexing Output Records.
Examples:
INTO report.xml
INTO \\COMPUTER01\Reports\report.xml
INTO STDOUT
INTO Reports_*_*\Report*.xml
Page 496
XML Output Format Parameters
The XML output format supports the following parameters:

structure
Values: 1 | 2 | 3 | 4
Default: 1
Description: Structure of the output document.
Details: For a description of the different structures available, see Document Structures.
Example: -structure:4

rootName
Values: string
Default: ROOT
Description: Name of the document root node.
Details: This parameter allows users to customize the name of the single root node that contains all the other nodes in the output document.
Example: -rootName:REPORT

rowName
Values: string
Default: ROW
Description: Name of the node containing the output record fields.
Details: This parameter allows users to customize the name of the node that is generated for each output record.
Example: -rowName:ENTRY

fieldName
Values: string
Default: FIELD
Description: Name of the node containing the output record field values.
Details: This parameter allows users to customize the name of the node that is generated for each output record field when the "structure" parameter is set to "3" or "4".
Example: -fieldName:DATA

xslLink
Values: path to XSL document
Default: not specified
Description: XSL document to be referenced by the output XML document.
Details: Specifying a value for this parameter causes the XML output format to place a link to the specified XSL stylesheet in the header of the output XML document. XSL-enabled XML browsers will follow the specified link and format the output XML document accordingly. The link placed in the document header is formatted as follows:
<?xml-stylesheet type="text/xsl" href="C:\XSL\MyXSL.xsl"?>
Example: -xslLink:C:\XSL\MyXSL.xsl

schemaType
Values: 0 | 1
Default: 1
Description: Type of inline schema.
Details: When this parameter is set to "1", the output XML document contains an inline DTD schema. Setting this parameter to "0" prevents the XML output format from generating an inline schema.
Example: -schemaType:0

compact
Values: ON | OFF
Default: OFF
Description: Suppress indentations and extra lines in output.
Details: When this parameter is set to "OFF", the XML output format generates XML documents that are optimized for human readability, indenting nodes according to their depth, and writing nodes on multiple lines. Setting this parameter to "ON" causes the XML output format to write each "ROW" node on a single line without indentation.
Example: -compact:ON

noEmptyField
Values: ON | OFF
Default: OFF
Description: Avoid writing empty nodes for NULL field values.
Details: When this parameter is set to "OFF", output record fields having NULL values are rendered as empty nodes. Setting this parameter to "ON" prevents the XML output format from generating a node when the corresponding output record field has a NULL value.
Example: -noEmptyField:ON

standAlone
Values: ON | OFF
Default: ON
Description: Create a well-formed, stand-alone XML document.
Details: When this parameter is set to "ON", the XML output format generates well-formed XML documents having an XML header and a single document root node. When this parameter is set to "OFF", the XML output format generates XML text that only contains the output record nodes, with no XML header and no document root node.
Example: -standAlone:OFF

oCodepage
Values: codepage ID (number)
Default: 0
Description: Codepage of the output text.
Details: 0 is the system codepage, -1 is UNICODE.
Example: -oCodepage:1245

fileMode
Values: 0 | 1 | 2
Default: 1
Description: Action to perform when an output file already exists.
Details: This parameter controls the behavior of the XML output format when the into-entity specifies, directly or indirectly through the "multiplex" feature, the name of a file that already exists. The possible values for this parameter are:
0: existing files are appended with the output;
1: existing files are overwritten with the output;
2: existing files are left intact, discarding the output.
Example: -fileMode:0
Page 501
XML Output Format Examples
Account Logons
Create an XML document containing logon account names and dates from the Security Event Log messages:
LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO Report.xml FROM Security WHERE EventID NOT IN (541;542;543) AND EventType = 8 AND EventCategory = 2"
Page 502
Command-Line Operation
The Log Parser command-line executable is a single, standalone binary file ("LogParser.exe") that can be used from the Windows command-line shell to execute queries and perform other Log Parser tasks. The executable binary does not require any installation; once copied to a computer, it is ready to use.
Tip: If you want to run LogParser.exe from any directory without having to specify the absolute or relative path, you can add the Log Parser directory location to the "PATH" environment variable.
The Log Parser command-line executable works on commands supplied by the user. Commands are combinations of switches, or arguments, that specify parameters for the task that needs to be executed. The switches used with the Log Parser command-line executable must be entered with a dash character (-) followed by the switch name, as in the following example:
C:\>LogParser -h
Most switches require a user-supplied value; in these cases, the switch name must be followed by a colon character (:) and by the user-supplied value with no intervening spaces, as in the following example:
C:\>LogParser -iCodepage:931
If the user-supplied value contains spaces, the value can be surrounded by double-quote characters ("), as in the following example:
C:\>LogParser -chartTitle:"Top 20 Pages"
Depending on the switches used in a command, the Log Parser command-line executable can be used in four different modes of operation:
Query Execution Mode: this is the default mode of operation; in this mode, Log Parser is used to execute queries reading input records from an input format and writing output records to an output format.
Conversion Mode: in this mode, activated by the "-c" switch, Log Parser is used to execute built-in queries that convert log files between supported log file formats.
Defaults Override Mode: in this mode, activated by the "-saveDefaults" switch, users can override the default behavior of Log Parser by specifying custom default values for the execution parameters.
Help Mode: in this mode, activated by the "-h" switch, the command-line executable can be used to display to the console window a "quick reference" help on selected topics, such as information on input and output formats, syntax of functions, and syntax of the Log Parser SQL-Like query language.
See also: Global Switches Reference, Commands and Queries
Page 504
Query Execution Mode
"Query Execution Mode" is the default operational mode of the Log Parser command-line executable. In this mode, Log Parser is used to execute queries reading input records from an input format and writing output records to an output format.
The general syntax of commands in query execution mode is:
LogParser [-i:<input_format>] [<input_format_options>]
          [-o:<output_format>] [<output_format_options>]
          <SQL query> | file:<query_filename>[?param1=value1+...]
          [<global_switches>] [-queryInfo]

-i:<input_format>
Specifies the input format for the query. The "-i:" switch is followed by the name of the selected input format, as in the following example:
C:\>LogParser -i:IISW3C "SELECT * FROM extend1.log"
When an input format is not specified, Log Parser will attempt to select automatically an input format upon inspection of the <from-entity> in the FROM clause. For example, "System" suggests the use of the EVT Input Format, while "ex040302.log" suggests the use of the IISW3C Input Format. If the <from-entity> does not suggest a specific input format, the TextLine Input Format will be selected by default.

<input_format_options>
Specify values for input format parameters. These are entered as switches with names matching the input format's parameter names, followed by a colon and by the value for the parameter, as in the following examples:
C:\>LogParser -i:IISW3C -iCodepage:932 -iCheckpoint:MyCheckpoint.lpc "SELECT * FROM extend1.log"
C:\>LogParser -i:EVT -binaryFormat:ASC "SELECT * FROM System"
Parameter values containing spaces must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -i:EVT -stringsSep:"MY SEPARATOR" "SELECT * FROM System"
For more information on input format parameters, refer to the Input Format Reference.

-o:<output_format>
Specifies the output format for the query. The "-o:" switch is followed by the name of the selected output format, as in the following example:
C:\>LogParser -o:CSV "SELECT * FROM System"
When an output format is not specified, Log Parser will attempt to select automatically an output format upon inspection of the <into-entity> in the INTO clause. For example, "chart.gif" suggests the use of the CHART Output Format, while "MyFile.csv" suggests the use of the CSV Output Format. If the <into-entity> does not suggest a specific output format, or the query does not specify an INTO clause, the NAT Output Format will be selected by default.

<output_format_options>
Specify values for output format parameters. These are entered as switches with names matching the output format's parameter names, followed by a colon and by the value for the parameter, as in the following examples:
C:\>LogParser -o:NAT -rtp:-1 -fileMode:1 "SELECT * FROM System"
C:\>LogParser -o:CSV -tabs:ON "SELECT * FROM System"
Parameter values containing spaces must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -o:CHART -chartTitle:"Page Hits per Day" "SELECT date, COUNT(*) FROM extend1.log GROUP BY date"
For more information on output format parameters, refer to the Output Format Reference.

<SQL query>
Specifies the text of the Log Parser SQL-Like query. Since a query always contains spaces, the text of the query must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser "SELECT * FROM System"
Alternatively, a query can be specified through a text file with the "file:" switch, as shown in the next section. Commands containing both a query text argument and a "file:" switch are considered illegal and return an error.

file:<query_filename>[?param1=value1+...]
Specifies the name of a text file containing a Log Parser SQL-Like query. The text file specified must contain a valid query in the Log Parser SQL-Like language. Multiple spaces, comments, and new-line characters in the text file are ignored, allowing the query text to be formatted as desired for readability.
The following example shows an example content of a query text file:
SELECT TimeGenerated, EXTRACT_TOKEN(ResolvedSid, 1, '\\') AS Username -- only the 'username' portion
/* We want to retrieve the full user name */
USING RESOLVE_SID(Sid) AS ResolvedSid
FROM Security
The following example shows how the query is executed, assuming that the query text has been saved to a file named "MyQuery.sql":
C:\>LogParser -i:EVT file:Myquery.sql
Query text files can include parameters, which are substituted at run time with user-supplied text or environment variable values. Parameters are user-defined names in the query text enclosed within percent characters (%), such as "%MyParameter%". When issuing a Log Parser command to execute a query text file containing parameters, users can specify the values of the parameters by appending the question-mark character (?) to the query filename, followed by a list of pairs in the form of "parameter_name=parameter_value", separated by the plus character (+). For example, the following query contains two parameters:
SELECT EventID FROM %InputEventLog% WHERE SourceName = '%InputSourceName%'
The following example command executes the query substituting user-supplied values for the parameters:
C:\>LogParser -i:EVT file:Myquery.sql?InputEventLog=System+InputSourceName=EventLog
If a parameter name or value contains spaces, the name or value must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -i:EVT file:Myquery.sql?InputEventLog=System+InputSourceName="Service Control Manager"
If the value of a query text file parameter is not supplied by the user, Log Parser will search for the parameter name in the current environment variable set. If an environment variable is found matching the parameter name, its value will be substituted for the parameter; otherwise, the parameter name is left as-is in the query text.
The text of the query can also be specified directly as a command-line argument, as shown in the previous section. Commands containing both a query text argument and a "file:" switch are considered illegal and return an error.
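The substitution rules above interact with LIKE patterns: a wildcard pair such as '%TEMP%' has the same shape as a parameter, so an environment variable with that name changes the query. The following model of the documented precedence (user-supplied value, then environment variable, then left as-is) is an added example, not Log Parser's own code; it reports where each "%name%" token was resolved from so a query file can be checked before it is scheduled. Exact matching of supplied names, case-insensitive matching of environment variable names, and the helper names are assumptions of this model.

```python
import re

# A %name% token. Names may contain spaces, since the page allows quoted names.
PARAM = re.compile(r"%([^%\r\n]+)%")


def parse_param_list(arg):
    """Split the text after '?' ('a=1+b="x y"') into a {name: value} dict."""
    pairs = {}
    # '+' separates the pairs, except inside a double-quoted section.
    for item in re.findall(r'(?:"[^"]*"|[^+])+', arg):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"not a name=value pair: {item!r}")
        pairs[name.replace('"', "")] = value.replace('"', "")
    return pairs


def resolve(query_text, supplied, environ):
    """Return (final_text, report); report maps each token name to
    'supplied', 'environment' or 'unresolved'."""
    env = {key.upper(): value for key, value in environ.items()}
    report = {}

    def substitute(match):
        name = match.group(1)
        if name in supplied:
            report[name] = "supplied"
            return supplied[name]
        if name.upper() in env:
            report[name] = "environment"
            return env[name.upper()]
        report[name] = "unresolved"
        return match.group(0)  # left as-is in the query text

    return PARAM.sub(substitute, query_text), report


def environment_collisions(report, declared):
    """Names the query author never declared but the environment filled in."""
    return sorted(name for name, source in report.items()
                  if source == "environment" and name not in declared)


# Constructed query: the page's two parameters plus two LIKE patterns whose
# wildcards happen to form %name% tokens.
QUERY = ("SELECT EventID FROM %InputEventLog% "
         "WHERE SourceName = '%InputSourceName%' "
         "AND Message LIKE '%TEMP%' AND Strings LIKE '%failed%'")
# Constructed environment for the example.
ENVIRON = {"InputSourceName": "EventLog", "Temp": r"C:\Temp"}

if __name__ == "__main__":
    final, report = resolve(QUERY, {"InputEventLog": "System"}, ENVIRON)
    print(final)
    print(report)
    print(environment_collisions(report, {"InputEventLog", "InputSourceName"}))
```

Running the real command with the "-queryInfo" switch, described below, shows the query text after substitution without executing it.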

<global_switches>
Global switches control overall behaviors of the command, such as error handling and command statistics verbosity. For more information on global switches, refer to the Global Switches Reference.

-queryInfo
Displays diagnostic information about the command. When "-queryInfo" is specified, the command is not executed, and the following diagnostic information is displayed to the console window:
The text of the provided query, after being parsed and interpreted by the Log Parser SQL-Like engine core;
Names of the input and output formats selected;
Structure of the query output records, including field names and field data types.
This information can be used to troubleshoot a variety of problems, including unexpected query execution results, and query parameter substitution.
The following example uses the "-queryInfo" switch to display diagnostic information about the specified command:
C:\>LogParser "SELECT TO_UTCTIME(TimeGenerated) AS UTCTimeGenerated, SourceName FROM System WHERE EventID > 20" -queryInfo
The output of this command is:
Query:
  SELECT TO_UTCTIME([TimeGenerated]) AS UTCTimeGenerated, [SourceName]
  FROM System
  WHERE [EventID] > ANY (20)
Formats selected:
  Input format: EVT (Windows Event Log)
  Output format: NAT (Native Format)
Query fields:
  UTCTimeGenerated (T) SourceName (S)
See also: Command-Line Operation Reference, Global Switches Reference, Commands and Queries
Page 510
Conversion Mode
In "Conversion Mode", Log Parser is used to execute built-in queries to convert log files between the following formats:
BIN to W3C
IIS to W3C
BIN to IIS
IISW3C to IIS
Conversion mode is activated by the "-c" switch.
The general syntax of commands in conversion mode is:
LogParser -c -i:<input_format> -o:<output_format> <from_entity> <into_entity>
          [<where_clause>] [<input_format_options>] [<output_format_options>]
          [-multiSite[:ON|OFF]] [<global_switches>] [-queryInfo]
For more information on log file format conversions, refer to Converting File Formats.

-i:<input_format>
Specifies the input format for the conversion. The "-i:" switch is followed by the name of the selected input format, as in the following example:
C:\>LogParser -c -i:IISW3C -o:IIS extend1.log inetsv1.log
Unlike in Query Execution Mode, the input format specification is a mandatory argument for commands in conversion mode. The specified input format name must be one of the input formats in the table above for which a conversion is supported.

-o:<output_format>
Specifies the output format for the conversion. The "-o:" switch is followed by the name of the selected output format, as in the following example:
C:\>LogParser -c -i:IISW3C -o:IIS extend1.log inetsv1.log
Unlike in Query Execution Mode, the output format specification is a mandatory argument for commands in conversion mode. The specified output format name must be one of the output formats in the table above for which a conversion is supported.

<from_entity>
Specifies the input file(s) to be converted. This argument must conform to the <from_entity> syntax of the selected input format. For information on the syntax and interpretation of the <from_entity> values supported by each input format, refer to the Input Formats Reference. If the argument contains spaces, it must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -c -i:IISW3C -o:IIS "extend1.log;, <1>" inetsv1.log

<into_entity>
Specifies the conversion target output file. This argument must conform to the <into_entity> syntax of the selected output format. For information on the syntax and interpretation of the <into_entity> values supported by each output format, refer to the Output Formats Reference. If the argument contains spaces, it must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -c -i:IISW3C -o:IIS extend1.log "C:\My Folder\inetsv1.log"

<where_clause>
Specifies an optional WHERE clause to perform filtering on the input format entries.
The following example converts only the IISW3C log file entries that represent successful requests:
C:\>LogParser -c -i:IISW3C -o:IIS extend1.log inetsv1.log "WHERE sc-status BETWEEN 200 AND 399"

<input_format_options>
Specify values for input format parameters. These are entered as switches with names matching the input format's parameter names, followed by a colon and by the value for the parameter, as in the following example:
C:\>LogParser -c -i:IISW3C -o:IIS extend1.log inetsv1.log -iCodepage:932
For more information on input format parameters, refer to the Input Format Reference.

<output_format_options>
Specify values for output format parameters. These are entered as switches with names matching the output format's parameter names, followed by a colon and by the value for the parameter, as in the following example:
C:\>LogParser -c -i:IISW3C -o:IIS extend1.log inetsv1.log -fileMode:1
For more information on output format parameters, refer to the Output Format Reference.
Page 513

-multiSite[:ON|OFF]
Specifies that an IIS Central Binary log file is to be converted to multiple log files, one for each IIS Virtual Site. This option is only available when the conversion is from the BIN input format, and when the specified <into-entity> contains one "*" wildcard enabling the Multiplex Output Mode. The wildcard will be replaced with the numeric identifiers of the IIS Virtual Sites that served the requests logged in the central binary log file.
The following example converts a single IIS Central Binary log file to different W3C log files, one for each IIS Virtual Site that served a request logged in the central binary log:
C:\>LogParser -c -i:BIN -o:W3C raw1.ibl C:\NewLogs\W3SVC*\extend1.log -multiSite:ON

<global_switches>
Global switches control overall behaviors of the command, such as error handling and command statistics verbosity. For more information on global switches, refer to the Global Switches Reference.

-queryInfo
Displays diagnostic information about the conversion command. When "-queryInfo" is specified, the command is not executed, and the following diagnostic information is displayed to the console window:
The text of the conversion query, after being parsed and interpreted by the Log Parser SQL-Like engine core;
Names of the input and output formats selected;
Structure of the query output records, including field names and field data types.
This information can be used to troubleshoot unexpected conversion results.
The following example uses the "-queryInfo" switch to display diagnostic information about the specified conversion command:
C:\>LogParser -c -i:IISW3C -o:IIS extend1.log inetsv1.log -queryInfo
The output of this command is:
Query:
  SELECT [c-ip], [cs-username], TO_DATE(TO_LOCALTIME(TO_TIMESTAMP([date], [time]))),
         TO_TIME(TO_LOCALTIME(TO_TIMESTAMP([date], [time]))), [s-sitename],
         [s-computername], [s-ip], [time-taken], [sc-bytes], [cs-bytes], [sc-status],
         [sc-win32-status], [cs-method], [cs-uri-stem], [cs-uri-query]
  INTO inetsv1.log
  FROM extend1.log
Formats selected:
  Input format: IISW3C (IIS W3C Extended Log Format)
  Output format: IIS (IIS Log Format)
Query fields:
  c-ip (S) cs-username (S) TO_DATE(TO_LOCALTIME(TO_TIMESTAMP(date, time))) (T)
  TO_TIME(TO_LOCALTIME(TO_TIMESTAMP(date, time))) (T) s-sitename (S)
  s-computername (S) s-ip (S) time-taken (I) sc-bytes (I) cs-bytes (I)
  sc-status (I) sc-win32-status (I) cs-method (S) cs-uri-stem (S) cs-uri-query (S)
See also: Command-Line Operation Reference, Global Switches Reference, Converting File Formats
Page 516
Defaults Override Mode
In "Defaults Override Mode" users can specify new default values to replace the factory default values of global switches, input format parameters, and output format parameters. Values are overridden on the computer on which the "saveDefaults" command is executed, and the new values are in effect until they are overridden by a new override command, or until the factory defaults are restored with the "restoreDefaults" command. The new default values also affect the Log Parser scriptable COM components.
Note: For security reasons, properties that are used to specify confidential or sensitive information, such as usernames and passwords, cannot be overridden by the "Defaults Override Mode" feature.
The general syntax of commands in defaults override mode is:
LogParser -saveDefaults [-i:<input_format> <input_format_options>]
          [-o:<output_format> <output_format_options>] [<global_switches>]
LogParser -restoreDefaults

-i:<input_format> <input_format_options>
Specifies the input format whose parameters' default values are to be overridden, and the new default values for the selected parameters. The "-i:" switch is followed by the name of the selected input format, and the new default values are entered as switches with names matching the input format's parameter names, followed by a colon and by the value for the new default, as in the following example:
C:\>LogParser -saveDefaults -i:EVT -binaryFormat:ASC -resolveSIDs:ON
For more information on input format parameters, refer to the Input Format Reference.

-o:<output_format> <output_format_options>
Specifies the output format whose parameters' default values are to be overridden, and the new default values for the selected parameters. The "-o:" switch is followed by the name of the selected output format, and the new default values are entered as switches with names matching the output format's parameter names, followed by a colon and by the value for the new default, as in the following example:
C:\>LogParser -saveDefaults -o:NAT -rtp:-1
For more information on output format parameters, refer to the Output Format Reference.

<global_switches>
Specify new default values for global switches.
The following example command overrides the default value of the "-stats" global switch, together with the "rtp" parameter of the NAT output format:
C:\>LogParser -saveDefaults -o:NAT -rtp:-1 -stats:OFF
For more information on global switches, refer to the Global Switches Reference.

-restoreDefaults
Restores the factory defaults of global switches, input format parameters, and output format parameters. When specified, the "-restoreDefaults" switch must be the only argument of the command, as in the following example:
C:\>LogParser -restoreDefaults
See also: Command-Line Operation Reference, Global Switches Reference
©2004MicrosoftCorporation.Allrightsreserved.

Help Mode
"Help Mode", activated with the "-h" switch, offers users the possibility to access "quick reference" help topics displayed to the console output.
The help topics, selectable through additional command-line arguments, are:
    General Usage
    Query Language Syntax
    Functions Syntax
    Input and Output Formats
    Conversion Mode
    Query Examples

General Usage Help
The Log Parser command-line executable usage help is accessed with the following command:
C:\>LogParser -h

Query Language Syntax Help
The Log Parser SQL-Like language syntax help is accessed with the following command:
C:\>LogParser -h GRAMMAR

Functions Syntax Help
The Log Parser SQL-Like language functions syntax help is accessed with commands having the following syntax:
LogParser -h FUNC[TIONS] [ <function> ]
Typing the following command will display the syntax for all the functions available in the Log Parser SQL-Like language:
C:\>LogParser -h FUNCTIONS
Typing a function name following the help command displays the syntax of the selected function only:
C:\>LogParser -h FUNCTIONS SUBSTR
Typing the first few letters of a function name displays the syntax of all the functions whose name starts with the specified letters:
C:\>LogParser -h FUNCTIONS STR

Input and Output Formats Help
Input and output formats help is displayed with commands having the following syntax:
LogParser -h -i:<input_format> [ <from_entity> ] [ <input_format_options> ]
LogParser -h -o:<output_format>
For example, the following command displays help on the IISW3C input format:
C:\>LogParser -h -i:IISW3C
The output of this command gives a detailed overview of the IISW3C input format, including the syntax of the <from_entity>, a list of all the supported properties together with their default values, the structure of the records produced by the input format (field names and types), and examples of queries using the input format.
When an input format retrieves field information from the data that needs to be parsed, the help command can include the from-entity from which the field information is to be gathered.
For example, the CSV input format examines the input files to retrieve the names and types of the input record fields that will be exported. A help command aimed at displaying the input record fields exported by the CSV input format when parsing a specific file should include the file name from-entity, as shown in the following example:
C:\>LogParser -h -i:CSV TestLogFile.csv
In addition, since the parameters of some input formats can affect the structure of the input records, help commands can include these parameters to display the varying input record structures.
For example, the NETMON input format has a "fMode" parameter that can be used to specify how the input records should be structured. A help command aimed at displaying the input record fields exported by the NETMON input format when the "fMode" parameter is set to "TCPConn" should include this parameter, as shown in the following example:
C:\>LogParser -h -i:NETMON -fMode:TCPConn

Conversion Mode Help
Conversion mode help is accessed with commands having the following syntax:
LogParser -h -c [ -i:<input_format> -o:<output_format> ]
The following command displays general conversion mode help, including the list of available built-in conversion queries:
C:\>LogParser -h -c
The following command displays help on the conversion between the specified log file formats, including the full text of the built-in query that performs the conversion:
C:\>LogParser -h -c -i:BIN -o:W3C

Query Examples Help
Examples of queries and commands can be displayed with the following command:
C:\>LogParser -h EXAMPLES

See also:
    Command-Line Operation Reference

Global Switches
Global switches control overall behaviors of a command, and they are used with most of the Log Parser command-line executable operational modes.
The global switches are:
    -e:<max_errors>
    -iw[:ON|OFF]
    -stats[:ON|OFF]
    -q[:ON|OFF]

-e:<max_errors>
Specifies a maximum number of parse errors to collect internally before aborting the execution of the command.
The default value for this global switch is -1, which is a special value causing the SQL engine to ignore all parse errors and report only the total number of parse errors encountered during the execution of the command.
The following example command sets the maximum number of parse errors to 100:
C:\>LogParser "SELECT Message FROM System" -e:100
For more information on parse errors and the "-e" switch, see Errors, Parse Errors, and Warnings.

-iw[:ON|OFF]
Specifies whether or not warnings should be ignored.
The default value is "OFF", meaning that runtime warnings will not be ignored and will trigger an interactive prompt to the user. Specifying "ON", on the other hand, disables the interactive prompt, and runtime warnings will be ignored and their total count will be reported when the command execution has completed.
The following example command executes a query ignoring runtime warnings:
C:\>LogParser "SELECT Message FROM System" -iw:ON
For more information on warnings and the "-iw" switch, see Errors, Parse Errors, and Warnings.

-stats[:ON|OFF]
Specifies whether or not command execution statistics should be displayed when the command execution has completed.
The default value is "ON", causing command execution statistics to be always displayed. Specifying "OFF" prevents the statistics from being displayed.
The following example command executes a query preventing the statistics from being displayed:
C:\>LogParser "SELECT COUNT(*) FROM System" -stats:OFF

-q[:ON|OFF]
Enables or disables "quiet mode".
When "quiet mode" is enabled, the console output of a command contains only the output records, suppressing any additional information. For this reason, the console output of a command executed in "quiet mode" is suitable to be redirected to a text file.
Enabling "quiet mode" disables the display of parse errors, warnings, and statistics. In addition, if the selected output format is the NAT output format, its "rtp" and "headers" parameters are automatically set as follows:
    -rtp:-1
    -headers:OFF
As an example, the output of the following command shows the extra information and the NAT output format headers that are normally displayed to the console:
C:\>LogParser "SELECT COUNT(*) FROM System"
COUNT(ALL *)
------------
6913

Statistics:
-----------
Elements processed: 6913
Elements output:    1
Execution time:     0.13 seconds

In this example, enabling "quiet mode" suppresses the headers displayed by the NAT output format and the query execution statistics, and the output would look like the following:
C:\>LogParser "SELECT COUNT(*) FROM System" -q:ON
6913

See also:
    Command-Line Operation Reference
    Errors, Parse Errors, and Warnings

COM API
The Log Parser scriptable COM components architecture is made up of the following objects:
    LogQuery object: this object is the main COM object in the Log Parser scriptable COM components architecture; it exposes methods to execute SQL-Like queries and provides access to global parameters controlling the execution of a query.
    LogRecordSet object: this object is an enumerator of LogRecord objects; it allows an application to navigate through the output records of a query.
    LogRecord object: this object represents a single query output record, and it exposes methods that can be used to retrieve individual field values from the output record.
    Input Format objects: these objects provide programmatic access to the input formats supported by Log Parser; each input format object exposes properties having the same name as the parameters of the corresponding Log Parser input format.
    Output Format objects: these objects provide programmatic access to the output formats supported by Log Parser; each output format object exposes properties having the same name as the parameters of the corresponding Log Parser output format.

See also:
    Log Parser COM API Overview
    C# Example

LogQuery Object
The LogQuery object exposes the main API methods that execute a SQL-Like query and provides access to global parameters controlling the execution of a query.
The object is instantiated with the "MSUtil.LogQuery" ProgId.
The class name of the .NET COM wrapper for this object is "Interop.MSUtil.LogQueryClassClass".

Methods
    Execute               Executes a query and returns a LogRecordSet object that can be used to navigate through the query output records.
    ExecuteBatch          Executes a query and writes the query output records to an output format.

Properties
    errorMessages         Returns a collection of the error, parse error, and warning messages that occurred during the execution of a query.
    inputUnitsProcessed   Returns the total number of input records processed during the execution of a query.
    lastError             Returns -1 if errors, parse errors, or warnings occurred during the execution of the query; 0 otherwise.
    maxParseErrors        Sets and gets the maximum number of parse errors that can occur during the execution of a query before aborting the query execution.
    outputUnitsProcessed  Returns the total number of output records sent to an output format during the execution of a query.
    versionMaj            Returns the "major" component of the version of the Log Parser scriptable COM components.
    versionMin            Returns the "minor" component of the version of the Log Parser scriptable COM components.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

VBScript example:
Dim oLogQuery
Set oLogQuery = CreateObject("MSUtil.LogQuery")

See also:
    LogRecordSet Object
    Input Format Objects
    Output Format Objects
    Log Parser COM API Overview
    C# Example

Execute Method
Executes a query and returns a LogRecordSet object that can be used to navigate through the query output records.

Script Syntax
objRecordSet = objLogQuery.Execute(strQuery [, objInputFormat ]);

Parameters
strQuery
    A string containing the text of the SQL-Like query to be executed.
objInputFormat
    Either an Input Format object or a Custom Input Format Plugin object. If this parameter is not specified, or is null, Log Parser will attempt to select automatically an input format upon inspection of the <from-entity> in the FROM clause of the specified query.

Return Value
A LogRecordSet object, which can be used to navigate through the query output records.

Remarks
    If the query execution encounters errors, an exception is thrown containing the error message and code, and the query execution is aborted. In this case, the lastError property of the LogQuery object is set to -1, and the collection of strings returned by the errorMessages property contains the error message.
    If the query execution encounters parse errors or warnings, the query executes successfully, and the method returns a LogRecordSet object. In this case, the lastError property of the LogQuery object is set to -1, and the collection of strings returned by the errorMessages property contains the parse error messages and/or warning messages.
    A successful execution of the Execute method does not necessarily mean that the query execution has completed. Depending on the query structure, navigating the query output records with the LogRecordSet object can cause the query to further process new input records, which could in turn generate additional errors, parse errors, or warnings. See the LogRecordSet Object Reference for more information.
    The specified query cannot contain an INTO clause.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create Input Format object
var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

// Create query text
var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

// Visit all records
while( !oRecordSet.atEnd() )
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Get first field value
    var strClientIp = oRecord.getValue(0);

    // Print field value
    WScript.Echo("Client IP Address: " + strClientIp);

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:
Dim oLogQuery
Dim oIISW3CInputFormat
Dim strQuery
Dim oRecordSet
Dim oRecord
Dim strClientIp

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create Input Format object
Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Create query text
strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Get first field value
    strClientIp = oRecord.getValue(0)

    ' Print field value
    WScript.Echo "Client IP Address: " & strClientIp

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also:
    LogQuery Object
    ExecuteBatch Method
    LogRecordSet Object
    Input Format Objects
    Log Parser COM API Overview
    C# Example

ExecuteBatch Method
Executes a query and writes the output records to an output format.

Script Syntax
bResult = objLogQuery.ExecuteBatch(strQuery [, objInputFormat [, objOutputFormat ] ]);

Parameters
strQuery
    A string containing the text of the SQL-Like query to be executed.
objInputFormat
    Either an Input Format object or a Custom Input Format Plugin object. If this parameter is not specified, or is null, Log Parser will attempt to select automatically an input format upon inspection of the <from-entity> in the FROM clause of the specified query.
objOutputFormat
    An Output Format object. If this parameter is not specified, or is null, Log Parser will attempt to select automatically an output format upon inspection of the <into-entity> in the INTO clause of the specified query.

Return Value
A boolean value. Returns TRUE if the query executed with parse errors or warnings; FALSE if the query executed without any parse error nor warning.

Remarks
    If the query execution encounters errors, an exception is thrown containing the error message and code, and the query execution is aborted. In this case, the lastError property of the LogQuery object is set to -1, and the collection of strings returned by the errorMessages property contains the error message.
    If the query execution encounters parse errors or warnings, the query executes successfully, and the method returns TRUE. In this case, the lastError property of the LogQuery object is set to -1, and the collection of strings returned by the errorMessages property contains the parse error messages and/or warning messages.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create Input Format object
var oEVTInputFormat = new ActiveXObject("MSUtil.LogQuery.EventLogInputFormat");
oEVTInputFormat.direction = "BW";

// Create Output Format object
var oCSVOutputFormat = new ActiveXObject("MSUtil.LogQuery.CSVOutputFormat");
oCSVOutputFormat.tabs = true;

// Create query text
var strQuery = "SELECT TimeGenerated, EventID INTO C:\\output.csv FROM System";
strQuery += " WHERE SourceName = 'Application Popup'";

// Execute query
oLogQuery.ExecuteBatch(strQuery, oEVTInputFormat, oCSVOutputFormat);

VBScript example:
Dim oLogQuery
Dim oEVTInputFormat
Dim oCSVOutputFormat
Dim strQuery

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create Input Format object
Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
oEVTInputFormat.direction = "BW"

' Create Output Format object
Set oCSVOutputFormat = CreateObject("MSUtil.LogQuery.CSVOutputFormat")
oCSVOutputFormat.tabs = TRUE

' Create query text
strQuery = "SELECT TimeGenerated, EventID INTO C:\output.csv FROM System"
strQuery = strQuery & " WHERE SourceName = 'Application Popup'"

' Execute query
oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oCSVOutputFormat

See also:
    LogQuery Object
    Execute Method
    Input Format Objects
    Output Format Objects
    Log Parser COM API Overview
    C# Example

errorMessages Property
Returns a collection of strings containing the messages of errors, parse errors, or warnings encountered while executing a query with the Execute or ExecuteBatch methods.
Read-only property.

Script Syntax
value = objLogQuery.errorMessages;

Return Value
A collection of Strings containing error messages.

Remarks
    The object returned by the errorMessages property implements a single read-only _NewEnum property. The _NewEnum property retrieves an IEnumVARIANT interface on an object that can be used to enumerate the collection.
    The _NewEnum property is hidden within scripting languages (JScript and VBScript). Applications written in the JScript language handle objects implementing the _NewEnum property as Enumerator objects or with the for...in statement, while applications written in the VBScript language handle objects implementing the _NewEnum property with the For Each...Next statement.
    If you want to retrieve parse error messages, make sure that the maxParseErrors property of the LogQuery object is set to a value different than -1. If the value of this property is -1 (the default value), the parse error messages will be discarded, and the errorMessages collection will contain a single message stating the total number of parse errors that occurred.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Make sure that parse error messages are collected
oLogQuery.maxParseErrors = 100;

// Create query text
var strQuery = "SELECT sc-bytes INTO C:\\output.csv FROM ex040528.log";

// Execute query
oLogQuery.ExecuteBatch(strQuery);

// Check if errors occurred
if( oLogQuery.lastError != 0 )
{
    WScript.Echo("Errors occurred!");

    var oMessages = new Enumerator( oLogQuery.errorMessages );
    for(; !oMessages.atEnd(); oMessages.moveNext())
    {
        WScript.Echo("Error message: " + oMessages.item());
    }
}
else
{
    WScript.Echo("Executed successfully!");
}

VBScript example:
Dim oLogQuery
Dim strQuery

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Make sure that parse error messages are collected
oLogQuery.maxParseErrors = 100

' Create query text
strQuery = "SELECT sc-bytes INTO C:\output.csv FROM ex040528.log"

' Execute query
oLogQuery.ExecuteBatch strQuery

' Check if errors occurred
If oLogQuery.lastError <> 0 Then

    WScript.Echo "Errors occurred!"

    For Each strMessage In oLogQuery.errorMessages
        WScript.Echo "Error Message: " + strMessage
    Next

Else

    WScript.Echo "Executed successfully!"

End If

See also:
    LogQuery Object
    Log Parser COM API Overview
    C# Example

inputUnitsProcessed Property
Returns the total number of input records processed by a query executed with the ExecuteBatch method.
Read-only property.

Script Syntax
value = objLogQuery.inputUnitsProcessed;

Return Value
An integer value containing the total number of input records processed by the last query executed with the ExecuteBatch method.

Remarks
When a query is executed with the Execute method, this property returns zero. In these cases, use the inputUnitsProcessed property of the LogRecordSet object.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT TimeGenerated, EventID INTO C:\\output.csv FROM System";
strQuery += " WHERE SourceName = 'Application Popup'";

// Execute query
oLogQuery.ExecuteBatch(strQuery);

// Display total number of input records processed
WScript.Echo("Input Records Processed: " + oLogQuery.inputUnitsProcessed);

VBScript example:
Dim oLogQuery
Dim strQuery

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT TimeGenerated, EventID INTO C:\output.csv FROM System"
strQuery = strQuery & " WHERE SourceName = 'Application Popup'"

' Execute query
oLogQuery.ExecuteBatch strQuery

' Display total number of input records processed
WScript.Echo "Input Records Processed: " & oLogQuery.inputUnitsProcessed

See also:
    LogQuery Object
    ExecuteBatch Method
    outputUnitsProcessed Property
    Log Parser COM API Overview
    C# Example

lastError Property
Returns -1 if the Execute or ExecuteBatch methods encountered errors, parse errors, or warnings; 0 otherwise.
Read-only property.

Script Syntax
value = objLogQuery.lastError;

Return Value
An integer value containing -1 if the Execute or ExecuteBatch methods encountered errors, parse errors, or warnings; 0 otherwise.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT TimeGenerated, EventID INTO C:\\output.csv FROM System";
strQuery += " WHERE SourceName = 'Application Popup'";

// Execute query
oLogQuery.ExecuteBatch(strQuery);

// Check if errors occurred
if( oLogQuery.lastError != 0 )
{
    WScript.Echo("Errors occurred!");
}
else
{
    WScript.Echo("Executed successfully!");
}

VBScript example:
Dim oLogQuery
Dim strQuery

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT TimeGenerated, EventID INTO C:\output.csv FROM System"
strQuery = strQuery & " WHERE SourceName = 'Application Popup'"

' Execute query
oLogQuery.ExecuteBatch strQuery

' Check if errors occurred
If oLogQuery.lastError <> 0 Then
    WScript.Echo "Errors occurred!"
Else
    WScript.Echo "Executed successfully!"
End If

See also:
    LogQuery Object
    Log Parser COM API Overview
    C# Example

maxParseErrors Property
Sets or gets the maximum number of parse errors that can occur during the execution of a query before aborting the query execution.
Read/write property.

Script Syntax
objLogQuery.maxParseErrors = value;
value = objLogQuery.maxParseErrors;

Argument/Return Value
An integer value specifying the maximum number of parse errors that can occur during the execution of a query before aborting the query execution. A value of -1 specifies that all parse errors should be ignored.

Default Value
-1

Remarks
This property is analogous to the "-e" global switch available with the Log Parser command-line executable.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");
oLogQuery.maxParseErrors = 10;

VBScript example:
Dim oLogQuery
Set oLogQuery = CreateObject("MSUtil.LogQuery")
oLogQuery.maxParseErrors = 10

See also:
    LogQuery Object
    Log Parser COM API Overview
    C# Example

outputUnitsProcessed Property
Returns the total number of output records sent to an output format by a query executed with the ExecuteBatch method.
Read-only property.

Script Syntax
value = objLogQuery.outputUnitsProcessed;

Return Value
An integer value containing the total number of output records sent to an output format by the last query executed with the ExecuteBatch method.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT TimeGenerated, EventID INTO C:\\output.csv FROM System";
strQuery += " WHERE SourceName = 'Application Popup'";

// Execute query
oLogQuery.ExecuteBatch(strQuery);

// Display total number of output records generated
WScript.Echo("Output Records Written: " + oLogQuery.outputUnitsProcessed);

VBScript example:
Dim oLogQuery
Dim strQuery

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT TimeGenerated, EventID INTO C:\output.csv FROM System"
strQuery = strQuery & " WHERE SourceName = 'Application Popup'"

' Execute query
oLogQuery.ExecuteBatch strQuery

' Display total number of output records generated
WScript.Echo "Output Records Written: " & oLogQuery.outputUnitsProcessed

See also:
    LogQuery Object
    ExecuteBatch Method
    inputUnitsProcessed Property
    Log Parser COM API Overview
    C# Example

versionMaj Property
versionMin Property
Return the major and minor components of the version of the Log Parser scriptable COM components currently being used.
Read-only properties.

Script Syntax
value = objLogQuery.versionMaj;
value = objLogQuery.versionMin;

Return Values
Integer values containing the major and minor components of the version of the Log Parser scriptable COM components currently being used.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");
WScript.Echo("Log Parser Version " + oLogQuery.versionMaj + "." + oLogQuery.versionMin);

VBScript example:
Dim oLogQuery
Set oLogQuery = CreateObject("MSUtil.LogQuery")
WScript.Echo "Log Parser Version " & oLogQuery.versionMaj & "." & oLogQuery.versionMin

See also:
    LogQuery Object
    Log Parser COM API Overview
    C# Example

LogRecordSet Object
The LogRecordSet object is returned by the Execute method of the LogQuery object, and it exposes methods that can be used to navigate through the output records of a query.
The LogRecordSet object is an enumerator of LogRecord objects.
The interface name of the .NET COM wrapper for this object is "Interop.MSUtil.ILogRecordset".

Methods
    atEnd                 Returns a Boolean value indicating if the enumerator is at the end of the collection.
    close                 Releases the enumeration and all the associated resources.
    getColumnCount        Returns the number of fields in the query output records.
    getColumnName         Returns the name of a field in the query output records.
    getColumnType         Returns the data type of a field in the query output records.
    getRecord             Returns the current LogRecord object in the enumeration.
    moveNext              Advances the enumerator to the next LogRecord in the enumeration.

Properties
    errorMessages         Returns a collection of the error, parse error, and warning messages that occurred during the last invocation of the moveNext method.
    inputUnitsProcessed   Returns the total number of input records processed during the execution of a query.
    lastError             Returns -1 if errors, parse errors, or warnings occurred during the last invocation of the moveNext method; 0 otherwise.
    INTEGER_TYPE          Returns the value of the constant representing the INTEGER data type.
    NULL_TYPE             Returns the value of the constant representing the NULL data type.
    REAL_TYPE             Returns the value of the constant representing the REAL data type.
    STRING_TYPE           Returns the value of the constant representing the STRING data type.
    TIMESTAMP_TYPE        Returns the value of the constant representing the TIMESTAMP data type.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");
var oLogRecordSet = oLogQuery.Execute("SELECT * FROM System");

VBScript example:
Dim oLogQuery
Dim oLogRecordSet

Set oLogQuery = CreateObject("MSUtil.LogQuery")
Set oLogRecordSet = oLogQuery.Execute("SELECT * FROM System")

See also:
    LogQuery Object
    LogRecord Object
    Log Parser COM API Overview
    C# Example
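
The following added example (not part of the original Log Parser documentation) combines the Execute method remarks with the lastError and errorMessages properties of the LogRecordSet object: it checks for parse errors and warnings after Execute and again after every moveNext call, so that log lines that failed to parse are reported instead of being silently left out of the counts. The query text, the reuse of the ex040528.log file name, the Scripting.Dictionary tally, and the exit codes are assumptions made for illustration.

```vbscript
Option Explicit

Dim oLogQuery, oInputFormat, oRecordSet, oRecord, oCounts
Dim strQuery, strMessage, strClientIp, vValue
Dim nRecords, bIncomplete

Set oLogQuery = CreateObject("MSUtil.LogQuery")
Set oInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")
Set oCounts = CreateObject("Scripting.Dictionary")

' With the default of -1 the individual parse error messages are discarded;
' any other value makes them available through errorMessages.
oLogQuery.maxParseErrors = 100

' Assumed query: one output record per log line, client IP in field 0.
strQuery = "SELECT c-ip FROM ex040528.log"

' Errors abort Execute with an exception; trap it and show the messages.
On Error Resume Next
Set oRecordSet = oLogQuery.Execute(strQuery, oInputFormat)
If Err.Number <> 0 Then
    WScript.Echo "Query aborted: " & Err.Description
    For Each strMessage In oLogQuery.errorMessages
        WScript.Echo "  " & strMessage
    Next
    WScript.Quit 1
End If
On Error GoTo 0

' Parse errors and warnings do not abort Execute; lastError reports them.
bIncomplete = False
If oLogQuery.lastError <> 0 Then
    bIncomplete = True
    For Each strMessage In oLogQuery.errorMessages
        WScript.Echo "During Execute: " & strMessage
    Next
End If

nRecords = 0
Do While Not oRecordSet.atEnd

    Set oRecord = oRecordSet.getRecord
    nRecords = nRecords + 1

    ' Tally requests per client IP; a NULL field is counted under "(null)".
    vValue = oRecord.getValue(0)
    If IsNull(vValue) Then
        strClientIp = "(null)"
    Else
        strClientIp = CStr(vValue)
    End If
    oCounts(strClientIp) = oCounts(strClientIp) + 1

    ' moveNext can make the query process further input records, so the
    ' record set's own lastError must be checked after every call.
    ' An exception raised here is left unhandled on purpose: the script
    ' stops instead of printing a partial tally as if it were complete.
    oRecordSet.moveNext
    If oRecordSet.lastError <> 0 Then
        bIncomplete = True
        For Each strMessage In oRecordSet.errorMessages
            WScript.Echo "After record " & nRecords & ": " & strMessage
        Next
    End If

Loop

For Each strClientIp In oCounts.Keys
    WScript.Echo strClientIp & vbTab & oCounts(strClientIp)
Next

WScript.Echo "Output records read: " & nRecords
WScript.Echo "Input records processed: " & oRecordSet.inputUnitsProcessed

oRecordSet.close

' Assumed convention: exit code 2 tells a calling job that some input
' could not be parsed and the tally may be missing requests.
If bIncomplete Then
    WScript.Echo "WARNING: parse errors or warnings occurred; results may be incomplete."
    WScript.Quit 2
End If
```

Run it with cscript.exe from the directory that holds the log file, and treat a non-zero exit code as a reason to inspect the reported lines before relying on the counts.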

atEnd Method
Returns a Boolean value indicating if the enumerator is at the end of the collection.

Script Syntax
value = objRecordSet.atEnd();

Return Value
A Boolean value set to TRUE if there are no more LogRecord objects to enumerate; FALSE otherwise.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create Input Format object
var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

// Create query text
var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

// Visit all records
while( !oRecordSet.atEnd() )
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Get first field value
    var strClientIp = oRecord.getValue(0);

    // Print field value
    WScript.Echo("Client IP Address: " + strClientIp);

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:
Dim oLogQuery
Dim oIISW3CInputFormat
Dim strQuery
Dim oRecordSet
Dim oRecord
Dim strClientIp

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create Input Format object
Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Create query text
strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Get first field value
    strClientIp = oRecord.getValue(0)

    ' Print field value
    WScript.Echo "Client IP Address: " & strClientIp

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also:
    LogRecordSet Object
    LogRecord Object
    Log Parser COM API Overview
    C# Example

close Method
Releases the enumeration and all the associated resources.

Script Syntax
objRecordSet.close();

Return Value
None.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create Input Format object
var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

// Create query text
var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

// Visit all records
while( !oRecordSet.atEnd() )
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Get first field value
    var strClientIp = oRecord.getValue(0);

    // Print field value
    WScript.Echo("Client IP Address: " + strClientIp);

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:
Dim oLogQuery
Dim oIISW3CInputFormat
Dim strQuery
Dim oRecordSet
Dim oRecord
Dim strClientIp

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create Input Format object
Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Create query text
strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Get first field value
    strClientIp = oRecord.getValue(0)

    ' Print field value
    WScript.Echo "Client IP Address: " & strClientIp

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also:
    LogRecordSet Object
    LogRecord Object
    Log Parser COM API Overview
    C# Example

getColumnCount Method
Returns the number of fields in the query output records.

Script Syntax
value = objRecordSet.getColumnCount();

Return Value
An integer value containing the number of fields in the query output records.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Display field names and types
for(var f = 0; f < oRecordSet.getColumnCount(); f++)
{
    // Field Name
    WScript.Echo("Field Name: " + oRecordSet.getColumnName(f));

    // Field type
    switch( oRecordSet.getColumnType(f) )
    {
        case oRecordSet.INTEGER_TYPE:
        {
            WScript.Echo("Field Type: INTEGER");
            break;
        }
        case oRecordSet.REAL_TYPE:
        {
            WScript.Echo("Field Type: REAL");
            break;
        }
        case oRecordSet.STRING_TYPE:
        {
            WScript.Echo("Field Type: STRING");
            break;
        }
        case oRecordSet.TIMESTAMP_TYPE:
        {
            WScript.Echo("Field Type: TIMESTAMP");
            break;
        }
        case oRecordSet.NULL_TYPE:
        {
            WScript.Echo("Field Type: NULL");
            break;
        }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:
Dim oLogQuery
Dim oRecordSet
Dim f

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Display field names and types
For f = 0 To oRecordSet.getColumnCount()-1

    ' Field Name
    WScript.Echo "Field Name: " & oRecordSet.getColumnName(f)

    ' Field type
    Select Case oRecordSet.getColumnType(f)
        Case oRecordSet.INTEGER_TYPE
            WScript.Echo "Field Type: INTEGER"
        Case oRecordSet.REAL_TYPE
            WScript.Echo "Field Type: REAL"
        Case oRecordSet.STRING_TYPE
            WScript.Echo "Field Type: STRING"
        Case oRecordSet.TIMESTAMP_TYPE
            WScript.Echo "Field Type: TIMESTAMP"
        Case oRecordSet.NULL_TYPE
            WScript.Echo "Field Type: NULL"
    End Select

Next

' Close LogRecordSet
oRecordSet.close()

See also:
    LogRecordSet Object
    Log Parser COM API Overview
    C# Example

getColumnName Method
Returns the name of a field in the query output records.

Script Syntax
value = objRecordSet.getColumnName(index);

Parameters
index
    The 0-based index of the field in the query output records. The index must be less than the number of fields returned by the getColumnCount method.

Return Value
A string value containing the name of the output record field at the specified position.

Examples
JScript example:
var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Display field names and types
for(var f = 0; f < oRecordSet.getColumnCount(); f++)
{
    // Field Name
    WScript.Echo("Field Name: " + oRecordSet.getColumnName(f));

    // Field type
    switch( oRecordSet.getColumnType(f) )
    {
        case oRecordSet.INTEGER_TYPE:
        {
            WScript.Echo("Field Type: INTEGER");
            break;
        }
        case oRecordSet.REAL_TYPE:
        {
            WScript.Echo("Field Type: REAL");
            break;
        }
        case oRecordSet.STRING_TYPE:
        {
            WScript.Echo("Field Type: STRING");
            break;
        }
        case oRecordSet.TIMESTAMP_TYPE:
        {
            WScript.Echo("Field Type: TIMESTAMP");
            break;
        }
        case oRecordSet.NULL_TYPE:
        {
            WScript.Echo("Field Type: NULL");
            break;
        }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:
Dim oLogQuery
Dim oRecordSet
Dim f

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Display field names and types
For f = 0 To oRecordSet.getColumnCount()-1

    ' Field Name
    WScript.Echo "Field Name: " & oRecordSet.getColumnName(f)

    ' Field type
    Select Case oRecordSet.getColumnType(f)
        Case oRecordSet.INTEGER_TYPE
            WScript.Echo "Field Type: INTEGER"
        Case oRecordSet.REAL_TYPE
            WScript.Echo "Field Type: REAL"
        Case oRecordSet.STRING_TYPE
            WScript.Echo "Field Type: STRING"
        Case oRecordSet.TIMESTAMP_TYPE
            WScript.Echo "Field Type: TIMESTAMP"
        Case oRecordSet.NULL_TYPE
            WScript.Echo "Field Type: NULL"
    End Select

Next

' Close LogRecordSet
oRecordSet.close()

See also:
    LogRecordSet Object
    Log Parser COM API Overview
    C# Example
Page 561
getColumnType Method
Returns the type of a field in the query output records.

Script Syntax
value = objRecordSet.getColumnType(index);

Parameters
index
    The 0-based index of the field in the query output records. The index must be less than the number of fields returned by the getColumnCount method.

Return Value
An integer value containing the type of the output record field at the specified position. This value is one of the constants returned by the INTEGER_TYPE, REAL_TYPE, STRING_TYPE, TIMESTAMP_TYPE, and NULL_TYPE properties.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Display field names and types
for(var f = 0; f < oRecordSet.getColumnCount(); f++)
{
    // Field Name
    WScript.Echo("Field Name: " + oRecordSet.getColumnName(f));

    // Field type
    switch(oRecordSet.getColumnType(f))
    {
        case oRecordSet.INTEGER_TYPE:   { WScript.Echo("Field Type: INTEGER"); break; }
        case oRecordSet.REAL_TYPE:      { WScript.Echo("Field Type: REAL"); break; }
        case oRecordSet.STRING_TYPE:    { WScript.Echo("Field Type: STRING"); break; }
        case oRecordSet.TIMESTAMP_TYPE: { WScript.Echo("Field Type: TIMESTAMP"); break; }
        case oRecordSet.NULL_TYPE:      { WScript.Echo("Field Type: NULL"); break; }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim f

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Display field names and types
For f = 0 To oRecordSet.getColumnCount() - 1

    ' Field Name
    WScript.Echo "Field Name: " & oRecordSet.getColumnName(f)

    ' Field type
    Select Case oRecordSet.getColumnType(f)
        Case oRecordSet.INTEGER_TYPE
            WScript.Echo "Field Type: INTEGER"
        Case oRecordSet.REAL_TYPE
            WScript.Echo "Field Type: REAL"
        Case oRecordSet.STRING_TYPE
            WScript.Echo "Field Type: STRING"
        Case oRecordSet.TIMESTAMP_TYPE
            WScript.Echo "Field Type: TIMESTAMP"
        Case oRecordSet.NULL_TYPE
            WScript.Echo "Field Type: NULL"
    End Select

Next

' Close LogRecordSet
oRecordSet.close()

See also: LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 564
getRecord Method
Returns the current LogRecord object in the enumeration.

Script Syntax
objRecord = objRecordSet.getRecord();

Return Value
The current LogRecord object in the enumeration.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create Input Format object
var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

// Create query text
var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

// Visit all records
while(!oRecordSet.atEnd())
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Get first field value
    var strClientIp = oRecord.getValue(0);

    // Print field value
    WScript.Echo("Client IP Address: " + strClientIp);

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oIISW3CInputFormat
Dim strQuery
Dim oRecordSet
Dim oRecord
Dim strClientIp

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create Input Format object
Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Create query text
strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Get first field value
    strClientIp = oRecord.getValue(0)

    ' Print field value
    WScript.Echo "Client IP Address: " & strClientIp

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also: LogRecordSet Object, LogRecord Object, Log Parser COM API Overview, C# Example
Page 566
moveNext Method
Advances the enumerator to the next LogRecord in the enumeration.

Script Syntax
objRecordSet.moveNext();

Return Value
None.

Remarks
Depending on the query structure, calling the moveNext method can cause the query to further process new input records, which could in turn generate additional errors, parse errors, or warnings.

If the moveNext method encounters errors, an exception is thrown containing the error message and code, and further processing is aborted. In this case, the lastError property of the LogRecordSet object is set to -1, and the collection of strings returned by the errorMessages property contains the error message.

If the moveNext method encounters parse errors or warnings, the enumerator is advanced successfully, and the lastError property of the LogRecordSet object is set to -1. In this case, the collection of strings returned by the errorMessages property contains the parse error messages and/or warning messages.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create Input Format object
var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

// Create query text
var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

// Visit all records
while(!oRecordSet.atEnd())
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Get first field value
    var strClientIp = oRecord.getValue(0);

    // Print field value
    WScript.Echo("Client IP Address: " + strClientIp);

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oIISW3CInputFormat
Dim strQuery
Dim oRecordSet
Dim oRecord
Dim strClientIp

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create Input Format object
Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Create query text
strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Get first field value
    strClientIp = oRecord.getValue(0)

    ' Print field value
    WScript.Echo "Client IP Address: " & strClientIp

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also: LogRecordSet Object, LogRecord Object, Log Parser COM API Overview, C# Example
Page 569
errorMessages Property
Returns a collection of strings containing the messages of errors, parse errors, or warnings that occurred during the last invocation of the moveNext method.
Read-only property.

Script Syntax
value = objLogRecordSet.errorMessages;

Return Value
A collection of Strings containing error messages.

Remarks
The object returned by the errorMessages property implements a single read-only _NewEnum property. The _NewEnum property retrieves an IEnumVARIANT interface on an object that can be used to enumerate the collection.

The _NewEnum property is hidden within scripting languages (JScript and VBScript). Applications written in the JScript language handle objects implementing the _NewEnum property as Enumerator objects or with the for...in statement, while applications written in the VBScript language handle objects implementing the _NewEnum property with the For Each...Next statement.

If you want to retrieve parse error messages, make sure that the maxParseErrors property of the LogQuery object is set to a value different than -1. If the value of this property is -1 (the default value), the parse error messages will be discarded, and the errorMessages collection will contain a single message stating the total number of parse errors occurred.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Make sure that parse error messages are collected
oLogQuery.maxParseErrors = 100;

// Create Input Format object
var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

// Create query text
var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

// Check if errors occurred
if(oLogQuery.lastError != 0)
{
    WScript.Echo("Errors occurred!");

    var oMessages = new Enumerator(oLogQuery.errorMessages);
    for(; !oMessages.atEnd(); oMessages.moveNext())
    {
        WScript.Echo("Error message: " + oMessages.item());
    }
}

// Visit all records
while(!oRecordSet.atEnd())
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Get first field value
    var strClientIp = oRecord.getValue(0);

    // Print field value
    WScript.Echo("Client IP Address: " + strClientIp);

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();

    // Check if errors occurred
    if(oRecordSet.lastError != 0)
    {
        WScript.Echo("Errors occurred!");

        var oMessages = new Enumerator(oRecordSet.errorMessages);
        for(; !oMessages.atEnd(); oMessages.moveNext())
        {
            WScript.Echo("Error message: " + oMessages.item());
        }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oIISW3CInputFormat
Dim strQuery
Dim oRecordSet
Dim oRecord
Dim strClientIp

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Make sure that parse error messages are collected
oLogQuery.maxParseErrors = 100

' Create Input Format object
Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Create query text
strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

' Check if errors occurred
If oLogQuery.lastError <> 0 Then

    WScript.Echo "Errors occurred!"

    For Each strMessage In oLogQuery.errorMessages
        WScript.Echo "Error Message: " + strMessage
    Next

End If

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Get first field value
    strClientIp = oRecord.getValue(0)

    ' Print field value
    WScript.Echo "Client IP Address: " & strClientIp

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

    ' Check if errors occurred
    If oRecordSet.lastError <> 0 Then

        WScript.Echo "Errors occurred!"

        For Each strMessage In oRecordSet.errorMessages
            WScript.Echo "Error Message: " + strMessage
        Next

    End If

LOOP

' Close RecordSet
oRecordSet.close

See also: LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 572
inputUnitsProcessed Property
Returns the total number of input records processed so far by a query executed with the Execute method.
Read-only property.

Script Syntax
value = objLogRecordSet.inputUnitsProcessed;

Return Value
An integer value containing the total number of input records processed so far by the query that returned the LogRecordSet object.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Visit all records
while(!oRecordSet.atEnd())
{
    // Display number of input records processed so far
    WScript.Echo("Input Records Processed: " + oRecordSet.inputUnitsProcessed);

    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Display total number of input records processed
WScript.Echo("Total Input Records Processed: " + oRecordSet.inputUnitsProcessed);

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim strQuery

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Display number of input records processed so far
    WScript.Echo "Input Records Processed: " & oRecordSet.inputUnitsProcessed

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Display total number of input records processed
WScript.Echo "Total Input Records Processed: " & oRecordSet.inputUnitsProcessed

' Close RecordSet
oRecordSet.close

See also: LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 574
lastError Property
Returns -1 if errors, parse errors, or warnings occurred during the last invocation of the moveNext method; 0 otherwise.
Read-only property.

Script Syntax
value = objRecordSet.lastError;

Return Value
An integer value containing -1 if the last moveNext method invocation encountered errors, parse errors, or warnings; 0 otherwise.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Make sure that parse error messages are collected
oLogQuery.maxParseErrors = 100;

// Create Input Format object
var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

// Create query text
var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

// Check if errors occurred
if(oLogQuery.lastError != 0)
{
    WScript.Echo("Errors occurred!");

    var oMessages = new Enumerator(oLogQuery.errorMessages);
    for(; !oMessages.atEnd(); oMessages.moveNext())
    {
        WScript.Echo("Error message: " + oMessages.item());
    }
}

// Visit all records
while(!oRecordSet.atEnd())
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Get first field value
    var strClientIp = oRecord.getValue(0);

    // Print field value
    WScript.Echo("Client IP Address: " + strClientIp);

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();

    // Check if errors occurred
    if(oRecordSet.lastError != 0)
    {
        WScript.Echo("Errors occurred!");

        var oMessages = new Enumerator(oRecordSet.errorMessages);
        for(; !oMessages.atEnd(); oMessages.moveNext())
        {
            WScript.Echo("Error message: " + oMessages.item());
        }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oIISW3CInputFormat
Dim strQuery
Dim oRecordSet
Dim oRecord
Dim strClientIp

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Make sure that parse error messages are collected
oLogQuery.maxParseErrors = 100

' Create Input Format object
Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Create query text
strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

' Check if errors occurred
If oLogQuery.lastError <> 0 Then

    WScript.Echo "Errors occurred!"

    For Each strMessage In oLogQuery.errorMessages
        WScript.Echo "Error Message: " + strMessage
    Next

End If

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Get first field value
    strClientIp = oRecord.getValue(0)

    ' Print field value
    WScript.Echo "Client IP Address: " & strClientIp

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

    ' Check if errors occurred
    If oRecordSet.lastError <> 0 Then

        WScript.Echo "Errors occurred!"

        For Each strMessage In oRecordSet.errorMessages
            WScript.Echo "Error Message: " + strMessage
        Next

    End If

LOOP

' Close RecordSet
oRecordSet.close

See also: LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 577
INTEGER_TYPE Property
The constant value returned by the getColumnType method to indicate that an output record field contains values of the INTEGER data type.
Read-only property.

Script Syntax
value = objRecordSet.INTEGER_TYPE;

Return Value
An integer value containing the constant that represents the INTEGER data type.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Display field names and types
for(var f = 0; f < oRecordSet.getColumnCount(); f++)
{
    // Field Name
    WScript.Echo("Field Name: " + oRecordSet.getColumnName(f));

    // Field type
    switch(oRecordSet.getColumnType(f))
    {
        case oRecordSet.INTEGER_TYPE:   { WScript.Echo("Field Type: INTEGER"); break; }
        case oRecordSet.REAL_TYPE:      { WScript.Echo("Field Type: REAL"); break; }
        case oRecordSet.STRING_TYPE:    { WScript.Echo("Field Type: STRING"); break; }
        case oRecordSet.TIMESTAMP_TYPE: { WScript.Echo("Field Type: TIMESTAMP"); break; }
        case oRecordSet.NULL_TYPE:      { WScript.Echo("Field Type: NULL"); break; }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim f

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Display field names and types
For f = 0 To oRecordSet.getColumnCount() - 1

    ' Field Name
    WScript.Echo "Field Name: " & oRecordSet.getColumnName(f)

    ' Field type
    Select Case oRecordSet.getColumnType(f)
        Case oRecordSet.INTEGER_TYPE
            WScript.Echo "Field Type: INTEGER"
        Case oRecordSet.REAL_TYPE
            WScript.Echo "Field Type: REAL"
        Case oRecordSet.STRING_TYPE
            WScript.Echo "Field Type: STRING"
        Case oRecordSet.TIMESTAMP_TYPE
            WScript.Echo "Field Type: TIMESTAMP"
        Case oRecordSet.NULL_TYPE
            WScript.Echo "Field Type: NULL"
    End Select

Next

' Close LogRecordSet
oRecordSet.close()

See also: NULL_TYPE Property, REAL_TYPE Property, STRING_TYPE Property, TIMESTAMP_TYPE Property, LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 579
NULL_TYPE Property
The constant value returned by the getColumnType method to indicate that an output record field contains values of the NULL data type.
Read-only property.

Script Syntax
value = objRecordSet.NULL_TYPE;

Return Value
An integer value containing the constant that represents the NULL data type.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Display field names and types
for(var f = 0; f < oRecordSet.getColumnCount(); f++)
{
    // Field Name
    WScript.Echo("Field Name: " + oRecordSet.getColumnName(f));

    // Field type
    switch(oRecordSet.getColumnType(f))
    {
        case oRecordSet.INTEGER_TYPE:   { WScript.Echo("Field Type: INTEGER"); break; }
        case oRecordSet.REAL_TYPE:      { WScript.Echo("Field Type: REAL"); break; }
        case oRecordSet.STRING_TYPE:    { WScript.Echo("Field Type: STRING"); break; }
        case oRecordSet.TIMESTAMP_TYPE: { WScript.Echo("Field Type: TIMESTAMP"); break; }
        case oRecordSet.NULL_TYPE:      { WScript.Echo("Field Type: NULL"); break; }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim f

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Display field names and types
For f = 0 To oRecordSet.getColumnCount() - 1

    ' Field Name
    WScript.Echo "Field Name: " & oRecordSet.getColumnName(f)

    ' Field type
    Select Case oRecordSet.getColumnType(f)
        Case oRecordSet.INTEGER_TYPE
            WScript.Echo "Field Type: INTEGER"
        Case oRecordSet.REAL_TYPE
            WScript.Echo "Field Type: REAL"
        Case oRecordSet.STRING_TYPE
            WScript.Echo "Field Type: STRING"
        Case oRecordSet.TIMESTAMP_TYPE
            WScript.Echo "Field Type: TIMESTAMP"
        Case oRecordSet.NULL_TYPE
            WScript.Echo "Field Type: NULL"
    End Select

Next

' Close LogRecordSet
oRecordSet.close()

See also: INTEGER_TYPE Property, REAL_TYPE Property, STRING_TYPE Property, TIMESTAMP_TYPE Property, LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 581
REAL_TYPE Property
The constant value returned by the getColumnType method to indicate that an output record field contains values of the REAL data type.
Read-only property.

Script Syntax
value = objRecordSet.REAL_TYPE;

Return Value
An integer value containing the constant that represents the REAL data type.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Display field names and types
for(var f = 0; f < oRecordSet.getColumnCount(); f++)
{
    // Field Name
    WScript.Echo("Field Name: " + oRecordSet.getColumnName(f));

    // Field type
    switch(oRecordSet.getColumnType(f))
    {
        case oRecordSet.INTEGER_TYPE:   { WScript.Echo("Field Type: INTEGER"); break; }
        case oRecordSet.REAL_TYPE:      { WScript.Echo("Field Type: REAL"); break; }
        case oRecordSet.STRING_TYPE:    { WScript.Echo("Field Type: STRING"); break; }
        case oRecordSet.TIMESTAMP_TYPE: { WScript.Echo("Field Type: TIMESTAMP"); break; }
        case oRecordSet.NULL_TYPE:      { WScript.Echo("Field Type: NULL"); break; }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim f

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Display field names and types
For f = 0 To oRecordSet.getColumnCount() - 1

    ' Field Name
    WScript.Echo "Field Name: " & oRecordSet.getColumnName(f)

    ' Field type
    Select Case oRecordSet.getColumnType(f)
        Case oRecordSet.INTEGER_TYPE
            WScript.Echo "Field Type: INTEGER"
        Case oRecordSet.REAL_TYPE
            WScript.Echo "Field Type: REAL"
        Case oRecordSet.STRING_TYPE
            WScript.Echo "Field Type: STRING"
        Case oRecordSet.TIMESTAMP_TYPE
            WScript.Echo "Field Type: TIMESTAMP"
        Case oRecordSet.NULL_TYPE
            WScript.Echo "Field Type: NULL"
    End Select

Next

' Close LogRecordSet
oRecordSet.close()

See also: INTEGER_TYPE Property, NULL_TYPE Property, STRING_TYPE Property, TIMESTAMP_TYPE Property, LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 583
STRING_TYPE Property
The constant value returned by the getColumnType method to indicate that an output record field contains values of the STRING data type.
Read-only property.

Script Syntax
value = objRecordSet.STRING_TYPE;

Return Value
An integer value containing the constant that represents the STRING data type.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Display field names and types
for(var f = 0; f < oRecordSet.getColumnCount(); f++)
{
    // Field Name
    WScript.Echo("Field Name: " + oRecordSet.getColumnName(f));

    // Field type
    switch(oRecordSet.getColumnType(f))
    {
        case oRecordSet.INTEGER_TYPE:   { WScript.Echo("Field Type: INTEGER"); break; }
        case oRecordSet.REAL_TYPE:      { WScript.Echo("Field Type: REAL"); break; }
        case oRecordSet.STRING_TYPE:    { WScript.Echo("Field Type: STRING"); break; }
        case oRecordSet.TIMESTAMP_TYPE: { WScript.Echo("Field Type: TIMESTAMP"); break; }
        case oRecordSet.NULL_TYPE:      { WScript.Echo("Field Type: NULL"); break; }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim f

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Display field names and types
For f = 0 To oRecordSet.getColumnCount() - 1

    ' Field Name
    WScript.Echo "Field Name: " & oRecordSet.getColumnName(f)

    ' Field type
    Select Case oRecordSet.getColumnType(f)
        Case oRecordSet.INTEGER_TYPE
            WScript.Echo "Field Type: INTEGER"
        Case oRecordSet.REAL_TYPE
            WScript.Echo "Field Type: REAL"
        Case oRecordSet.STRING_TYPE
            WScript.Echo "Field Type: STRING"
        Case oRecordSet.TIMESTAMP_TYPE
            WScript.Echo "Field Type: TIMESTAMP"
        Case oRecordSet.NULL_TYPE
            WScript.Echo "Field Type: NULL"
    End Select

Next

' Close LogRecordSet
oRecordSet.close()

See also: INTEGER_TYPE Property, NULL_TYPE Property, REAL_TYPE Property, TIMESTAMP_TYPE Property, LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 585
TIMESTAMP_TYPE Property
The constant value returned by the getColumnType method to indicate that an output record field contains values of the TIMESTAMP data type.
Read-only property.

Script Syntax
value = objRecordSet.TIMESTAMP_TYPE;

Return Value
An integer value containing the constant that represents the TIMESTAMP data type.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Display field names and types
for(var f = 0; f < oRecordSet.getColumnCount(); f++)
{
    // Field Name
    WScript.Echo("Field Name: " + oRecordSet.getColumnName(f));

    // Field type
    switch(oRecordSet.getColumnType(f))
    {
        case oRecordSet.INTEGER_TYPE:   { WScript.Echo("Field Type: INTEGER"); break; }
        case oRecordSet.REAL_TYPE:      { WScript.Echo("Field Type: REAL"); break; }
        case oRecordSet.STRING_TYPE:    { WScript.Echo("Field Type: STRING"); break; }
        case oRecordSet.TIMESTAMP_TYPE: { WScript.Echo("Field Type: TIMESTAMP"); break; }
        case oRecordSet.NULL_TYPE:      { WScript.Echo("Field Type: NULL"); break; }
    }
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim f

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Display field names and types
For f = 0 To oRecordSet.getColumnCount() - 1

    ' Field Name
    WScript.Echo "Field Name: " & oRecordSet.getColumnName(f)

    ' Field type
    Select Case oRecordSet.getColumnType(f)
        Case oRecordSet.INTEGER_TYPE
            WScript.Echo "Field Type: INTEGER"
        Case oRecordSet.REAL_TYPE
            WScript.Echo "Field Type: REAL"
        Case oRecordSet.STRING_TYPE
            WScript.Echo "Field Type: STRING"
        Case oRecordSet.TIMESTAMP_TYPE
            WScript.Echo "Field Type: TIMESTAMP"
        Case oRecordSet.NULL_TYPE
            WScript.Echo "Field Type: NULL"
    End Select

Next

' Close LogRecordSet
oRecordSet.close()

See also: INTEGER_TYPE Property, NULL_TYPE Property, REAL_TYPE Property, STRING_TYPE Property, LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 587
LogRecord Object
The LogRecord object represents a single query output record, and it exposes methods that can be used to retrieve individual field values from the output record.
The LogRecord object is returned by the getRecord method of the LogRecordSet object.

The interface name of the .NET COM wrapper for this object is "Interop.MSUtil.ILogRecord".

Methods
getValue          Returns the value of a field in the output record.
getValueEx        Returns the value of a field in the output record.
isNull            Returns a Boolean value indicating if an output record field is NULL.
toNativeString    Returns a field or the whole output record as a string value.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create Input Format object
var oIISW3CInputFormat = new ActiveXObject("MSUtil.LogQuery.IISW3CInputFormat");

// Create query text
var strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat);

// Visit all records
while(!oRecordSet.atEnd())
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Get first field value
    var strClientIp = oRecord.getValue(0);

    // Print field value
    WScript.Echo("Client IP Address: " + strClientIp);

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oIISW3CInputFormat
Dim strQuery
Dim oRecordSet
Dim oRecord
Dim strClientIp

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create Input Format object
Set oIISW3CInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Create query text
strQuery = "SELECT c-ip FROM <1> WHERE cs-uri-stem LIKE '%hitcount.asp'"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oIISW3CInputFormat)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Get first field value
    strClientIp = oRecord.getValue(0)

    ' Print field value
    WScript.Echo "Client IP Address: " & strClientIp

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also: LogRecordSet Object, Log Parser COM API Overview, C# Example
Page 590
getValue Method
Returns the value of the field at the specified position in the record.

Script Syntax
value = objRecord.getValue(index);
value = objRecord.getValue(fieldName);

Parameters
index
    An integer containing the 0-based index of the field in the query output records. The index must be less than the number of fields returned by the getColumnCount method of the LogRecordSet object.
fieldName
    A string containing the name of the field in the query output records.

Return Value
The value of the specified field. The value is returned as a VARIANT (i.e. a scripting variable) whose type depends on the data type of the field. The following table shows the VARIANT type returned and the corresponding scripting types for each of the Log Parser data types:

Field Type    VARIANT Type    JScript Type      VBScript Type
INTEGER       VT_I4           number            Long
REAL          VT_R8           number            Double
STRING        VT_BSTR         string            String
TIMESTAMP     VT_DATE         date (VB date)    Date
NULL          VT_NULL         null object       Null

Remarks
Some scripting languages might not handle correctly the null value returned by the getValue method when the field at the specified location is NULL. In these cases, call the isNull method before the getValue method to test the field for NULL values.

Although the Log Parser INTEGER Data Type is a 64-bit value, the getValue method returns INTEGER values as 32-bit integers, since scripting languages do not handle correctly 64-bit integer values. This means that truncation might occur when values are larger than the maximum 32-bit value. In these cases, if a low-level programming language is being used (e.g. C++), applications can call the getValueEx method to retrieve INTEGER values as 64-bit values.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT TimeGenerated, SourceName, EventID, Message FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Visit all records
while(!oRecordSet.atEnd())
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Display record information
    WScript.Echo("TimeGenerated: " + oRecord.getValue("TimeGenerated"));
    WScript.Echo("SourceName: " + oRecord.getValue(1));
    WScript.Echo("EventID: " + oRecord.getValue(2));
    if(!oRecord.isNull(3))
    {
        WScript.Echo("Message: " + oRecord.getValue(3));
    }
    else
    {
        WScript.Echo("Message: <null>");
    }

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim strQuery
Dim f
Dim val

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT TimeGenerated, SourceName, EventID, Message FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Display record information
    WScript.Echo "TimeGenerated: " & oRecord.getValue("TimeGenerated")
    WScript.Echo "SourceName: " & oRecord.getValue(1)
    WScript.Echo "EventID: " & oRecord.getValue(2)
    If oRecord.isNull(3) = False Then
        WScript.Echo "Message: " & oRecord.getValue(3)
    Else
        WScript.Echo "Message: <null>"
    End If

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also: LogRecord Object, Log Parser COM API Overview, C# Example
Page 594
getValueEx Method
Returns the value of the field at the specified position in the record.
The value returned by the getValueEx method is intended for low-level programming languages and is not suitable for consumption by scripting languages.

C++ Syntax
HRESULT getValueEx(IN VARIANT *pindexOrName, OUT VARIANT *pVal);

Parameters
pindexOrName
    A VT_I4 or VT_BSTR VARIANT containing either the 0-based index of the field in the query output records, or the name of the field in the query output records. The index must be less than the number of fields returned by the getColumnCount method of the LogRecordSet object.

Return Value
The value of the specified field. The value is returned as a VARIANT whose type depends on the data type of the field. The following table shows the VARIANT type returned for each of the Log Parser data types:

Field Type    VARIANT Type    Description
INTEGER       VT_I8           64-bit integer
REAL          VT_R8           64-bit floating-point number
STRING        VT_BSTR         String
TIMESTAMP     VT_I8           64-bit integer representing the number of 100-nanosecond intervals since January 1, year 0
NULL          VT_NULL         VT_NULL VARIANT

Remarks
The getValueEx method returns 64-bit integer values that are not handled correctly by scripting languages. For this reason, the method is intended for use by low-level, non-scripting languages, such as C++. If you are developing an application using scripting languages, consider using the getValue method instead.

See also: LogRecord Object, getValue Method, Log Parser COM API Overview, C# Example
Page 596
isNull Method
Returns a Boolean value indicating if an output record field is NULL.

Script Syntax
value = objRecord.isNull(index);
value = objRecord.isNull(fieldName);

Parameters
index
    An integer containing the 0-based index of the field in the query output records. The index must be less than the number of fields returned by the getColumnCount method of the LogRecordSet object.
fieldName
    A string containing the name of the field in the query output records.

Return Value
A Boolean value indicating if the specified output record field is NULL.

Examples
JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT TimeGenerated, SourceName, EventID, Message, Data FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Visit all records
while(!oRecordSet.atEnd())
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Display record information
    WScript.Echo("TimeGenerated: " + oRecord.getValue("TimeGenerated"));
    WScript.Echo("SourceName: " + oRecord.getValue(1));
    WScript.Echo("EventID: " + oRecord.getValue(2));
    if(!oRecord.isNull(3))
    {
        WScript.Echo("Message: " + oRecord.getValue(3));
    }
    else
    {
        WScript.Echo("Message: <null>");
    }

    if(!oRecord.isNull("Data"))
    {
        WScript.Echo("Data: " + oRecord.getValue(4));
    }
    else
    {
        WScript.Echo("Data: <null>");
    }

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim strQuery
Dim f
Dim val

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT TimeGenerated, SourceName, EventID, Message, Data FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Display record information
    WScript.Echo "TimeGenerated: " & oRecord.getValue("TimeGenerated")
    WScript.Echo "SourceName: " & oRecord.getValue(1)
    WScript.Echo "EventID: " & oRecord.getValue(2)
    If oRecord.isNull(3) = False Then
        WScript.Echo "Message: " & oRecord.getValue(3)
    Else
        WScript.Echo "Message: <null>"
    End If

    If oRecord.isNull("Data") = False Then
        WScript.Echo "Data: " & oRecord.getValue(4)
    Else
        WScript.Echo "Data: <null>"
    End If

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also: LogRecord Object, Log Parser COM API Overview, C# Example
Page 599

toNativeString Method
Returns a field or the whole output record as a string value.

Script Syntax
value = objRecord.toNativeString(index);
value = objRecord.toNativeString(separator);

Parameters
index
An integer containing the 0-based index of a field in the query output records. The index must be less than the number of fields returned by the getColumnCount method of the LogRecordSet object.
separator
A string containing the separator to be used between the fields of the record.

Return Value
If a field index is used as argument, the method returns the specified field formatted to a string according to the input format string representation of the data type. For example, if the input format used parses timestamps formatted as 'yyyy-MM-dd hh:mm:ss', then the method formats TIMESTAMP values using the same format.
If a string separator is used as argument, the method returns the concatenation of all the record fields formatted to a string, separated by the specified separator.

Examples

JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create query text
var strQuery = "SELECT TimeGenerated, SourceName, EventID, Message FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery);

// Visit all records
while (!oRecordSet.atEnd())
{
    // Get a record
    var oRecord = oRecordSet.getRecord();

    // Display record information
    WScript.Echo("TimeGenerated: " + oRecord.toNativeString(0));
    WScript.Echo("WholeRecord: " + oRecord.toNativeString(","));

    // Advance LogRecordSet to next record
    oRecordSet.moveNext();
}

// Close LogRecordSet
oRecordSet.close();

VBScript example:

Dim oLogQuery
Dim oRecordSet
Dim strQuery
Dim f
Dim val

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create query text
strQuery = "SELECT TimeGenerated, SourceName, EventID, Message FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery)

' Visit all records
DO WHILE NOT oRecordSet.atEnd

    ' Get a record
    Set oRecord = oRecordSet.getRecord

    ' Display record information
    WScript.Echo "TimeGenerated: " & oRecord.toNativeString(0)
    WScript.Echo "WholeRecord: " & oRecord.toNativeString(",")

    ' Advance LogRecordSet to next record
    oRecordSet.moveNext

LOOP

' Close RecordSet
oRecordSet.close

See also: LogRecord Object, Log Parser COM API Overview, C# Example

Input Format Objects
Input Format objects provide programmatic access to the input formats supported by Log Parser.

Input Format objects are instantiated with the ProgId and the .NET COM wrapper class names specified in the following table:

Input Format  ProgId                                  .NET COM Wrapper Class Name
ADS           MSUtil.LogQuery.ADSInputFormat          COMADSInputContextClassClass
BIN           MSUtil.LogQuery.IISBINInputFormat       COMIISBINInputContextClassClass
CSV           MSUtil.LogQuery.CSVInputFormat          COMCSVInputContextClassClass
ETW           MSUtil.LogQuery.ETWInputFormat          COMETWInputContextClassClass
EVT           MSUtil.LogQuery.EventLogInputFormat     COMEventLogInputContextClassClass
FS            MSUtil.LogQuery.FileSystemInputFormat   COMFileSystemInputContextClassClass
HTTPERR       MSUtil.LogQuery.HttpErrorInputFormat    COMHttpErrorInputContextClassClass
IIS           MSUtil.LogQuery.IISIISInputFormat       COMIISIISInputContextClassClass
IISODBC       MSUtil.LogQuery.IISODBCInputFormat      COMIISODBCInputContextClassClass
IISW3C        MSUtil.LogQuery.IISW3CInputFormat       COMIISW3CInputContextClassClass
NCSA          MSUtil.LogQuery.IISNCSAInputFormat      COMIISNCSAInputContextClassClass
NETMON        MSUtil.LogQuery.NetMonInputFormat       COMNetMonInputContextClassClass
REG           MSUtil.LogQuery.RegistryInputFormat     COMRegistryInputContextClassClass
TEXTLINE      MSUtil.LogQuery.TextLineInputFormat     COMTextLineInputContextClassClass
TEXTWORD      MSUtil.LogQuery.TextWordInputFormat     COMTextWordInputContextClassClass
TSV           MSUtil.LogQuery.TSVInputFormat          COMTSVInputContextClassClass
URLSCAN       MSUtil.LogQuery.URLScanLogInputFormat   COMURLScanLogInputContextClassClass
W3C           MSUtil.LogQuery.W3CInputFormat          COMW3CInputContextClassClass
XML           MSUtil.LogQuery.XMLInputFormat          COMXMLInputContextClassClass

After instantiating an input format object, an application can set the input format parameters and use the object as an argument to the Execute or ExecuteBatch methods of the LogQuery object.

Methods
The Input Format objects do not expose methods.

Properties
The Input Format objects expose read/write properties with the same names and capitalization as the parameters accepted by the corresponding Log Parser input format. For example, the MSUtil.LogQuery.EventLogInputFormat input format object exposes a "resolveSIDs" property that controls the resolveSIDs parameter of the EVT input format.
The value type accepted and returned by an input format object property depends on the nature of the values that can be specified for the input format parameter, as described by the following table:

Parameter values                                 Property value type   JScript Example
"ON"/"OFF" values                                Boolean               oEVTInputFormat.resolveSIDs = true;
Enumeration values (e.g. "ASC"/"PRINT"/"HEX")    String                oEVTInputFormat.binaryFormat = "PRINT";
String values                                    String                oEVTInputFormat.stringsSep = ",";
Numeric values                                   Number                oIISW3CInputFormat.recurse = 10;

For more information on Input Format Parameters, see the Input Formats Reference.

Examples

JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create EVT Input Format object
var oEVTInputFormat = new ActiveXObject("MSUtil.LogQuery.EventLogInputFormat");

// Set input format parameters
oEVTInputFormat.resolveSIDs = true;
oEVTInputFormat.binaryFormat = "PRINT";
oEVTInputFormat.stringsSep = ",";
oEVTInputFormat.iCheckpoint = "MyCheckpoint.lpc";

// Create query text
var strQuery = "SELECT * FROM System";

// Execute query and receive a LogRecordSet
var oRecordSet = oLogQuery.Execute(strQuery, oEVTInputFormat);

VBScript example:

Dim oLogQuery
Dim oEVTInputFormat
Dim strQuery
Dim oRecordSet

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create EVT Input Format object
Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")

' Set input format parameters
oEVTInputFormat.resolveSIDs = True
oEVTInputFormat.binaryFormat = "PRINT"
oEVTInputFormat.stringsSep = ","
oEVTInputFormat.iCheckpoint = "MyCheckpoint.lpc"

' Create query text
strQuery = "SELECT * FROM System"

' Execute query and receive a LogRecordSet
Set oRecordSet = oLogQuery.Execute(strQuery, oEVTInputFormat)

See also: LogQuery Object, Output Format Objects, Log Parser COM API Overview, C# Example

Output Format Objects
Output Format objects provide programmatic access to the output formats supported by Log Parser.

Output Format objects are instantiated with the ProgId and the .NET COM wrapper class names specified in the following table:

Output Format  ProgId                                 .NET COM Wrapper Class Name
CHART          MSUtil.LogQuery.ChartOutputFormat      COMChartOutputContextClassClass
CSV            MSUtil.LogQuery.CSVOutputFormat        COMCSVOutputContextClassClass
DATAGRID       MSUtil.LogQuery.DataGridOutputFormat   COMDataGridOutputContextClassClass
IIS            MSUtil.LogQuery.IISOutputFormat        COMIISOutputContextClassClass
NAT            MSUtil.LogQuery.NativeOutputFormat     COMNativeOutputContextClassClass
SQL            MSUtil.LogQuery.SQLOutputFormat        COMSQLOutputContextClassClass
SYSLOG         MSUtil.LogQuery.SYSLOGOutputFormat     COMSYSLOGOutputContextClassClass
TPL            MSUtil.LogQuery.TemplateOutputFormat   COMTemplateOutputContextClassClass
TSV            MSUtil.LogQuery.TSVOutputFormat        COMTSVOutputContextClassClass
W3C            MSUtil.LogQuery.W3COutputFormat        COMW3COutputContextClassClass
XML            MSUtil.LogQuery.XMLOutputFormat        COMXMLOutputContextClassClass

After instantiating an output format object, an application can set the output format parameters and use the object as an argument to the ExecuteBatch method of the LogQuery object.

Methods
The Output Format objects do not expose methods.

Properties
The Output Format objects expose read/write properties with the same names and capitalization as the parameters accepted by the corresponding Log Parser output format. For example, the MSUtil.LogQuery.CSVOutputFormat output format object exposes a "headers" property that controls the headers parameter of the CSV output format.
The value type accepted and returned by an output format object property depends on the nature of the values that can be specified for the output format parameter, as described by the following table:

Parameter values                                Property value type   JScript Example
"ON"/"OFF" values                               Boolean               oCSVOutputFormat.tabs = true;
Enumeration values (e.g. "ON"/"OFF"/"AUTO")     String                oCSVOutputFormat.oDQuotes = "OFF";
String values                                   String                oCSVOutputFormat.oTsFormat = "yyyy-MM-dd";
Numeric values                                  Number                oCSVOutputFormat.oCodepage = -1;

For more information on Output Format Parameters, see the Output Formats Reference.

Examples

JScript example:

var oLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create EVT Input Format object
var oEVTInputFormat = new ActiveXObject("MSUtil.LogQuery.EventLogInputFormat");

// Create CSV Output Format object
var oCSVOutputFormat = new ActiveXObject("MSUtil.LogQuery.CSVOutputFormat");

// Set output format parameters
oCSVOutputFormat.tabs = true;
oCSVOutputFormat.oDQuotes = "OFF";
oCSVOutputFormat.oTsFormat = "yyyy-MM-dd";
oCSVOutputFormat.oCodepage = -1;

// Create query text
var strQuery = "SELECT TimeGenerated, Message INTO Output.csv FROM System";

// Execute query
oLogQuery.ExecuteBatch(strQuery, oEVTInputFormat, oCSVOutputFormat);

VBScript example:

Dim oLogQuery
Dim oEVTInputFormat
Dim oCSVOutputFormat
Dim strQuery
Dim oRecordSet

Set oLogQuery = CreateObject("MSUtil.LogQuery")

' Create EVT Input Format object
Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")

' Create CSV Output Format object
Set oCSVOutputFormat = CreateObject("MSUtil.LogQuery.CSVOutputFormat")

' Set output format parameters
oCSVOutputFormat.tabs = True
oCSVOutputFormat.oDQuotes = "OFF"
oCSVOutputFormat.oTsFormat = "yyyy-MM-dd"
oCSVOutputFormat.oCodepage = -1

' Create query text
strQuery = "SELECT TimeGenerated, Message INTO Output.csv FROM System"

' Execute query
oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oCSVOutputFormat

See also: LogQuery Object, Input Format Objects, Log Parser COM API Overview, C# Example

COM Input Format Plugins
COM Input Format Plugins are user-developed input formats that can be used with Log Parser to provide custom parsing capabilities.

Custom input formats are developed as COM objects implementing the methods of the ILogParserInputContext COM interface.

Once developed and registered with the COM infrastructure, custom input formats can be used with either the Log Parser scriptable COM components through the Execute and ExecuteBatch methods of the LogQuery object, or with the Log Parser command-line executable through the COM input format.

ILogParserInputContext Interface: describes the methods that must be implemented by custom input format COM objects.
Run Time Interaction: describes how Log Parser interacts with custom input format COM objects at run time.

See also: Custom Plugins, COM Input Format

ILogParserInputContext Interface
Custom input formats are developed as COM objects implementing the methods of the ILogParserInputContext COM interface. A custom input format implements the methods of this interface by implementing the ILogParserInputContext interface directly, or by implementing the IDispatch (Automation) interface exposing the methods of the ILogParserInputContext interface.

Interface

//
// Interface GUID
//

/* 27E78867-48AB-433c-9AFD-9D78D8B1CFC7 */
DEFINE_GUID(IID_ILogParserInputContext, 0x27E78867, 0x48AB, 0x433C, 0x9A, 0xFD, 0x9D, 0x78, 0xD8, 0xB1, 0xCF, 0xC7);

//
// Log Parser Input Context Interface implemented by Log Parser Input plugins and called by Log Parser.
//

class ILogParserInputContext : public IUnknown
{
public:

    enum FieldType
    {
        Integer   = 1,
        Real      = 2,
        String    = 3,
        Timestamp = 4,
        Null      = 5
    };

    virtual HRESULT STDMETHODCALLTYPE OpenInput(IN BSTR bszFromEntity) = 0;
    virtual HRESULT STDMETHODCALLTYPE GetFieldCount(OUT DWORD *pnFields) = 0;
    virtual HRESULT STDMETHODCALLTYPE GetFieldName(IN DWORD fIndex, OUT BSTR *pbszFieldName) = 0;
    virtual HRESULT STDMETHODCALLTYPE GetFieldType(IN DWORD fIndex, OUT DWORD *pnFieldType) = 0;
    virtual HRESULT STDMETHODCALLTYPE ReadRecord(OUT VARIANT_BOOL *pbDataAvailable) = 0;
    virtual HRESULT STDMETHODCALLTYPE GetValue(IN DWORD fIndex, OUT VARIANT *pvarValue) = 0;
    virtual HRESULT STDMETHODCALLTYPE CloseInput(IN VARIANT_BOOL bAbort) = 0;
};

Methods
OpenInput        Processes the specified from-entity and performs any necessary initialization.
GetFieldCount    Returns the number of input record fields.
GetFieldName     Returns the name of an input record field.
GetFieldType     Returns the type of an input record field.
ReadRecord       Reads the next input record.
GetValue         Returns the value of a field in the current input record.
CloseInput       Releases all the resources and performs any necessary cleanup.

Properties
Custom Properties    Custom input formats developed as IDispatch COM objects can support custom properties that are controlled at run time as input format parameters.

See also: Run Time Interaction, Custom Plugins

CloseInput Method
Releases all the resources and performs any necessary cleanup.

C++ Syntax
HRESULT STDMETHODCALLTYPE CloseInput(IN VARIANT_BOOL bAbort);

Script Syntax
CloseInput(bAbort);

Parameters
bAbort
A Boolean value set to TRUE if the query execution has been aborted, or FALSE if the query execution has completed successfully.

Return Value
None.

Remarks
This is the last method invoked by Log Parser before releasing the custom input format COM object.

Examples

C++ example:

HRESULT CProcessesInputContext::CloseInput(IN VARIANT_BOOL bAbort)
{
    // Close the snapshot handle
    if (m_hSnapshot != INVALID_HANDLE_VALUE)
    {
        CloseHandle(m_hSnapshot);
        m_hSnapshot = INVALID_HANDLE_VALUE;
    }

    return S_OK;
}

VBScript example:

Function CloseInput(bAbort)

    m_objQFEArray = Array()

End Function

See also: ILogParserInputContext Interface, OpenInput Method, Run Time Interaction, Custom Plugins

GetFieldCount Method
Returns the number of fields in the input records.

C++ Syntax
HRESULT STDMETHODCALLTYPE GetFieldCount(OUT DWORD *pnFields);

Script Syntax
nFields = GetFieldCount();

Return Value
An integer value containing the number of fields in the input records.

Examples

C++ example:

HRESULT CProcessesInputContext::GetFieldCount(OUT DWORD *pnFields)
{
    // This Input Context exports 4 fields
    *pnFields = 4;

    return S_OK;
}

VBScript example:

Function GetFieldCount()

    ' This Input Format returns 4 or 6 fields
    If m_bExtendedFields = True Then
        GetFieldCount = 6
    Else
        GetFieldCount = 4
    End If

End Function

See also: ILogParserInputContext Interface, Run Time Interaction, Custom Plugins

GetFieldName Method
Returns the name of an input record field.

C++ Syntax
HRESULT STDMETHODCALLTYPE GetFieldName(IN DWORD fIndex, OUT BSTR *pbszFieldName);

Script Syntax
fieldName = GetFieldName(fIndex);

Parameters
fIndex
The 0-based index of the input record field. The index value is guaranteed to be smaller than the number of fields returned by the GetFieldCount method.

Return Value
A string value containing the name of the input record field at the specified position.

Examples

C++ example:

HRESULT CProcessesInputContext::GetFieldName(IN DWORD fIndex, OUT BSTR *pbszFieldName)
{
    switch (fIndex)
    {
        case 0:
        {
            *pbszFieldName = SysAllocString(L"ImageName");
            break;
        }

        case 1:
        {
            *pbszFieldName = SysAllocString(L"PID");
            break;
        }

        case 2:
        {
            *pbszFieldName = SysAllocString(L"ParentPID");
            break;
        }

        case 3:
        {
            *pbszFieldName = SysAllocString(L"Threads");
            break;
        }
    }

    return S_OK;
}

VBScript example:

Function GetFieldName(nFieldIndex)

    Select Case nFieldIndex
        Case 0
            GetFieldName = "QFE"
        Case 1
            GetFieldName = "Description"
        Case 2
            GetFieldName = "InstallDate"
        Case 3
            GetFieldName = "InstalledBy"
        Case 4
            GetFieldName = "Comments"
        Case 5
            GetFieldName = "SP"
    End Select

End Function

See also: ILogParserInputContext Interface, GetFieldType Method, Run Time Interaction, Custom Plugins

GetFieldType Method
Returns the type of an input record field.

C++ Syntax
HRESULT STDMETHODCALLTYPE GetFieldType(IN DWORD fIndex, OUT DWORD *pnFieldType);

Script Syntax
fieldType = GetFieldType(fIndex);

Parameters
fIndex
The 0-based index of the input record field. The index value is guaranteed to be smaller than the number of fields returned by the GetFieldCount method.

Return Value
An integer value from the FieldType enumeration containing the Log Parser data type of the input record field at the specified position.

Examples

C++ example:

HRESULT CProcessesInputContext::GetFieldType(IN DWORD fIndex, OUT DWORD *pnFieldType)
{
    switch (fIndex)
    {
        case 0:
        {
            // ImageName
            *pnFieldType = ILogParserInputContext::String;
            break;
        }

        case 1:
        {
            // PID
            *pnFieldType = ILogParserInputContext::Integer;
            break;
        }

        case 2:
        {
            // ParentPID
            *pnFieldType = ILogParserInputContext::Integer;
            break;
        }

        case 3:
        {
            // Threads
            *pnFieldType = ILogParserInputContext::Integer;
            break;
        }
    }

    return S_OK;
}

VBScript example:

Function GetFieldType(nFieldIndex)

    Select Case nFieldIndex
        Case 0
            ' String
            GetFieldType = 3
        Case 1
            ' String
            GetFieldType = 3
        Case 2
            ' Timestamp
            GetFieldType = 4
        Case 3
            ' String
            GetFieldType = 3
        Case 4
            ' String
            GetFieldType = 3
        Case 5
            ' String
            GetFieldType = 3
    End Select

End Function

See also: ILogParserInputContext Interface, GetFieldName Method, Run Time Interaction, Custom Plugins

GetValue Method
Returns the value of an input record field.

C++ Syntax
HRESULT STDMETHODCALLTYPE GetValue(IN DWORD fIndex, OUT VARIANT *pvarValue);

Script Syntax
value = GetValue(fIndex);

Parameters
fIndex
The 0-based index of the input record field. The index value is guaranteed to be smaller than the number of fields returned by the GetFieldCount method.

Return Value
A VARIANT containing the value of the specified field. The VARIANT type must match the Log Parser data type declared by the GetFieldType method, as shown in the following table:

Declared Field Type   C++ VARIANT Type                                                                                                     VBScript Type
INTEGER               VT_I8 (also compatible: VT_I4)                                                                                       Long (VT_I4)
REAL                  VT_R8                                                                                                                Double (VT_R8)
STRING                VT_BSTR                                                                                                              String (VT_BSTR)
TIMESTAMP             VT_DATE (also compatible: VT_I8, VT_I4 containing the number of 100-nanosecond intervals since January 1, year 0)    Date (VT_DATE)
NULL                  VT_NULL (also compatible: VT_EMPTY)                                                                                  Null (VT_NULL)

Remarks
Any value can be returned as a VT_NULL or VT_EMPTY VARIANT (a Null VBScript variable) to indicate a NULL value, regardless of the field type declared by the GetFieldType method.
Due to query execution optimizations, there is no guarantee that the GetValue method will be called for all the fields of an input record. In fact, the GetValue method will only be called for those fields that are referred to by the currently executing query. For example, if a query refers to two fields only out of an input record made up of ten fields, then the GetValue method will be called for those two fields only. If a query does not refer to any input record field (e.g. "SELECT COUNT(*)"), then the GetValue method will never be called.

Examples

C++ example:

HRESULT CProcessesInputContext::GetValue(IN DWORD fIndex, OUT VARIANT *pvarValue)
{
    // Initialize return value
    VariantInit(pvarValue);

    switch (fIndex)
    {
        case 0:
        {
            // ImageName
            V_VT(pvarValue) = VT_BSTR;
            V_BSTR(pvarValue) = SysAllocString(m_processEntry32.szExeFile);
            break;
        }

        case 1:
        {
            // PID
            V_VT(pvarValue) = VT_I4;
            V_I4(pvarValue) = m_processEntry32.th32ProcessID;
            break;
        }

        case 2:
        {
            // ParentPID
            V_VT(pvarValue) = VT_I4;
            V_I4(pvarValue) = m_processEntry32.th32ParentProcessID;
            break;
        }

        case 3:
        {
            // Threads
            V_VT(pvarValue) = VT_I4;
            V_I4(pvarValue) = m_processEntry32.cntThreads;
            break;
        }
    }

    return S_OK;
}

VBScript example:

Function GetValue(nFieldIndex)

    Select Case nFieldIndex

        Case 0
            ' QFE
            GetValue = m_objQFEArray(m_nIndex).HotFixID
        Case 1
            ' Description
            GetValue = m_objQFEArray(m_nIndex).Description
        Case 2
            ' InstallDate
            GetValue = m_objQFEArray(m_nIndex).InstallDate
        Case 3
            ' InstalledBy
            GetValue = m_objQFEArray(m_nIndex).InstalledBy
        Case 4
            ' Comments
            GetValue = m_objQFEArray(m_nIndex).FixComments
        Case 5
            ' SP
            GetValue = m_objQFEArray(m_nIndex).ServicePackInEffect

    End Select

End Function

See also: ILogParserInputContext Interface, ReadRecord Method, Run Time Interaction, Custom Plugins

OpenInput Method
Processes the specified from-entity and performs any necessary initialization.

C++ Syntax
HRESULT STDMETHODCALLTYPE OpenInput(IN BSTR bszFromEntity);

Script Syntax
OpenInput(bszFromEntity);

Parameters
bszFromEntity
The from-entity specified in the FROM clause of the currently executing query, or an empty string if Log Parser is executed in Help Mode to display the quick-reference help on the custom input format.

Return Value
None.

Remarks
The OpenInput method is the first method called by Log Parser after the custom input format COM object has been instantiated. An implementation of this method would usually perform any necessary object initialization, prepare the from-entity for input record retrieval (e.g. opening an input file), and eventually pre-process the input to gather the input record fields meta-information that will be returned by the GetFieldCount, GetFieldName, and GetFieldType methods.
Users can execute the Log Parser command-line executable in Help Mode to display a quick-reference help on a custom input format. The quick-reference help displays the input record field names and types, which are retrieved through calls to the GetFieldCount, GetFieldName, and GetFieldType methods. If the user-supplied help mode command does not include a from-entity, the bszFromEntity argument will be an empty string. In these cases, a custom input format COM object can behave in two ways:
If the input record fields do not depend on the from-entity specified in the query (i.e. if the input record structure is fixed), then the custom input format COM object should accept the empty from-entity without returning an error, allowing Log Parser to subsequently call the GetFieldCount, GetFieldName, and GetFieldType methods to retrieve the input record structure;
If the input record fields depend on the from-entity specified in the query (i.e. if the input record structure is extracted from the input data), then the custom input format COM object should reject the empty from-entity returning an error, which will in turn cause the help command to display a warning message to the user in place of the input record structure.

Examples

C++ example:

HRESULT CProcessesInputContext::OpenInput(IN BSTR bszFromEntity)
{
    // Initialize object
    ...

    // This input format does not require a from-entity, so
    // we will just ignore the argument

    return S_OK;
}

VBScript example:

Function OpenInput(strComputerName)

    Dim objWMIService
    Dim objQFEs
    Dim nLength

    ' Default computer name is local machine
    If IsNull(strComputerName) Or Len(strComputerName) = 0 Then
        strComputerName = "."
    End If

    ' Query for all the QFE's on the specified machine
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputerName & "\root\cimv2")
    Set objQFEs = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering")

    ' Store in array
    m_objQFEArray = Array()
    For Each objQFE In objQFEs
        ReDim Preserve m_objQFEArray(UBound(m_objQFEArray) + 1)
        Set m_objQFEArray(UBound(m_objQFEArray)) = objQFE
    Next

    ' Start one position before the first element: ReadRecord advances the
    ' index before each record is read, so starting at LBound would skip
    ' the first QFE
    m_nIndex = LBound(m_objQFEArray) - 1

End Function

See also: ILogParserInputContext Interface, CloseInput Method, Run Time Interaction, Custom Plugins

ReadRecord Method
Reads the next input record.

C++ Syntax
HRESULT STDMETHODCALLTYPE ReadRecord(OUT VARIANT_BOOL *pbDataAvailable);

Script Syntax
bDataAvailable = ReadRecord();

Return Value
A Boolean value set to TRUE if a new input record has been read and is available for consumption, or FALSE if there are no more input records to return.

Remarks
An implementation of the ReadRecord method would usually read a new data item from the input and store it internally, waiting for Log Parser to subsequently call the GetValue method multiple times to retrieve the input record field values.
The Boolean value returned by the ReadRecord method is used by Log Parser to determine which custom input format methods will be called next. If the method returns TRUE, signaling availability of an input record, Log Parser will call the GetValue method multiple times to retrieve the input record field values, followed by a new call to the ReadRecord method to read the next input record. If the method returns FALSE, signaling the end of the input data, Log Parser will call the CloseInput method and release the custom input format COM object.

Examples

C++ example:

HRESULT CProcessesInputContext::ReadRecord(OUT VARIANT_BOOL *pbDataAvailable)
{
    if (m_hSnapshot == INVALID_HANDLE_VALUE)
    {
        // This is the first time we have been called

        // Get a snapshot of the current processes
        m_hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (m_hSnapshot == INVALID_HANDLE_VALUE)
        {
            // Error
            return HRESULT_FROM_WIN32(GetLastError());
        }

        // Get the first entry
        if (!Process32First(m_hSnapshot, &m_processEntry32))
        {
            DWORD dwLastError = GetLastError();
            if (dwLastError == ERROR_NO_MORE_FILES)
            {
                // No processes
                *pbDataAvailable = VARIANT_FALSE;
                return S_OK;
            }
            else
            {
                // Error
                return HRESULT_FROM_WIN32(GetLastError());
            }
        }
        else
        {
            // There is data available
            *pbDataAvailable = VARIANT_TRUE;
            return S_OK;
        }
    }
    else
    {
        // We have already been called before, and we have already taken a snapshot

        // Get the next entry
        if (!Process32Next(m_hSnapshot, &m_processEntry32))
        {
            DWORD dwLastError = GetLastError();
            if (dwLastError == ERROR_NO_MORE_FILES)
            {
                // No more processes
                *pbDataAvailable = VARIANT_FALSE;
                return S_OK;
            }
            else
            {
                // Error
                return HRESULT_FROM_WIN32(GetLastError());
            }
        }
        else
        {
            // There is data available
            *pbDataAvailable = VARIANT_TRUE;
            return S_OK;
        }
    }
}

VBScript example:

Function ReadRecord()

    If m_nIndex >= UBound(m_objQFEArray) Then
        ' Enumeration terminated
        ReadRecord = False
    Else
        ' Advance
        m_nIndex = m_nIndex + 1
        ReadRecord = True
    End If

End Function

See also: ILogParserInputContext Interface, GetValue Method, Run Time Interaction, Custom Plugins

Custom Properties
Provide parameters for the custom input format.

C++ Syntax
HRESULT STDMETHODCALLTYPE put_propertyName(IN VARIANT *value);

Script Syntax
put_propertyName(value);

Parameters
value
A VT_BSTR VARIANT containing the string parameter value specified with the -iCOMParams parameter of the COM input format.

Return Value
None.

Remarks
Custom properties can only be exposed by custom input formats that implement the IDispatch (Automation) interface. These are usually custom input formats developed as scriptlets (.wsc files) written in JScript or VBScript.
Custom properties exposed by a custom input format can be set in two different ways:

With the Log Parser command-line executable, custom properties can be set through the -iCOMParams parameter of the COM input format, as shown in the following example:

C:\>LogParser "SELECT * FROM file.txt" -i:COM -iProgID:MySample.CustomInputFormat -iCOMParams:property1=value1,property2=value2

With the Log Parser scriptable COM components, custom properties can be set directly on the custom input format object before specifying the object as an argument to the Execute or ExecuteBatch methods of the LogQuery object, as shown in the following JScript example:

var objLogQuery = new ActiveXObject("MSUtil.LogQuery");

// Create custom input format object
var objCustomInputFormat = new ActiveXObject("MySample.CustomInputFormat");

// Set custom input format parameters
objCustomInputFormat.property1 = "value1";
objCustomInputFormat.property2 = "value2";

// Execute query
var objRecordSet = objLogQuery.Execute("SELECT * FROM file.txt", objCustomInputFormat);

Examples

VBScript example:

Function put_extendedFields(strValue)

    If UCase(strValue) = "ON" Then
        m_bExtendedFields = True
    Else
        m_bExtendedFields = False
    End If

End Function

See also: ILogParserInputContext Interface, Run Time Interaction, Custom Plugins, COM Input Format

Run Time Interaction
Custom input format COM objects are used by Log Parser in two different scenarios: when executing a query, and when displaying a quick-reference help on the custom input format when the Log Parser command-line executable is used in Help Mode.

Query Execution Scenario
In this scenario, a custom input format COM object is used to retrieve input records from the specified from-entity.

To make an example of the sequence of the method calls invoked by Log Parser on the custom input format COM object in this scenario, we will assume that the custom input format generates input records containing the following four fields:

"FirstField", STRING type;
"SecondField", INTEGER type;
"ThirdField", TIMESTAMP type;
"FourthField", STRING type.

In addition, we will assume that the query being executed references only three fields out of the four fields exported by the custom input format, as in the following example:

SELECT FourthField, ThirdField FROM InputFile.txt WHERE FirstField LIKE '%test%'

The following table shows the sequence of method calls under these assumptions:

Method call                   Returned value      Returned value description
Object is instantiated
OpenInput("InputFile.txt")    None
GetFieldCount()               4
GetFieldName(0)               "FirstField"
GetFieldType(0)               3                   FieldType.String
GetFieldName(1)               "SecondField"
GetFieldType(1)               1                   FieldType.Integer
GetFieldName(2)               "ThirdField"
GetFieldType(2)               4                   FieldType.Timestamp
GetFieldName(3)               "FourthField"
GetFieldType(3)               3                   FieldType.String
ReadRecord()                  TRUE                an input record is available
GetValue(0)                   VT_BSTR VARIANT     first field value
GetValue(2)                   VT_DATE VARIANT     third field value
GetValue(3)                   VT_BSTR VARIANT     fourth field value
ReadRecord()                  TRUE                an input record is available
GetValue(0)                   VT_BSTR VARIANT     first field value
GetValue(2)                   VT_DATE VARIANT     third field value
GetValue(3)                   VT_BSTR VARIANT     fourth field value
...                           ...                 ...
ReadRecord()                  TRUE                an input record is available
GetValue(0)                   VT_BSTR VARIANT     first field value
GetValue(2)                   VT_DATE VARIANT     third field value
GetValue(3)                   VT_BSTR VARIANT     fourth field value
ReadRecord()                  FALSE               no more input records available
CloseInput(FALSE)             None
Object is released

Help Mode Scenario
When the Log Parser command-line executable is used in Help Mode to display a quick-reference help on the custom input format, the custom input format COM object is only used to retrieve the field information that is displayed to the user.

The user-supplied help mode command may or may not include a from-entity, as shown in the following examples:

C:\>LogParser -h -i:COM -iProgID:MySample.CustomInputFormat file.txt

C:\>LogParser -h -i:COM -iProgID:MySample.CustomInputFormat

If the user-supplied help mode command does not include a from-entity, then the bszFromEntity argument of the OpenInput method will be an empty string. See the Remarks section of the OpenInput Method Reference for more information on how custom input format COM objects should behave in this case.

To make an example of the sequence of the method calls invoked by Log Parser on the custom input format COM object in this scenario, we will assume that the custom input format generates input records containing the following four fields:

"FirstField", STRING type;
"SecondField", INTEGER type;
"ThirdField", TIMESTAMP type;
"FourthField", STRING type.

In addition, we will assume that the help command does not include a from-entity.

The following table shows the sequence of method calls under these assumptions:

Method call               Returned value    Returned value description
Object is instantiated
OpenInput("")             None
GetFieldCount()           4
GetFieldName(0)           "FirstField"
GetFieldType(0)           3                 FieldType.String
GetFieldName(1)           "SecondField"
GetFieldType(1)           1                 FieldType.Integer
GetFieldName(2)           "ThirdField"
GetFieldType(2)           4                 FieldType.Timestamp
GetFieldName(3)           "FourthField"
GetFieldType(3)           3                 FieldType.String
CloseInput(FALSE)         None
Object is released
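
The Query Execution and Help Mode call sequences tabulated above can be replayed against a plugin's logic before it is registered with COM. The following is an added example, not code from the Log Parser documentation or product: a JavaScript stand-in for the host that records every call, reads only the fields a query references, and checks each returned value against the declared field type. The names runQuery, showHelp, makePlugin and the sample rows are hypothetical, and calling CloseInput(true) after a failed read is an assumption of this harness.

```javascript
// Added example: a stand-in for the Log Parser host, not Log Parser itself.
const FieldType = { Integer: 1, Real: 2, String: 3, Timestamp: 4, Null: 5 };

// True when a value is acceptable for the declared field type.
// null/undefined always pass: any field may be returned as NULL.
function valueMatchesType(value, type) {
  if (value === null || value === undefined) return true;
  switch (type) {
    case FieldType.Integer:   return Number.isInteger(value);
    case FieldType.Real:      return typeof value === "number";
    case FieldType.String:    return typeof value === "string";
    case FieldType.Timestamp: return value instanceof Date;
    default:                  return false; // declared NULL, or unknown type code
  }
}

// Wraps a plugin so that every method call is appended to `calls` as text.
function traced(plugin, calls) {
  return (name, ...args) => {
    calls.push(`${name}(${args.map((a) => JSON.stringify(a)).join(",")})`);
    return plugin[name](...args);
  };
}

// GetFieldCount, then GetFieldName/GetFieldType for each index, as tabulated.
function readSchema(call) {
  const fields = [];
  const count = call("GetFieldCount");
  for (let i = 0; i < count; i++) {
    const name = call("GetFieldName", i);
    const type = call("GetFieldType", i);
    if (!Object.values(FieldType).includes(type)) throw new Error(`field ${i}: invalid type code ${type}`);
    fields.push({ name, type });
  }
  return fields;
}

// Query Execution scenario. `referenced` lists the field names the query uses;
// GetValue is called for those fields only. The query itself is not evaluated.
// Assumption of this harness: a failure after OpenInput ends with CloseInput(true).
function runQuery(plugin, fromEntity, referenced) {
  const calls = [], records = [];
  const call = traced(plugin, calls);
  let error = null;
  call("OpenInput", fromEntity);
  try {
    const fields = readSchema(call);
    const wanted = fields.map((_, i) => i).filter((i) => referenced.includes(fields[i].name));
    while (call("ReadRecord")) {
      const record = {};
      for (const i of wanted) {
        const value = call("GetValue", i);
        if (!valueMatchesType(value, fields[i].type)) throw new Error(`${fields[i].name}: value does not match declared type`);
        record[fields[i].name] = value === undefined ? null : value;
      }
      records.push(record);
    }
  } catch (e) {
    error = e.message;
  }
  call("CloseInput", error !== null);
  return { calls, records, error };
}

// Help Mode scenario. A plugin that rejects the empty from-entity yields a
// warning instead of a field list; this harness makes no further calls then.
function showHelp(plugin, fromEntity = "") {
  const calls = [];
  const call = traced(plugin, calls);
  try {
    call("OpenInput", fromEntity);
  } catch (e) {
    return { calls, fields: null, warning: e.message };
  }
  const fields = readSchema(call);
  call("CloseInput", false);
  return { calls, fields, warning: null };
}

// Constructed sample plugin with the four fields used in the tables above.
// requireFromEntity = true models a plugin whose record structure comes from
// the input data, so it rejects the empty from-entity passed in Help Mode.
function makePlugin(rows, requireFromEntity = false) {
  const schema = [["FirstField", 3], ["SecondField", 1], ["ThirdField", 4], ["FourthField", 3]];
  let index = -1;
  return {
    OpenInput(fromEntity) {
      if (requireFromEntity && !fromEntity) throw new Error("a from-entity is required");
      index = -1;
    },
    GetFieldCount() { return schema.length; },
    GetFieldName(i) { return schema[i][0]; },
    GetFieldType(i) { return schema[i][1]; },
    ReadRecord() { index += 1; return index < rows.length; },
    GetValue(i) { return rows[index][i]; },
    CloseInput(bAbort) { index = -1; },
  };
}
```

The `calls` array returned by either function can be compared line by line with the tables above; a GetValue call for an unreferenced field, or a value of the wrong type, shows up before the plugin ever runs inside Log Parser.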

See also: ILogParserInputContext Interface, Custom Plugins

Legal Information

Microsoft Documentation
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2004 Microsoft Corporation. All rights reserved.

Active Directory, JScript, Microsoft, MSDN, Visual Basic, Visual Studio, Windows, Windows Media, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.