June 26, 2009

Microsoft LogParser 2.2 Tutorial III

Click Here to see Part II.

In this next post about LogParser, I want to discuss usage with a few other input formats as well as a few output options. The best way to learn this is by example, so here goes:

Query the Registry
--select from registry
LogParser -i:REG -o:datagrid "SELECT value, valuename from HKLM\Software\Microsoft WHERE ValueName='ProductID'"

Query AD
I would usually use C# or PowerShell for this, but it can be done with LogParser. Some complex examples can be found here.

Chart Output
--count requests per day and chart it (COUNT(c-ip) counts every hit, not distinct clients)
LogParser -i:IISW3C -o:chart -chartType:Line "SELECT date, count(c-ip) AS visitors INTO myChart.gif from c:\MyIISlog.log GROUP BY date"

--select asp errors by hour and chart it
LogParser -i:IISW3C -o:chart -chartType:Line "SELECT s-ip, TO_TIME(QUANTIZE(TO_TIMESTAMP(date, time),3600)) as timestamp, COUNT(*) AS Error_Frequency FROM c:\MyIISLog.log WHERE sc-status >= 400 AND (EXTRACT_EXTENSION(TO_LOWERCASE(cs-uri-stem)) IN ('asp';'aspx';'ashx';'ascx')) GROUP BY s-ip, timestamp ORDER BY timestamp ASC"

--select percentage processing time by extension and chart it
LogParser -i:IISW3C -o:chart -chartType:Line "SELECT s-ip, EXTRACT_EXTENSION(cs-uri-stem) AS Extension, TO_INT(MUL(PROPSUM(time-taken),100.0)) AS Processing_Time FROM c:\MyIISLog.log GROUP BY s-ip, Extension ORDER BY Processing_Time DESC"

Dump into SQL Server
--dump into sql server
LogParser -i:IISW3C -o:SQL "SELECT * INTO WebLogs from c:\MyIIS.log" -server:MyServer\SQLExpress -database:IISLogs -driver:"SQL Server" -createTable:ON

One note for SQL Server: you can create the table manually and then import just the fields you want, or all of them. If you use -createTable:ON, LogParser will make a new table for you in the database (make sure you have rights). The default column length, though, is 255, and data might get truncated, so I usually create my own table first.
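
Here is what creating the table first can look like, as an added example that is not from the original post. Long query strings and user-agent values are the fields most likely to exceed 255 characters, and they are usually the ones you need intact when reviewing logs. The column names and widths are assumptions, and the example assumes LogParser matches the SELECT fields to the table columns by position.

```sql
-- Added example: hand-built target table for a subset of IISW3C fields.
-- Column names and widths are assumptions; size them for your own traffic.
CREATE TABLE WebLogs (
    LogTime    DATETIME      NULL,  -- TO_TIMESTAMP(date, time)
    ClientIp   VARCHAR(45)   NULL,  -- c-ip (wide enough for IPv6 text)
    Method     VARCHAR(16)   NULL,  -- cs-method
    UriStem    VARCHAR(2048) NULL,  -- cs-uri-stem
    UriQuery   VARCHAR(4096) NULL,  -- cs-uri-query
    Status     INT           NULL,  -- sc-status
    TimeTaken  INT           NULL,  -- time-taken (milliseconds)
    UserAgent  VARCHAR(1024) NULL   -- cs(User-Agent)
);

-- Matching import, typed on one line at the command prompt.
-- The SELECT list is in the same order as the columns above, and
-- -createTable:OFF makes LogParser use the existing table:
--
--   LogParser -i:IISW3C -o:SQL "SELECT TO_TIMESTAMP(date, time), c-ip,
--     cs-method, cs-uri-stem, cs-uri-query, sc-status, time-taken,
--     cs(User-Agent) INTO WebLogs FROM c:\MyIIS.log"
--     -server:MyServer\SQLExpress -database:IISLogs
--     -driver:"SQL Server" -createTable:OFF

-- After the import, look for values that exactly fill their column.
-- A non-zero count suggests a value was cut off and the column
-- should be widened before the data is relied on.
SELECT COUNT(*) AS RowsAtLimit
FROM WebLogs
WHERE DATALENGTH(UriQuery) = 4096
   OR DATALENGTH(UriStem) = 2048
   OR DATALENGTH(UserAgent) = 1024;
```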

You now have a bunch of examples on input and forensics for LogParser, and on output formats as well. I have just scratched the surface with input/output though.

Next week I'll go into some examples on how to call LogParser from code.

