Geek Answers Handbook

Request IIS Logs with Extra Fields Using LogParser

I have an IIS log with the optional 'foo' field.

#Fields: foo date s-sitename ... foo1 2009-02-15 W3SVC1 ... foo2 2009-02-15 W3SVC1 ...

As a result, all LogParser requests are violated:

 logparser -i:IISW3C "SELECT c-ip, s-ip FROM my.log" Statistics: ----------- Elements processed: 0 Elements output: 0 Execution time: 0.00 seconds

Can LogParser be informed of such additional fields so that it can parse IIS files?

+6
iis logparser
source share
4 answers

Try the W3C format (-i: W3C).

If this does not work, and this is a one-time analysis, you can create a script to remove this column. If this is an ongoing activity, you may need to use the standard format, or at least move the extra field to the end.

By the way, LogParser supports custom input formats .

+10
source share

I don't know about LogParser, but if you weren’t able to do this, you can try splunk , which seems to handle another format log quite easily.

0
source share

use the -iHeaderFile option to define your own fields. logparser -h will show additional information

0
source share

It is very easy to do!

Just use the TRIM function around your string. This way, you can enter any string you want as a custom optional field in the Log Parser Query query.

Link: http://logparserplus.com/Functions#function_TRIM

For example, I do this in this query (used to extract the average and maximum time):

 logparser -i:IISW3C -rtp:-1 -o:NAT -headers:OFF -iw:ON "SELECT TRIM('my-website-custom-extra-column-name.com') AS siteName, TRIM('foo-bar-custom-extra-column-name') AS fooBar, AVG(time-taken) As AverageTimeTaken, MAX(time-taken) As MaxTimeTaken, COUNT(*) As Hits, TO_LOWERCASE(cs-uri-stem) As Uri FROM C:\inetpub\yourwebsite.com\ex*.log TO c:\myOutputParsedLog.txt WHERE (Extract_Extension(To_Lowercase(cs-uri-stem)) IN ('aspx')) GROUP BY TO_LOWERCASE(cs-uri-stem) ORDER BY AverageTimeTaken DESC"
0
source share

More articles:


All Articles