Sunday, January 16, 2011

How to use logparser to query IIS log entries logged in the past N minutes?

The host is located in the EDT time zone. Event logs are logged using EDT. IIS logs are getting logged using UTC, and I'm not sure which logparser construct helps account for UTC.

For example, Windows event logs, logged in local time, entries logged in last 20 minutes can be retrieved with:

>logparser "SELECT * FROM Application WHERE TimeGenerated >= TO_LOCALTIME( SUB( SYSTEM_TIMESTAMP(), TIMESTAMP( '20', 'mm' ) ) )"

How do I retrieve IISW3C formatted log entries logged in the previous 3 minutes?

After further review, I found this example in the help entry for SYSTEM_TIME ( ), i.e. Retrieve the IIS log entries logged in the current hour:

logparser -i:IISW3C "SELECT * FROM <1> WHERE date = SYSTEM_DATE() AND time >= QUANTIZE( SYSTEM_TIME(), 3600 )" -o:NAT

This current attempt retrieves the last 180 seconds (I think?), still trying to grok it...;-)

logparser -i:IISW3C "SELECT Time, Date, cs-uri-stem FROM <1> WHERE date = SYSTEM_DATE() AND time >= QUANTIZE( SYSTEM_TIME(), 180 )" -RTP:-1

Other suggestions or approaches you can recommend?

  • Try the TO_LOCALTIME function - http://logparserplus.com/Functions#function_TO_LOCALTIME

    Example:

    TO_LOCALTIME(TO_TIMESTAMP(date, time)) AS [LocalTime]
    

    You should then be able to grab everything after 3 minutes ago, which for that I'd use SYSTEM_TIMESTAMP() within your QUANTIZE.

    Example:

    logparser "select top 10 TO_LOCALTIME(SYSTEM_TIMESTAMP()), SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-01 00:03', 'yyyy-MM-dd HH:mm')) from \\192.168.1.104\wwwroot\ex*.log"
    

    That returns the current system time and 3 minutes ago. So roughly your WHERE clause would be LocalTime > SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-01 00:03', 'yyyy-MM-dd HH:mm'))

    logparser "select top 10 TO_LOCALTIME(TO_TIMESTAMP(date, time)) AS [LocalTime], * FROM \\192.168.1.104\wwwroot\ex*.log WHERE LocalTime > SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-01 00:03', 'yyyy-MM-dd HH:mm'))"
    

    Remember, date and time will be in UTC, so make sure you convert every instance to local time before comparing against them.

    Of course, you could just work within the time zone of the log files, which would be removing TO_LOCALTIME from your final WHERE clause.

0 comments:

Post a Comment