LogParser and examples on the web

Hello,

I'm looking at different pages on the web which discuss Log Parser and share useful examples of how to query an IIS log file using LogParser.

Currently, I am using LogParser 2.2 in Windows PowerShell, yet LogParser complains about some of its own examples or syntax.

In this case I'm facing an issue which doesn't return an error or any warning at:

http://blogs.msdn.com/b/carlosag/archive/2010/03/25/analyze-your-iis-log-files-favorite-log-parser-queries.aspx

Number of Hits per Client IP, including a Reverse DNS lookup (SLOW). I thought SLOW means it would take a few minutes, but nothing comes out of this command.

LogParser.exe -i:W3C "Query-From-The-Table-Below" -o:CSV

SELECT c-ip As Machine,  
        REVERSEDNS(c-ip) As Name,  
        COUNT(*) As Hits  
 FROM c:\inetpub\logs\LogFiles\W3SVC1\*  
 GROUP BY Machine ORDER BY Hits DESC


So I run the following command:


.\Logparser.exe  "SELECT c-ip As Machine,  
        REVERSEDNS(c-ip) As Name,  
        COUNT(*) As Hits  
 FROM c:\inetpub\logs\LogFiles\W3SVC1\*  
 GROUP BY Machine ORDER BY Hits DESC"  -i:W3C -o:CSV


It doesn't throw a message; it just stays on screen forever.

Am I missing something here?

Please advise.

Thanks.
akohan Asked:
Dan McFadden, Systems Engineer, Commented:
On first look, the Log Parser option "-i:W3C" should be "-i:IISW3C".  I ran the same command on a test log, 169K entries, and it took 3 min 53 sec:

logparser -i:IISW3C  "SELECT c-ip As Machine, REVERSEDNS(c-ip) As Name, COUNT(*) As Hits  FROM 'C:\HTTPLogs\test\*.log'  GROUP BY Machine  ORDER BY Hits DESC "

I suggest running the command against a small log file as a test to ensure it's working for you.  Also, the test depends on your DNS cache for reverse name resolution.  The first run will be slow because your computer has to constantly do DNS queries, in addition to executing the log parser query against the log file(s).  If you start running this daily, the report may be a bit faster, on average.  My computer was analyzing about 720 log lines a second on the first run, but this depends on how much bandwidth your Internet connection has.

Here are a few links to good sites with examples:

1. http://mlichtenberg.wordpress.com/2011/02/03/log-parser-rocks-more-than-50-examples/
2. http://logparserplus.com/Examples
3. http://blogs.technet.com/b/karywa/archive/2013/06/05/log-parser-studio-write-your-first-query-in-less-than-30-seconds.aspx

Also, you should check out Log Parser Lizard (http://www.lizard-labs.net/log_parser_lizard.aspx) and Log Parser Studio (http://blogs.technet.com/b/exchange/archive/2013/06/17/log-parser-studio-2-2-is-now-available.aspx)... it gives you a GUI for Log Parser and
akohan (Author) Commented:
Thank you Dan!
So from what I understand, it is OK to query the IIS log files directly rather than copying them to a specific folder/path and running a query on them. Right?
akohan (Author) Commented:
Good tips.
Dan McFadden, Systems Engineer, Commented:
I tend to move the logs before I process them.  This does 2 things:

1. prevents the logs from using too much space on the volumes where they are saved
2. when querying them, the web server does not have to support the added pressure of serving up the files to the process that is accessing the logs

So, to save space and to not consume too much server resources, I move my logs.

If the web server does not have a lot of activity, then it is less of an issue.  If the web server (and sites) are very active, then I would never directly query the logs.

Dan
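
An alternative to calling REVERSEDNS inside the query, as an added example that is not part of the thread: let Log Parser count hits per client IP over the copied logs first, then do one reverse lookup per address in the result from PowerShell. The script parameters, the function name Resolve-ClientName and the report file name are assumptions; the log path is the one used in the first answer.

```powershell
# Added example (not from the thread). Parameter defaults are assumptions.
param(
    [string]$LogParser = '.\LogParser.exe',         # assumed location of Log Parser 2.2
    [string]$LogPath   = 'C:\HTTPLogs\test\*.log',  # copied logs, path from the first answer
    [int]$Top          = 25,                        # how many client IPs to resolve
    [string]$OutFile   = '.\hits-per-client.csv'    # hypothetical report name
)

# Pass 1: count hits per client IP. REVERSEDNS is left out of the query,
# so Log Parser performs no DNS lookups while it reads the logs.
$query = "SELECT TOP $Top c-ip AS Machine, COUNT(*) AS Hits " +
         "FROM '$LogPath' GROUP BY Machine ORDER BY Hits DESC"
$rows = & $LogParser -i:IISW3C -o:CSV -q:ON $query | ConvertFrom-Csv

# Pass 2: one reverse lookup per address in the result.
function Resolve-ClientName {
    param([string]$Ip)
    try   { [System.Net.Dns]::GetHostEntry($Ip).HostName }
    catch { '' }   # no PTR record, timeout or other lookup failure
}

$rows | Where-Object { $_.Machine } | ForEach-Object {
    [pscustomobject]@{
        Machine = $_.Machine
        # PTR names are set by whoever controls the address's reverse zone:
        # treat them as a hint, not as proof of who the client is.
        Name    = Resolve-ClientName $_.Machine
        Hits    = [int]$_.Hits
    }
} | Export-Csv -NoTypeInformation -Path $OutFile
```

The number of DNS queries is then bounded by `$Top` rather than by the size of the log set.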
Microsoft IIS Web Server
Question has a verified solution.