-
- How do I specify yesterday’s date?
- You need to use the SUB function to subtract one day from the
current UTC timestamp returned by the SYSTEM_TIMESTAMP function.
The origin for TIMESTAMP values is January 1, year 0 at 00:00:00.
This means that a time span of one day is represented by the
timestamp for January 2, year 0 at 00:00:00, i.e. 24 hours after
the origin of time.
Use the following field-expression to specify yesterday’s date:
SUB ( SYSTEM_TIMESTAMP(), TIMESTAMP( '01-02', 'MM-dd' ) )
For more information, see the TIMESTAMP
Reference.
-
- How do I retrieve the event logs that have been
logged in the past 10 minutes?
- You need to use the SUB function to subtract 10 minutes from the
current UTC timestamp returned by the SYSTEM_TIMESTAMP function, and
convert this timestamp to local time using the TO_LOCALTIME function:
SELECT *
FROM System
WHERE TimeGenerated >= TO_LOCALTIME( SUB( SYSTEM_TIMESTAMP(), TIMESTAMP( '10', 'mm' ) ) )
-
- After parsing my IIS log files, I get a message
saying "There have been 4 parse errors." What causes this?
- Your log files are somehow malformed. This
might happen, for example, if a client requests a URL or specifies
a user name containing spaces. Log Parser cannot process that row
and skips it.
To see exactly what's going on, set the -e global switch to any value greater than
or equal to zero. This makes Log Parser stop the query execution
when that number of parse errors is encountered, and dump all the
messages of the parse errors that occurred.
For more information, see Errors, Parse
Errors, and Warnings.
-
- How do I change the column names in my output
file?
- Use the AS keyword in your SELECT clause to alias the
field.
For example:
SELECT Field1 AS newFieldName, Field2 AS newFieldName2, ...
-
- How do I combine the IISW3C "date" and "time"
fields into a single TIMESTAMP field?
- Use the TO_TIMESTAMP function, as in the
following example:
SELECT TO_TIMESTAMP(date, time), ...
-
- How do I split a single TIMESTAMP field into a
date-only field and a time-only field?
- Use the TO_DATE and TO_TIME functions, as in the following
example:
SELECT TO_DATE(myTimestamp), TO_TIME(myTimestamp), ...
For more information, see the TIMESTAMP
Reference.
-
- When I use a "SELECT *" on an IIS W3C Extended
log file, I get many fields with NULL values. What causes
this?
- The IISW3C input
format has 32 fields, which are all the possible fields that IIS
5.0 and IIS 6.0 can log. If your Web Server is configured to log
only a few of these fields, the IISW3C input format returns the
other field values as NULL values.
-
- I get an error saying "Unknown field XYZ" when
I execute my query. How do I fix this?
- If you have not specified an input format for
your query, Log Parser chooses one automatically based on the
<from-entity> in the FROM
clause of your query. In some cases, the input format might not be
the one you expect.
Try specifying the input format explicitly using the -i switch.
If you have specified the correct input format, make sure that you
have typed the field name correctly.
-
- I am trying to write a query that uses the IN
operator, but Log Parser keeps giving me errors. What am I doing
wrong?
- Make sure you are separating the values on the
right-side of the IN operator with the correct separator.
If the IN operator is comparing a single field-expression with a
list of values, separate the values with a semicolon (;), not with
a comma, as follows:
WHERE MyField IN ('VALUE1'; 'VALUE2'; 'VALUE3')
Different values for the same field-expression ("value-rows") are
separated by a semicolon; comma characters are used to separate
values within a single value-row.
For more information, see the IN Operator
Reference.
-
- When I execute a "SELECT *" on a log file, the
output records contain 2 extra fields that I can not find in the
log. What are these fields?
- Most of the input formats add some tracking
fields to the input records, such as the name of the file currently
parsed, and the row number currently parsed.
If you do not want these fields to appear in your output records,
do not use "SELECT *". Instead, specify only the field names that
you want, as in the following example:
SELECT Field1, Field2, Field3, ....
-
- I am developing an ASP or ASP.Net or Scheduled
Task application with Log Parser, and I'm having problems with
permissions. What can I do?
- The first step in troubleshooting these
problems is identifying the account under which Log Parser is
running. If you are developing an ASP or ASP.Net application, Log
Parser will run as the account of the user requesting the page. If
the request is anonymous, the account is the IIS Anonymous account;
if the request is authenticated, the account is the authenticated
user's account. If you are developing a Scheduled Task application,
the account is the account that you have specified for the
task.
Once the account has been identified, appropriate permissions must
be given for this account to access both the Log Parser binary and
the Dynamic Link Libraries that Log Parser depends to, which
include standard Windows libraries (e.g. "kernel32.dll",
"user32.dll", etc.) and a significant number of other libraries
(e.g. "WinInet.dll", "odbcint.dll", etc.).
Finally, appropriate permissions must be given for the account to
access the data that your application asks Log Parser to process.
These may include IIS log files, the Event Log, text files, and
whatever data you are processing.
Note: It is not a good security practice to change
system ACL's and permissions to grant user accounts access to
protected system resources. This is especially true if you are
developing an external-facing web application that uses Log Parser
to display information to the users. In these cases, consider
instead developing a Scheduled Task that runs under a "private"
account, and that generates at frequent intervals the web pages
that your application will display to the user.
-
- Can I use the Log Parser scriptable COM
components from a multi-threaded application?
- The Log Parser scriptable COM components are
registered to run within a single-threaded COM apartment, meaning
that the objects can be used from multiple threads, but
calls to the objects' methods will be serialized by the COM
infrastructure to guarantee that only one thread at a time can
access the components.