Many Log Parser output formats allow the user to specify
multiple files as the target to which output records are
written to.
This is achieved by using '*' wildcard characters in the filename
specified in the INTO clause; during
the execution of the query, the first fields in each output record
substitute the wildcard characters to determine the resulting
filename to which the output records with the remaining fields are
written.
In other words, this feature allows output records to be
multiplexed to different target files depending on the
values of the first fields in the output record.
To make an example, let's assume that we want to query the
Windows Event Log, and for each event source name, we want to
create a CSV text file containing all the
distinct event ID's generated by that source name.
The command would look like the following example:
LogParser "SELECT DISTINCT SourceName, EventID INTO Event_*.csv FROM System" -i:EVT -o:CSVFor each output record generated by this query, the "SourceName" field will be used to substitute the wildcard in the target filename, and the "EventID" field will be written to the CSV file with the resulting file name.
C:\>dir Volume in drive C has no label. Volume Serial Number is 49B5-4736 Directory of C: 07/19/2004 08:56 AM <DIR> . 07/19/2004 08:56 AM <DIR> .. 07/19/2004 08:56 AM 13 Event_Application Popup.csv 07/19/2004 08:56 AM 14 Event_Ati HotKey Poller.csv 07/19/2004 08:56 AM 23 Event_DCOM.csv 07/19/2004 08:56 AM 33 Event_Dhcp.csv 07/19/2004 08:56 AM 23 Event_DnsApi.csv 07/19/2004 08:56 AM 27 Event_EventLog.csv 07/19/2004 08:56 AM 12 Event_GEMPCC.csv 07/19/2004 08:56 AM 13 Event_i8042prt.csv 07/19/2004 08:56 AM 16 Event_Kerberos.csv 07/19/2004 08:56 AM 15 Event_NETLOGON.csv 07/19/2004 08:56 AM 15 Event_NtServicePack.csv 07/19/2004 08:56 AM 13 Event_Print.csv 07/19/2004 08:56 AM 23 Event_RemoteAccess.csv 07/19/2004 08:56 AM 14 Event_SCardSvr.csv 07/19/2004 08:56 AM 39 Event_Service Control Manager.csv 07/19/2004 08:56 AM 21 Event_Tcpip.csv 07/19/2004 08:56 AM 29 Event_W32Time.csv 07/19/2004 08:56 AM 14 Event_Win32k.csv 07/19/2004 08:56 AM 15 Event_Workstation.csv 19 File(s) 372 bytes 2 Dir(s) 34,340,712,448 bytes freeEach CSV file will contain the distinct event ID's generated by the event source:
C:\>type Event_Tcpip.csv EventID 4201 4202
There is no limit on the number of wildcard characters that can
be used in the target filenames.
We can modify the example above to generate a directory for
each event source name, and for each event ID generated by the
source, a CSV file containing the number of events logged with that
ID:
LogParser "SELECT SourceName, EventID, COUNT(*) AS Total INTO *\ID_*.csv FROM System GROUP BY SourceName, EventID" -i:EVT -o:CSVAfter the command execution is complete, we will have as many directories as the number of different event source names:
C:\>dir Volume in drive C has no label. Volume Serial Number is 49B5-4736 Directory of C: 07/19/2004 09:08 AM <DIR> . 07/19/2004 09:08 AM <DIR> .. 07/19/2004 09:08 AM <DIR> Application Popup 07/19/2004 09:08 AM <DIR> Ati HotKey Poller 07/19/2004 09:08 AM <DIR> DCOM 07/19/2004 09:08 AM <DIR> Dhcp 07/19/2004 09:08 AM <DIR> DnsApi 07/19/2004 09:08 AM <DIR> EventLog 07/19/2004 09:08 AM <DIR> GEMPCC 07/19/2004 09:08 AM <DIR> i8042prt 07/19/2004 09:08 AM <DIR> Kerberos 07/19/2004 09:08 AM <DIR> NETLOGON 07/19/2004 09:08 AM <DIR> NtServicePack 07/19/2004 09:08 AM <DIR> Print 07/19/2004 09:08 AM <DIR> RemoteAccess 07/19/2004 09:08 AM <DIR> SCardSvr 07/19/2004 09:08 AM <DIR> Service Control Manager 07/19/2004 09:08 AM <DIR> Tcpip 07/19/2004 09:08 AM <DIR> W32Time 07/19/2004 09:08 AM <DIR> Win32k 07/19/2004 09:08 AM <DIR> Workstation 0 File(s) 0 bytes 21 Dir(s) 34,340,712,448 bytes freeEach directory will contain as many CSV output files as the number of different event ID's logged by the event source:
C:\>dir DCOM Volume in drive C has no label. Volume Serial Number is 49B5-4736 Directory of C:\DCOM 07/19/2004 09:08 AM <DIR> . 07/19/2004 09:08 AM <DIR> .. 07/19/2004 09:08 AM 10 ID_10002.csv 07/19/2004 09:08 AM 10 ID_10010.csvEach CSV output file will contain the number of events logged with the event ID:
C:\>type DCOM\ID_10010.csv Total 2
Following is a list of the output formats that support the
"multiplex" feature:
© 2004 Microsoft Corporation. All rights reserved.