W3C Input Format Fields

The structure of the input records generated by the W3C input format is determined at run time, depending on the input data.

The first two input record fields are fixed, and they are described in the following table:

• If all the non-empty field values in the first n log entries are formatted as decimal numbers, then the field is assumed to be of the REAL type.
• If all the non-empty field values in the first n log entries are formatted as integer numbers, then the field is assumed to be of the INTEGER type.
• If all the non-empty field values in the first n log entries are formatted as timestamps in the "yyyy-MM-dd hh:mm:ss" format, then the field is assumed to be of the TIMESTAMP type. In particular, if a field value is formatted as a date in the "yyyy-MM-dd" format, then the value is returned as a date-only TIMESTAMP value. If the field value is formatted as a time of day in the "hh:mm:ss" format, then the value is returned as a time-only TIMESTAMP value.
• Otherwise, the field is assumed to be of the STRING type.

Empty values, represented by a hyphen (-) in the W3C Extended Log File Format, are returned as NULL values.

As an example, the following help command displays the input record structure determined by the W3C input format when parsing the specified Personal Firewall log file:

C:\>LogParser -h -i:W3C pfirewall.log

Fields:

  LogFilename (S)	 RowNumber (I)	 date (T)		 time (T)
  action (S)			protocol (S)		src-ip (S)	 dst-ip (S)
  src-port (I)		dst-port (I)		size (I)		 tcpflags (S)
  tcpsyn (I)			tcpack (I)		tcpwin (I)	 icmptype (S)
  icmpcode (S)		info (S)

© 2004 Microsoft Corporation. All rights reserved.