Query Execution Mode

"Query Execution Mode" is the default operational mode of the Log Parser command-line executable.
In this mode, Log Parser is used to execute queries reading input records from an input format and writing output records to an output format.

The general syntax of commands in query execution mode is:

LogParser [ -i:<input_format> ] [ <input_format_options> ] [ -o:<output_format> ] [ <output_format_options> ] <SQL query> | file:<query_filename>[?param1=value1+...] [ <global_switches> ] [ -queryInfo ]
-i:<input_format>
Specifies the input format for the query.
The "-i:" switch is followed by the name of the selected input format, as in the following example:
C:\>LogParser -i:IISW3C "SELECT * FROM extend1.log"
When an input format is not specified, Log Parser will attempt to select automatically an input format upon inspection of the <from-entity> in the FROM clause. For example, "System" suggests the use of the EVT Input Format, while "ex040302.log" suggests the use of the IISW3C Input Format.
If the <from-entity> does not suggest a specific input format, the TextLine Input Format will be selected by default.
<input_format_options>
Specify values for input format parameters.
These are entered as switches with names matching the input format's parameter names, followed by a colon and by the value for the parameter, as in the following examples:
C:\>LogParser -i:IISW3C -iCodepage:932 -iCheckpoint:MyCheckpoint.lpc "SELECT * FROM extend1.log" 
C:\>LogParser -i:EVT -binaryFormat:ASC "SELECT * FROM System" 
Parameter values containing spaces must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -i:EVT -stringsSep:"MY SEPARATOR" "SELECT * FROM System" 
For more information on input format parameters, refer to the Input Format Reference.
-o:<output_format>
Specifies the output format for the query.
The "-o:" switch is followed by the name of the selected output format, as in the following example:
C:\>LogParser -o:CSV "SELECT * FROM System"
When an output format is not specified, Log Parser will attempt to select automatically an output format upon inspection of the <into-entity> in the INTO clause. For example, "chart.gif" suggests the use of the CHART Output Format, while "MyFile.csv" suggests the use of the CSV Output Format.
If the <into-entity> does not suggest a specific output format, or the query does not specify an INTO clause, the NAT Output Format will be selected by default.
<output_format_options>
Specify values for output format parameters.
These are entered as switches with names matching the output format's parameter names, followed by a colon and by the value for the parameter, as in the following examples:
C:\>LogParser -o:NAT -rtp:-1 -fileMode:1 "SELECT * FROM System" 
C:\>LogParser -o:CSV -tabs:ON "SELECT * FROM System" 
Parameter values containing spaces must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -o:CHART -chartTitle:"Page Hits per Day" "SELECT date, COUNT(*) FROM extend1.log GROUP BY date" 
For more information on output format parameters, refer to the Output Format Reference.
<SQL query>
Specifies the text of the Log Parser SQL-Like query.
Since a query always contains spaces, the text of the query must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser "SELECT * FROM System"
Alternatively, a query can be specified through a text file with the "file:" switch, as shown in the next section.
Commands containing both a query text argument and a "file:" switch are considered illegal and return an error.
file:<query_filename>[?param1=value1+...]
Specifies the name of a text file containing a Log Parser SQL-Like query.
The text file specified must contain a valid query in the Log Parser SQL-Like language. Multiple spaces, comments, and new-line characters in the text file are ignored, allowing the query text to be formatted as desired for readability.
The following example shows an example content of a query text file:
SELECT   TimeGenerated,
		 EXTRACT_TOKEN(ResolvedSid, 1, '\\') AS Username -- only the 'username' portion
/* We want to retrieve the full user name
*/
USING	RESOLVE_SID(Sid) AS ResolvedSid
FROM	 Security
The following example shows how the query is executed, assuming that the query text has been saved to a file named "MyQuery.sql":
C:\>LogParser -i:EVT file:Myquery.sql
Query text files can include parameters, which are substituted at runtime with user-supplied text or environment variable values.
Parameters are user-defined names in the query text enclosed within percent characters (%), such as "%MyParameter%".
When issuing a Log Parser command to execute a query text file containing parameters, users can specify the values of the parameters by appending the question-mark character (?) to the query filename, followed by a list of pairs in the form of "parameter_name=parameter_value", separated by the plus character (+).
For example, the following query contains two parameters:
SELECT EventID
FROM   %InputEventLog%
WHERE  SourceName = '%InputSourceName%'
The following example command executes the query substituting user-supplied values for the parameters:
C:\>LogParser -i:EVT file:Myquery.sql?InputEventLog=System+InputSourceName=EventLog
If a parameter name or value contains spaces, the name or value must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -i:EVT file:Myquery.sql?InputEventLog=System+InputSourceName="Service Control Manager"
If the value of a query text file parameter is not supplied by the user, Log Parser will search for the parameter name in the current environment variable set. If an environment variable is found matching the parameter name, its value will be substituted for the parameter; otherwise, the parameter name is left as-is in the query text.

The text of the query can also be specified directly as a command-line argument, as shown in the previous section.
Commands containing both a query text argument and a "file:" switch are considered illegal and return an error.

<global_switches>
Global switches control overall behaviors of the command, such as error handling and command statistics verbosity.
For more information on global switches, refer to the Global Switches Reference.
-queryInfo
Displays diagnostic information about the command.
When "-queryInfo" is specified, the command is not executed, and the following diagnostic information is displayed to the console window: This information can be used to troubleshoot a variety of problems, including unexpected query execution results, and query parameter subtitution.

The following example uses the "-queryInfo" switch to display diagnostic information about the specified command:

C:\>LogParser "SELECT TO_UTCTIME(TimeGenerated) AS UTCTimeGenerated, SourceName FROM System WHERE EventID > 20" -queryInfo
The output of this command is:
Query:
 SELECT TO_UTCTIME([TimeGenerated]) AS UTCTimeGenerated, [SourceName]
 FROM System
 WHERE [EventID] > ANY (20)

Formats selected:
 Input format:  EVT (Windows Event Log)
 Output format: NAT (Native Format)

Query fields:
  UTCTimeGenerated (T)			SourceName (S)

See also:

Command-Line Operation Reference
Global Switches Reference
Commands and Queries

© 2004 Microsoft Corporation. All rights reserved.