LogParser - Tips and Tricks - Search for all the fieldnames available for a given input type

Sometimes while querying using LogParser, you might not be able to recall the field names and what they actually mean. Say for example, you are planning to analyze an IIS log file and you are not able to recall what is the field name for the column which tells you the Querystring that was used while accessing a page.

Here is what I would normally do to find out what exactly I am looking for...

Open Log Parser Help file which comes along with the installation. Now, go the "Search Tab" and type the following WITH/INCLUDING Quotes "IISW3C Input Format Fields". If you are looking for HTTPErr fields, just replace IISW3C with HTTPErr like... "HTTPERR Input Format Fields" and hit Enter.

Say, you remember each field's meaning but forgot the name of the field, here is what you can do from the command line to find out what are the fields supported for the specific Input type.

logparser -h -i:IISW3C

Go to the "Fields" section and look out for the Field which you were searching for! Here is what was displayed for the above command.

Fields:
  LogFilename (S)             LogRow (I)                  date (T)
  time (T)                    c-ip (S)                    cs-username (S)
  s-sitename (S)              s-computername (S)          s-ip (S)
  s-port (I)                  cs-method (S)               cs-uri-stem (S)
  cs-uri-query (S)            sc-status (I)               sc-substatus (I)
  sc-win32-status (I)         sc-bytes (I)                cs-bytes (I)
  time-taken (I)              cs-version (S)              cs-host (S)
  cs(User-Agent) (S)          cs(Cookie) (S)              cs(Referer) (S)
  s-event (S)                 s-process-type (S)          s-user-time (R)
  s-kernel-time (R)           s-page-faults (I)           s-total-procs (I)
  s-active-procs (I)          s-stopped-procs (I)

From the Help file I found the following about cs-uri-query
cs-uri-query - The HTTP request uri-query, or NULL if the requested URI did not include a uri-query 

Knowing these things will definitely help you to frame more robust queries using the Logparser.

Hope that helps!
Rahul

Comments

• Anonymous
  February 12, 2008
  PingBack from http://paxoblog.wordpress.com/2008/02/12/links-for-2008-02-12/

• Anonymous
  March 27, 2008
  Rahul, thanks for your entries on LogParser. I'm a fellow fan. Related to the challenge you describe above of finding available columns to query, note also that if you're pointing at some non-standard log file, where the -h won't tell you its available built-in columns, you can ask logparser to tell you the available columns by adding -queryinfo to the command. This can be especially valuable when there's some problem with the specification of the logfile to be read and perhaps an error/mistake has kept it finding the columns you think it should have found.

• Anonymous
  March 27, 2008
  Thanks for sharing that Charlie! I wasn't aware of it and I am sure it could be helpful.