Monday, November 19, 2012

How to use LogParser for Windows

LogParser is a powerful Windows tool for querying IIS logs and other log sources.
It has input-format settings specific to the various kinds of logs.

Sites with information:

http://technet.microsoft.com/pt-br/library/cc779255(v=ws.10).aspx
http://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx
http://support.microsoft.com/kb/910447
http://en.wikipedia.org/wiki/Logparser

Various LogParser examples:

LogParser command
==> CSV
logparser "SELECT Count(EventID) AS Contador, ComputerName, EventID, EventTypeName, to_string(TimeGenerated,'yyyy-MM-dd hh:mm') AS DateEvent, Strings from *.evt to EventViewerVDFAPPs_v2.csv WHERE TimeGenerated > timestamp('01-03-2011', 'dd-MM-yyyy') AND Strings like '%Fail to obtain widget menu%' GROUP BY ComputerName, EventID, EventTypeName, DateEvent, Strings ORDER BY DateEvent Desc" -o:CSV
==> XML
logparser "SELECT Count(EventID) AS Contador, ComputerName, EventID, EventTypeName, to_string(TimeGenerated,'yyyy-MM-dd hh:mm') AS DateEvent, Strings from *.evt to EventViewerVDFAPPs_v2.xml WHERE TimeGenerated > timestamp('01-03-2011', 'dd-MM-yyyy') AND Strings like '%exception%' GROUP BY ComputerName, EventID, EventTypeName, DateEvent, Strings ORDER BY DateEvent Desc" -o:XML


-- PPI: Command for IIS log files, to catch web-service calls that returned 500 errors
logparser "SELECT * FROM *.log to pires500.csv WHERE TEXT LIKE '%GETGROUPGRANTEDKEYS%' AND TEXT LIKE '% 500 %' " -o:csv
logparser "SELECT ComputerName, EventId, EventType, SourceName, count(*) From 'STG-ASVR-*.Application.evt' to 'EventLogResult.csv' group by computername, eventId, EventType, SourceName Order By computername, eventtype, eventid" -o:CSV
logparser "SELECT ComputerName, to_string(TimeGenerated,'yyyy-MM-dd') as Day, EventTypeName, count(*) From 'STG-ASVR-*.Application.evt' to 'EventLogResult.csv' group by computername, Day, EventTypeName Order By computername, Day, eventtypeName" -o:CSV

-- PPI: Get the Event Viewer data for event 16571 (CCSKIPS) into a CSV
logparser "SELECT Count(EventID) AS Contador, ComputerName, EventID, EventTypeName, to_string(TimeGenerated,'yyyy-MM-dd hh:mm') AS DateEvent from mon-asvr-*_App.evt to EventViewerMON_ASVR.csv WHERE EventID = 16571 GROUP BY ComputerName, EventID, EventTypeName, DateEvent ORDER BY DateEvent Desc" -o:CSV
-- PPI: Get data within a given period
logparser "SELECT ComputerName, EventID, EventTypeName, Strings, to_string(TimeGenerated,'yyyy-MM-dd hh:mm') AS DateEvent from CAX-DSVR-02_App.evt WHERE TimeGenerated < timestamp('30-09-2008','dd-MM-yyyy') AND TimeGenerated > timestamp('20-09-2008', 'dd-MM-yyyy') GROUP BY ComputerName, EventID, EventTypeName, Strings, DateEvent ORDER BY DateEvent Desc"

-- PPI: Also get the Strings data (without the Enter/line break; the character still has to be found)
logparser "SELECT ComputerName, EventID, EventTypeName, to_string(TimeGenerated,'yyyy-MM-dd hh:mm') AS DateEvent, REPLACE_CHR(Message, '£', '') AS Message from CAX-DSVR-02_App.evt to Pesquisa.csv WHERE TimeGenerated < timestamp('30-09-2008','dd-MM-yyyy') AND TimeGenerated > timestamp('20-09-2008', 'dd-MM-yyyy') GROUP BY ComputerName, EventID, EventTypeName, Message, DateEvent ORDER BY DateEvent Desc" -o:CSV

-- PPI: Get data from the servers
logparser "SELECT ComputerName, EventId, EventTypeName, to_string(TimeGenerated, 'yyyy-MM-dd hh:mm') AS EventDate, Count(1) as CountEvents FROM EventLog_20081015.evt where EventId = 14206 GROUP BY ComputerName, EventID, EventTypeName, EventDate ORDER BY EventDate DESC"

-- PPI: Looking for IP
logparser "SELECT ComputerName, EventId, EventTypeName, to_string(TimeGenerated, 'yyyy-MM-dd hh:mm') AS EventDate, Count(1) as CountEvents FROM EventLog_20081015.evt where EventId = 14206 and Strings like '%10.193.219.107%' GROUP BY ComputerName, EventID, EventTypeName, EventDate ORDER BY EventDate DESC"
logparser "SELECT ComputerName, EventId, EventTypeName, to_string(TimeGenerated, 'yyyy-MM-dd hh:mm') AS EventDate, Count(1) as CountEvents FROM EventLog_20081015.evt where EventId = 14206 and Strings not like '%10.193.219.107%' GROUP BY ComputerName, EventID, EventTypeName, EventDate ORDER BY EventDate DESC"

-- PPI: For a given EventID
logparser "SELECT UserName, ComputerName, EventId, EventTypeName, to_string(TimeGenerated, 'yyyy-MM-dd hh:mm') AS EventDate FROM *.evt to 'EventsSFB01_12994' where EventId = 12994 ORDER BY EventDate DESC" -o:csv
logparser "SELECT ComputerName, EventId, EventTypeName, to_string(TimeGenerated, 'yyyy-MM-dd hh:mm') AS EventDate, Count(1) as CountEvents FROM *.evt to 'EventsSFB01_12994' where EventId = 12994 GROUP BY ComputerName, EventID, EventTypeName, EventDate ORDER BY EventDate DESC" -o:csv

-- PPI: To get an XML list of the lines containing a given string in IIS logs
LogParser -i:TEXTLINE "SELECT * FROM \\Alfr-log-01\LogsConsolidation\Repository\W3C3\*.log WHERE Text like '%PromoFriends.jpg%'" -o:xml > C:\Oper\LogParser\WIDGETS\PromoFriends2.xml
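The commands above are one-off queries with the paths and dates edited into each query by hand. The following PowerShell wrapper is an added example, not part of the original post, that parameterises the two recurring patterns (HTTP 500s in IIS logs and event-log counts inside a time window) for LogParser 2.2. It assumes logparser.exe is on the PATH, that the IIS logs are in W3C format (the IISW3C input format), and that the .evt files are readable by the EVT input format; the paths are placeholders.

```powershell
# Added example, not from the original post. Wraps LogParser 2.2 so that paths and the
# time window are parameters instead of values edited into the query each time.
# Assumes logparser.exe on PATH; IIS logs in W3C format; .evt files readable by -i:EVT.
param(
    [string]$IisLogPath = 'C:\inetpub\logs\LogFiles\W3SVC1\*.log',  # placeholder path
    [string]$EvtPath    = '*.evt',                                   # placeholder path
    [datetime]$From     = (Get-Date).AddDays(-7),
    [datetime]$To       = (Get-Date),
    [string]$OutDir     = '.'
)

$fmt  = 'yyyy-MM-dd hh:mm:ss'    # LogParser's default timestamp format
$from = $From.ToString($fmt)
$to   = $To.ToString($fmt)

# 1) IIS: HTTP 500 responses per URI and client IP inside the window.
#    sc-status is a typed integer field in IISW3C, so comparing it directly avoids the
#    false matches that TEXT LIKE '% 500 %' gives when "500" appears in a query string
#    or in time-taken. The MIN/MAX timestamps show whether the errors came in a burst.
$iisQuery = @"
SELECT cs-uri-stem, c-ip, COUNT(*) AS Hits,
       MIN(TO_TIMESTAMP(date, time)) AS FirstSeen,
       MAX(TO_TIMESTAMP(date, time)) AS LastSeen
FROM '$IisLogPath' TO '$OutDir\iis_500_by_uri_ip.csv'
WHERE sc-status = 500
  AND TO_TIMESTAMP(date, time) BETWEEN TIMESTAMP('$from', '$fmt') AND TIMESTAMP('$to', '$fmt')
GROUP BY cs-uri-stem, c-ip
ORDER BY Hits DESC
"@
& logparser.exe $iisQuery -i:IISW3C -o:CSV

# 2) Event log: Error/Warning events per computer, source, ID and hour inside the same
#    window. Bucketing by hour (instead of per minute as in the post) keeps one row per
#    repeating condition, so a sudden spike from one source stands out in the CSV.
#    LogParser separates IN-list values with ';' rather than ','.
$evtQuery = @"
SELECT ComputerName, SourceName, EventID, EventTypeName,
       TO_STRING(TimeGenerated, 'yyyy-MM-dd hh') AS Hour, COUNT(*) AS Events
FROM '$EvtPath' TO '$OutDir\evt_errors_by_hour.csv'
WHERE TimeGenerated BETWEEN TIMESTAMP('$from', '$fmt') AND TIMESTAMP('$to', '$fmt')
  AND EventTypeName IN ('Error event'; 'Warning event')
GROUP BY ComputerName, SourceName, EventID, EventTypeName, Hour
ORDER BY Events DESC
"@
& logparser.exe $evtQuery -i:EVT -o:CSV
```

Run it as `.\Query-Logs.ps1 -From '2008-09-20' -To '2008-09-30'` (script name assumed) to reproduce the post's date-window queries without editing the SQL.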
