Query Execution Mode
"Query Execution Mode" is the default operational mode of the Log Parser
command-line executable.
In this mode, Log Parser is used to execute queries reading input records from an input
format and writing output records to an output format.
The general syntax of commands in query execution mode is:
LogParser |
|
- -i:<input_format>
Specifies the input format for the query.
The "-i:" switch is followed by the name of the selected input format, as in the following example:
C:\>LogParser -i:IISW3C "SELECT * FROM extend1.log"
When an input format is not specified, Log Parser will attempt to select automatically an input format upon inspection of the <from-entity> in the FROM clause. For example, "System" suggests the use of the EVT Input Format, while "ex040302.log" suggests the use of the IISW3C Input Format.
If the <from-entity> does not suggest a specific input format, the TextLine Input Format will be selected by default.
- <input_format_options>
Specify values for input format parameters.
These are entered as switches with names matching the input format's parameter names, followed by a colon and by the value for the parameter, as in the following examples:
C:\>LogParser -i:IISW3C -iCodepage:932 -iCheckpoint:MyCheckpoint.lpc "SELECT * FROM extend1.log"
C:\>LogParser -i:EVT -binaryFormat:ASC "SELECT * FROM System"
Parameter values containing spaces must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -i:EVT -stringsSep:"MY SEPARATOR" "SELECT * FROM System"
For more information on input format parameters, refer to the Input Format Reference.
- -o:<output_format>
Specifies the output format for the query.
The "-o:" switch is followed by the name of the selected output format, as in the following example:
C:\>LogParser -o:CSV "SELECT * FROM System"
When an output format is not specified, Log Parser will attempt to select automatically an output format upon inspection of the <into-entity> in the INTO clause. For example, "chart.gif" suggests the use of the CHART Output Format, while "MyFile.csv" suggests the use of the CSV Output Format.
If the <into-entity> does not suggest a specific output format, or the query does not specify an INTO clause, the NAT Output Format will be selected by default.
- <output_format_options>
Specify values for output format parameters.
These are entered as switches with names matching the output format's parameter names, followed by a colon and by the value for the parameter, as in the following examples:
C:\>LogParser -o:NAT -rtp:-1 -fileMode:1 "SELECT * FROM System"
C:\>LogParser -o:CSV -tabs:ON "SELECT * FROM System"
Parameter values containing spaces must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -o:CHART -chartTitle:"Page Hits per Day" "SELECT date, COUNT(*) FROM extend1.log GROUP BY date"
For more information on output format parameters, refer to the Output Format Reference.
- <SQL query>
Specifies the text of the Log Parser SQL-Like query.
Since a query always contains spaces, the text of the query must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser "SELECT * FROM System"
Alternatively, a query can be specified through a text file with the "file:" switch, as shown in the next section.
Commands containing both a query text argument and a "file:" switch are considered illegal and return an error.
- file:<query_filename>[?param1=value1+...]
Specifies the name of a text file containing a Log Parser SQL-Like query.
The text file specified must contain a valid query in the Log Parser SQL-Like language. Multiple spaces, comments, and new-line characters in the text file are ignored, allowing the query text to be formatted as desired for readability.
The following example shows an example content of a query text file:
SELECT TimeGenerated,
       EXTRACT_TOKEN(ResolvedSid, 1, '\\') AS Username -- only the 'username' portion
/* We want to retrieve the full user name */
USING RESOLVE_SID(Sid) AS ResolvedSid
FROM Security
The following example shows how the query is executed, assuming that the query text has been saved to a file named "MyQuery.sql":
C:\>LogParser -i:EVT file:Myquery.sql
Query text files can include parameters, which are substituted at runtime with user-supplied text or environment variable values.
Parameters are user-defined names in the query text enclosed within percent characters (%), such as "%MyParameter%".
When issuing a Log Parser command to execute a query text file containing parameters, users can specify the values of the parameters by appending the question-mark character (?) to the query filename, followed by a list of pairs in the form of "parameter_name=parameter_value", separated by the plus character (+).
For example, the following query contains two parameters:
SELECT EventID FROM %InputEventLog% WHERE SourceName = '%InputSourceName%'
The following example command executes the query substituting user-supplied values for the parameters:
C:\>LogParser -i:EVT file:Myquery.sql?InputEventLog=System+InputSourceName=EventLog
If a parameter name or value contains spaces, the name or value must be enclosed within double-quote characters ("), as in the following example:
C:\>LogParser -i:EVT file:Myquery.sql?InputEventLog=System+InputSourceName="Service Control Manager"
If the value of a query text file parameter is not supplied by the user, Log Parser will search for the parameter name in the current environment variable set. If an environment variable is found matching the parameter name, its value will be substituted for the parameter; otherwise, the parameter name is left as-is in the query text.
The text of the query can also be specified directly as a command-line argument, as shown in the previous section.
Commands containing both a query text argument and a "file:" switch are considered illegal and return an error.
- <global_switches>
Global switches control overall behaviors of the command, such as error handling and
command statistics verbosity.
For more information on global switches, refer to the Global Switches Reference.
- -queryInfo
Displays diagnostic information about the command.
When "-queryInfo" is specified, the command is not executed, and the following diagnostic information is displayed to the console window:
  - The text of the provided query, after being parsed and interpreted by the Log Parser SQL-Like engine core;
  - Names of the input and output formats selected;
  - Structure of the query output records, including field names and field data types.
The following example uses the "-queryInfo" switch to display diagnostic information about the specified command:
C:\>LogParser "SELECT TO_UTCTIME(TimeGenerated) AS UTCTimeGenerated, SourceName FROM System WHERE EventID > 20" -queryInfo
The output of this command is:
Query:
SELECT TO_UTCTIME([TimeGenerated]) AS UTCTimeGenerated, [SourceName]
FROM System
WHERE [EventID] > ANY (20)

Formats selected:
Input format: EVT (Windows Event Log)
Output format: NAT (Native Format)

Query fields:
UTCTimeGenerated (T) SourceName (S)
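The parameter rules given above for query text files (user-supplied value first, then an environment variable of the same name, otherwise the name is left as-is) mean that a value can reach the query from a source the operator did not intend. The following is an added example, not part of the Log Parser documentation: a Python pre-flight check that models those rules and builds the "file:" argument only when every parameter resolves to a reviewed value. Parameter names made of word characters, the value allowlist and the sample environment are assumptions of this example.

```python
import re

PARAM = re.compile(r"%(\w+)%")          # assumption: parameter names are word characters
SAFE_VALUE = re.compile(r"[\w .\-]+")   # constructed allowlist; tune it per query

def resolve(query_text, supplied, env):
    """Apply the documented precedence and record where each value came from."""
    sources = {}
    def substitute(match):
        name = match.group(1)
        if name in supplied:
            sources[name] = "user"
            return supplied[name]
        if name in env:
            sources[name] = "environment"
            return env[name]
        sources[name] = "unresolved"    # the name is left as-is in the query text
        return match.group(0)
    return PARAM.sub(substitute, query_text), sources

def build_file_arg(query_file, query_text, supplied, env):
    """Build the file: argument, refusing values that need review first."""
    _, sources = resolve(query_text, supplied, env)
    for name, source in sources.items():
        if source == "unresolved":
            raise ValueError(f"%{name}% has no value and would stay in the query")
        value = supplied[name] if source == "user" else env[name]
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"value for {name} is outside the allowlist")
    unknown = set(supplied) - set(sources)
    if unknown:
        raise ValueError(f"not used by the query: {sorted(unknown)}")
    # Quote values containing spaces, as the command-line syntax requires.
    pairs = [f'{n}="{v}"' if " " in v else f"{n}={v}" for n, v in supplied.items()]
    return f"file:{query_file}" + ("?" + "+".join(pairs) if pairs else "")

# Query text from the example above; the environment dictionary is constructed.
QUERY = "SELECT EventID FROM %InputEventLog% WHERE SourceName = '%InputSourceName%'"
ENV = {"InputEventLog": "Security"}

if __name__ == "__main__":
    # InputEventLog is not supplied here, so it is taken from the environment.
    print(resolve(QUERY, {"InputSourceName": "EventLog"}, ENV))
    print(build_file_arg("Myquery.sql", QUERY,
                         {"InputEventLog": "System",
                          "InputSourceName": "Service Control Manager"}, ENV))
```

The "environment" entries in the report are the ones to review, since the command line alone does not show which log or literal the query will use.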
See also:
Command-Line Operation Reference
Global Switches Reference
Commands and Queries