Multiplexing Output Records

Many Log Parser output formats allow the user to specify multiple files as the target to which output records are written.
This is achieved by using '*' wildcard characters in the filename specified in the INTO clause; during the execution of the query, the values of the first fields in each output record are substituted for the wildcard characters to determine the resulting filename, and the remaining fields of the record are written to that file.
In other words, this feature allows output records to be multiplexed to different target files depending on the values of the first fields in the output record.

As an example, let's assume that we want to query the Windows Event Log, and for each event source name, we want to create a CSV text file containing all the distinct event IDs generated by that source name.
The command would look like the following example:

LogParser "SELECT DISTINCT SourceName, EventID INTO Event_*.csv FROM System" -i:EVT -o:CSV

For each output record generated by this query, the "SourceName" field will be used to substitute the wildcard in the target filename, and the "EventID" field will be written to the CSV file with the resulting file name.
After the command execution is complete, we will have as many CSV output files as the number of different event source names:

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 49B5-4736

 Directory of C:

07/19/2004  08:56 AM    <DIR>          .
07/19/2004  08:56 AM    <DIR>          ..
07/19/2004  08:56 AM                13 Event_Application Popup.csv
07/19/2004  08:56 AM                14 Event_Ati HotKey Poller.csv
07/19/2004  08:56 AM                23 Event_DCOM.csv
07/19/2004  08:56 AM                33 Event_Dhcp.csv
07/19/2004  08:56 AM                23 Event_DnsApi.csv
07/19/2004  08:56 AM                27 Event_EventLog.csv
07/19/2004  08:56 AM                12 Event_GEMPCC.csv
07/19/2004  08:56 AM                13 Event_i8042prt.csv
07/19/2004  08:56 AM                16 Event_Kerberos.csv
07/19/2004  08:56 AM                15 Event_NETLOGON.csv
07/19/2004  08:56 AM                15 Event_NtServicePack.csv
07/19/2004  08:56 AM                13 Event_Print.csv
07/19/2004  08:56 AM                23 Event_RemoteAccess.csv
07/19/2004  08:56 AM                14 Event_SCardSvr.csv
07/19/2004  08:56 AM                39 Event_Service Control Manager.csv
07/19/2004  08:56 AM                21 Event_Tcpip.csv
07/19/2004  08:56 AM                29 Event_W32Time.csv
07/19/2004  08:56 AM                14 Event_Win32k.csv
07/19/2004  08:56 AM                15 Event_Workstation.csv
              19 File(s)            372 bytes
               2 Dir(s)  34,340,712,448 bytes free

Each CSV file will contain the distinct event IDs generated by the event source:

C:\>type Event_Tcpip.csv
EventID
4201
4202

There is no limit on the number of wildcard characters that can be used in the target filenames.
We can modify the example above to generate a directory for each event source name, and for each event ID generated by the source, a CSV file containing the number of events logged with that ID:

LogParser "SELECT SourceName, EventID, COUNT(*) AS Total INTO *\ID_*.csv FROM System GROUP BY SourceName, EventID" -i:EVT -o:CSV

After the command execution is complete, we will have as many directories as the number of different event source names:

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 49B5-4736

 Directory of C:

07/19/2004  09:08 AM    <DIR>          .
07/19/2004  09:08 AM    <DIR>          ..
07/19/2004  09:08 AM    <DIR>          Application Popup
07/19/2004  09:08 AM    <DIR>          Ati HotKey Poller
07/19/2004  09:08 AM    <DIR>          DCOM
07/19/2004  09:08 AM    <DIR>          Dhcp
07/19/2004  09:08 AM    <DIR>          DnsApi
07/19/2004  09:08 AM    <DIR>          EventLog
07/19/2004  09:08 AM    <DIR>          GEMPCC
07/19/2004  09:08 AM    <DIR>          i8042prt
07/19/2004  09:08 AM    <DIR>          Kerberos
07/19/2004  09:08 AM    <DIR>          NETLOGON
07/19/2004  09:08 AM    <DIR>          NtServicePack
07/19/2004  09:08 AM    <DIR>          Print
07/19/2004  09:08 AM    <DIR>          RemoteAccess
07/19/2004  09:08 AM    <DIR>          SCardSvr
07/19/2004  09:08 AM    <DIR>          Service Control Manager
07/19/2004  09:08 AM    <DIR>          Tcpip
07/19/2004  09:08 AM    <DIR>          W32Time
07/19/2004  09:08 AM    <DIR>          Win32k
07/19/2004  09:08 AM    <DIR>          Workstation
               0 File(s)              0 bytes
              21 Dir(s)  34,340,712,448 bytes free

Each directory will contain as many CSV output files as the number of different event IDs logged by the event source:

C:\>dir DCOM
 Volume in drive C has no label.
 Volume Serial Number is 49B5-4736

 Directory of C:\DCOM

07/19/2004  09:08 AM    <DIR>          .
07/19/2004  09:08 AM    <DIR>          ..
07/19/2004  09:08 AM                10 ID_10002.csv
07/19/2004  09:08 AM                10 ID_10010.csv

Each CSV output file will contain the number of events logged with the event ID:

C:\>type DCOM\ID_10010.csv
Total
2
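
The substitution rule described above, modelled in Python as an added example (not Log Parser code and not part of the original page): each '*' in the INTO template consumes one leading field, and the remaining fields are written as CSV columns. The `multiplex` function, the sample records and the rejection of field values containing path characters are assumptions of this example, not documented Log Parser behaviour.

```python
import csv
import tempfile
from pathlib import Path

FIELDS = ("SourceName", "EventID", "Total")
# Constructed sample records, not real event log data.
RECORDS = [("DCOM", 10002, 1), ("DCOM", 10010, 2),
           ("Tcpip", 4201, 3), ("Tcpip", 4202, 1)]


def multiplex(template, fields, records, out_dir):
    """Route each record to a CSV file named by its leading field values.

    Every '*' in template consumes one leading field; the remaining fields
    become the CSV columns. Returns {relative path: data rows written}.
    """
    parts = template.replace("\\", "/").split("*")
    n = len(parts) - 1                      # number of wildcards
    if n >= len(fields):
        raise ValueError("no fields left to write after substitution")
    root = Path(out_dir)
    written = {}
    for rec in records:
        keys = [str(v) for v in rec[:n]]
        for key in keys:
            # Precaution of this example (an assumption, not documented Log
            # Parser behaviour): a value may not add path components.
            if key in ("", ".", "..") or any(c in key for c in '\\/:*'):
                raise ValueError(f"unsafe filename component: {key!r}")
        rel = parts[0] + "".join(k + p for k, p in zip(keys, parts[1:]))
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        first = rel not in written
        with path.open("w" if first else "a", newline="") as fh:
            out = csv.writer(fh)
            if first:
                out.writerow(fields[n:])    # header lists unconsumed fields only
            out.writerow(rec[n:])
        written[rel] = written.get(rel, 0) + 1
    return written


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, rows in multiplex("*\\ID_*.csv", FIELDS, RECORDS, tmp).items():
            print(rel, rows)
```

With the template `Event_*.csv` and two-field records, the same function reproduces the first example: one file per source name, each holding only the EventID column.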

Following is a list of the output formats that support the "multiplex" feature:


© 2004 Microsoft Corporation. All rights reserved.