Log Parser

Records

Log Parser queries operate on records from an Input Format. Records are equivalent to rows in a SQL table, and Input Formats are equivalent to SQL tables containing the rows (data) you want to process.

Fields and Data Types

Each record generated by an Input Format is made up of a fixed number of fields (the columns in a SQL table), and each field is assigned a specific name and a specific data type; the data types supported by Log Parser are:

Fields in a record can only contain values of the data type assigned to the field or, when the data for that field is not available, the NULL value.

For example, let's consider the EVT Input Format, which produces a record for each event in the Windows Event Log.
Using the command-line executable, we can discover the structure of the records provided by this Input Format by typing the following help command:

C:\>LogParser -h -i:EVT

The output of this command gives a detailed overview of the EVT Input Format, including a "Fields" section describing the structure of the records produced:

Fields:
  EventLog (S)              RecordNumber (I)          TimeGenerated (T)
  TimeWritten (T)           EventID (I)               EventType (I)
  EventTypeName (S)         EventCategory (I)         EventCategoryName (S)
  SourceName (S)            Strings (S)               ComputerName (S)
  SID (S)                   Message (S)               Data (S)

From the output above, we understand that each record is made up of 15 fields, and that, for instance, the fourth field of each record is named "TimeWritten" and always contains values of the TIMESTAMP data type (or NULL when the value is not available).


Record Structure

Some Input Formats have a fixed structure for their records (like the EVT Input Format used in the example above, or the FS Input Format), but others can have different structures depending on the values specified for their parameters or on the files being parsed.

For instance, the NETMON Input Format, which parses NetMon capture files, has a parameter ("fMode") that can be used to specify how the records should be structured. We can see the different structures when we add this parameter to the help command for the NETMON format. The first example shows the fields exported by the NETMON Input Format when its "field mode" is set to "TCPIP" (each record is a single TCP/IP packet), and the second example shows the fields exported by the NETMON Input Format when its "field mode" is set to "TCPConn" (each record is a full TCP connection):

C:\>LogParser -h -i:NETMON -fMode:TCPIP

Fields:
 CaptureFilename (S)    Frame (I)      DateTime (T)      FrameBytes (I)
 SrcMAC (S)             SrcIP (S)      SrcPort (I)       DstMAC (S)
 DstIP (S)              DstPort (I)    IPVersion (I)     TTL (I)
 TCPFlags (S)           Seq (I)        Ack (I)           WindowSize (I)
 PayloadBytes (I)       Payload (S)    Connection (I)

C:\>LogParser -h -i:NETMON -fMode:TCPConn

Fields:
 CaptureFilename (S)          StartFrame (I)          EndFrame (I)
 Frames (I)                   DateTime (T)            TimeTaken (I)
 SrcMAC (S)                   SrcIP (S)               SrcPort (I)
 SrcPayloadBytes (I)          SrcPayload (S)          DstMAC (S)
 DstIP (S)                    DstPort (I)             DstPayloadBytes (I)
 DstPayload (S)


As another example, the CSV Input Format, which parses text files containing comma-separated values, creates its own structure by inspecting the input file for field names and types.
When using the help command with the CSV Input Format, the "Fields" section shows no information on the record structure:

C:\>LogParser -h -i:CSV

Fields:
 Field names and types are retrieved at runtime from the specified input file(s)

However, when we supply the name of a CSV file that, for instance, contains 2 fields ("LogDate" and "Message"), then we can see the structure of the records produced when parsing that file:

C:\>LogParser -h -i:CSV log.csv

Fields:
 Filename (S)       RowNumber (I)       LogDate (T)       Message (S)
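To make the runtime inference described above concrete, here is an added Python model (not Log Parser's own code) that derives a CSV file's record structure from the file's contents, prepends the fixed Filename and RowNumber fields, and turns empty cells into NULL rather than letting them demote a typed column to STRING. It assumes one fixed timestamp layout and the constructed sample file in the block; the EventID column extends the two-field example in the text.

```python
import csv
import io
from datetime import datetime

# Constructed stand-in for the "log.csv" of the text, extended with an
# EventID column; blank cells are data that is "not available".
SAMPLE_CSV = """LogDate,EventID,Message
2004-03-01 10:15:00,7036,Service started
2004-03-01 10:16:30,,
2004-03-01 10:17:05,4625,Logon failure for user admin
"""
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the sample

# Type codes as the -h output prints them, tried strictest first;
# a column none of them accepts is STRING (S).
CONVERTERS = (("I", int), ("R", float),
              ("T", lambda v: datetime.strptime(v, TS_FORMAT)))

def infer_type(values):
    """Pick one type for a column from its non-empty cells only, so a
    NULL (empty) cell never demotes an INTEGER column to STRING."""
    present = [v for v in values if v != ""]
    if not present:
        return "S"
    for code, conv in CONVERTERS:
        try:
            for v in present:
                conv(v)
            return code
        except ValueError:
            continue
    return "S"

def describe_structure(text):
    """Record structure as 'LogParser -h -i:CSV file' shows it: the fixed
    Filename (S) and RowNumber (I) fields, then one typed field per column."""
    header, *data = csv.reader(io.StringIO(text))
    columns = list(zip(*data)) if data else [()] * len(header)
    fields = [("Filename", "S"), ("RowNumber", "I")]
    return fields + [(name, infer_type(col)) for name, col in zip(header, columns)]

def read_records(filename, text):
    """Yield each row as a typed record; an empty cell becomes None (NULL)."""
    structure, conv = describe_structure(text), dict(CONVERTERS)
    header, *data = csv.reader(io.StringIO(text))
    for n, row in enumerate(data, start=1):
        record = {"Filename": filename, "RowNumber": n}
        for (name, code), cell in zip(structure[2:], row):
            record[name] = None if cell == "" else conv.get(code, str)(cell)
        yield record
```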


© 2004 Microsoft Corporation. All rights reserved.