W3C Input Format Fields
The structure of the input records generated by the W3C input format is determined at run time, depending on the input data.
The first two input record fields are fixed, and they are described in the following table:
Name | Type | Description |
---|---|---|
LogFilename | STRING | Full path of the log file containing this entry |
RowNumber | INTEGER | Line in the log file containing this entry |
The data type of each field extracted from the input data is determined by examining the first n log entries, where n is the value specified for the dtLines parameter, in the following way:
- If all the non-empty field values in the first n log entries are formatted as decimal numbers, then the field is assumed to be of the REAL type.
- If all the non-empty field values in the first n log entries are formatted as integer numbers, then the field is assumed to be of the INTEGER type.
- If all the non-empty field values in the first n log entries are formatted as timestamps in the "yyyy-MM-dd hh:mm:ss" format, then the field is assumed to be of the TIMESTAMP type. In particular, if a field value is formatted as a date in the "yyyy-MM-dd" format, then the value is returned as a date-only TIMESTAMP value. If the field value is formatted as a time of day in the "hh:mm:ss" format, then the value is returned as a time-only TIMESTAMP value.
- Otherwise, the field is assumed to be of the STRING type.
Empty values, represented by a hyphen (-) in the W3C Extended Log File Format, are returned as NULL values.
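The inference rules above, as an added Python illustration (not Log Parser's own code, and not from the original page). The log sample is constructed, `dt_lines` stands in for the dtLines parameter, and two points are assumptions: integers are tested before decimals so that port-style fields come out as INTEGER, and a column with no non-empty values in the examined entries falls back to STRING.

```python
import re

# Constructed sample in W3C Extended Log File Format; "-" marks an empty value.
SAMPLE = """\
#Version: 1.0
#Fields: date time action src-ip src-port elapsed info
2024-01-05 10:00:01 DROP 192.0.2.10 51234 0.25 0
2024-01-05 10:00:02 DROP 192.0.2.11 - 1.5 0
2024-01-05 10:00:03 OPEN 192.0.2.12 443 2 retry
"""

INTEGER = re.compile(r"[+-]?\d+")
REAL = re.compile(r"[+-]?(\d+\.\d*|\.\d+|\d+)")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?|\d{2}:\d{2}:\d{2}")

def parse(text):
    """Return (field names, rows); rows hold None where the log has '-'."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append([None if v == "-" else v for v in line.split()])
    return fields, rows

def infer_types(fields, rows, dt_lines):
    """Apply the page's rules to the first dt_lines entries only."""
    types = {}
    for i, name in enumerate(fields):
        seen = [r[i] for r in rows[:dt_lines] if r[i] is not None]
        if not seen:
            types[name] = "STRING"      # assumption: nothing to examine
        elif all(INTEGER.fullmatch(v) for v in seen):
            types[name] = "INTEGER"     # tested before REAL (assumption)
        elif all(REAL.fullmatch(v) for v in seen):
            types[name] = "REAL"
        elif all(TIMESTAMP.fullmatch(v) for v in seen):
            types[name] = "TIMESTAMP"
        else:
            types[name] = "STRING"
    return types

fields, rows = parse(SAMPLE)
for n in (2, 3):
    print(n, infer_types(fields, rows, n))
```

With two entries examined the `info` field is inferred as INTEGER, and with three it becomes STRING, so a dtLines value that is too small for a log whose early entries are not representative yields a type that later values do not fit.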
As an example, the following help command displays the input record structure determined by the W3C input format when parsing the specified Personal Firewall log file:
C:\>LogParser -h -i:W3C pfirewall.log
The structure displayed by this help command will be:
Fields: LogFilename (S) RowNumber (I) date (T) time (T) action (S) protocol (S) src-ip (S) dst-ip (S) src-port (I) dst-port (I) size (I) tcpflags (S) tcpsyn (I) tcpack (I) tcpwin (I) icmptype (S) icmpcode (S) info (S)