Using Microsoft Log Parser 2.2 on Windows 2000 Advanced Server. I'm
searching the Application event log on a remote server for records
which contain the keywords "NTP" and "privilege" in the Description.
The following command works fine:

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%'"

What I need to do is use the WHERE clause to return records from
today's date, or a given date. Any suggestions on how I can add that
function in to the above command? Thanks in advance.

Re: Log Parser command question by Matthias

Matthias
Thu Jan 27 09:38:06 CST 2005

tron9901@msn.com wrote:
> Using Microsoft Log Parser 2.2 on Windows 2000 Advanced Server. I'm
> searching the Application event log on a remote server for records
> which contain the keywords "NTP" and "privilege" in the Description.
> The following command works fine:
>
> LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
> SourceName, Message FROM \\MyServer\Application WHERE Message Like
> '%NTP% %privilege%'"
>
> What I need to do is use the WHERE clause to return records from
> today's date, or a given date. Any suggestions on how I can add that
> function in to the above command? Thanks in advance.
>
Take a look at the help file LogParser.chm.

There is this example:

As another example, we might want to see all the events that have been
logged in the past 24 hours.
Translated into WHERE terms, this means that we only want to see records
whose "TimeWritten" field is greater than or equal the current local
time minus 1 day:

SELECT * FROM System
WHERE TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-02', 'yyyy-MM-dd') )

HTH

--
Gruesse Greetings Saludos Saluti Salutations
Matthias
---------+---------+---------+---------+---------+---------+---------+

Re: Log Parser command question by Kristofer

Kristofer
Thu Jan 27 09:49:11 CST 2005

Hi,

My answer will be based on the Log Parser 2.0 documentation.

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%' AND TimeGenerated > '2005-01-23'"

Note, the date I wrote is in a format I have. This may not be the same as
you have, so you might need to format it differently, or use the functions
available to format the date (see the documentation for more information).

--
Regards,
Kristofer Gafvert
www.gafvert.info - My Articles and help
www.ilopia.com


tron9901@msn.com wrote:

> Using Microsoft Log Parser 2.2 on Windows 2000 Advanced Server. I'm
> searching the Application event log on a remote server for records
> which contain the keywords "NTP" and "privilege" in the Description.
> The following command works fine:
>
> LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
> SourceName, Message FROM \\MyServer\Application WHERE Message Like
> '%NTP% %privilege%'"
>
> What I need to do is use the WHERE clause to return records from
> today's date, or a given date. Any suggestions on how I can add that
> function in to the above command? Thanks in advance.

Re: Log Parser command question by tron9901

tron9901
Thu Jan 27 11:30:12 CST 2005

AND TimeGenerated > '2005-01-23' works, although it has to include the
time in the format (yyyy-MM-dd hh:mm:ss).

So to add to my existing command the function of returning records from
today's date:

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%' AND TimeGenerated > '2005-01-27 00:00:01'"

If I want records from a date range (12/1/2004 through 12/2/2004), I
would use:

AND TimeGenerated > '2004-12-01 00:00:01' AND TimeGenerated <
'2004-12-03 00:00:01'

Thanks for your help!


Re: Log Parser command question by Dr

Dr
Thu Jan 27 17:22:56 CST 2005

JRS: In article <1106847011.984047.157740@f14g2000cwb.googlegroups.com>,
dated Thu, 27 Jan 2005 09:30:12, seen in
news:microsoft.public.scripting.vbscript, tron9901@msn.com posted:
>
>If I want records from a date range (12/1/2004 through 12/2/2004), I
>would use:
>
>AND TimeGenerated > '2004-12-01 00:00:01' AND TimeGenerated <
>'2004-12-03 00:00:01'

(a) Only if you are American
(b) and should be

AND TimeGenerated >= '2004-12-01 00:00:00' AND TimeGenerated <
'2004-12-03 00:00:00'

if you want exactly two full days.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
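The two filters discussed in this thread, written as Log Parser query files. This is an added example and not part of any post above. The file names today.sql and range.sql are hypothetical, \\MyServer is the placeholder host from the original question, and the queries assume the EVT TimeGenerated field is reported in local time, as the help-file example's use of TO_LOCALTIME implies.

```sql
-- today.sql (hypothetical file name)
-- Run with: LogParser -i:EVT -o:NAT file:today.sql
-- Matches every event generated on the current local calendar day,
-- so the date never has to be typed into the query.
SELECT TimeGenerated, EventTypeName, EventID, SourceName, Message
FROM \\MyServer\Application
WHERE Message LIKE '%NTP% %privilege%'
  AND TO_DATE(TimeGenerated) = TO_DATE(TO_LOCALTIME(SYSTEM_TIMESTAMP()))

-- range.sql (hypothetical file name), kept as a separate file
-- Run with: LogParser -i:EVT -o:NAT file:range.sql
-- Half-open interval [2004-12-01 00:00:00, 2004-12-03 00:00:00):
-- exactly two full days. ">=" on the lower bound keeps an event stamped
-- at midnight, and "<" on the upper bound excludes the first second
-- of 2004-12-03.
SELECT TimeGenerated, EventTypeName, EventID, SourceName, Message
FROM \\MyServer\Application
WHERE Message LIKE '%NTP% %privilege%'
  AND TimeGenerated >= TIMESTAMP('2004-12-01 00:00:00', 'yyyy-MM-dd hh:mm:ss')
  AND TimeGenerated <  TIMESTAMP('2004-12-03 00:00:00', 'yyyy-MM-dd hh:mm:ss')
```

Spelling out the format string in TIMESTAMP() avoids depending on how a bare date literal is parsed, which is the difference the posters ran into with '2005-01-23'.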

Re: Log Parser command question by Bernard

Bernard
Tue Feb 01 23:14:53 CST 2005

Get this
http://www.amazon.com/exec/obidos/ASIN/1932266526/qid%3D1107321232/sr%3D11-1/ref%3Dsr%5F11%5F1/102-6656996-2208159

I contributed two chapters on IIS.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/



<tron9901@msn.com> wrote in message
news:1106847480.706642.190790@f14g2000cwb.googlegroups.com...
> AND TimeGenerated > '2005-01-23' works, although it has to include the
> time in the format (yyyy-MM-dd hh:mm:ss).
>
> So to add to my existing command the function of returning records from
> today's date:
>
> LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
> SourceName, Message FROM \\MyServer\Application WHERE Message Like
> '%NTP% %privilege%' AND TimeGenerated > '2005-01-27 00:00:01'"
>
> If I want records from a date range (12/1/2004 through 12/2/2004), I
> would use:
>
> AND TimeGenerated > '2004-12-01 00:00:01' AND TimeGenerated <
> '2004-12-03 00:00:01'
>
> Thanks for your help!
>