JavaScript appears to be disabled. We recommend you enable JavaScript while visiting this site.
Queries to help you analyze logs
The following queries can be run with Log Parser. In every case (except if noted) the FROM and INTO statements should be modified based on your needs.
Query suggestions or questions are welcome, and can be email to strivinglife [at] gmail dot com.
logparser -rtp:-1 "SELECT cs-uri-stem, cs-uri-query, date, sc-status, cs(Referer) INTO 200sReport.txt FROM ex0902*.log WHERE (sc-status >= 200 AND sc-status < 300) ORDER BY sc-status, date, cs-uri-stem, cs-uri-query"logparser -rtp:-1 "SELECT cs-uri-stem, cs-uri-query, date, sc-status, cs(Referer) INTO 300sReport.txt FROM ex0902*.log WHERE (sc-status >= 300 AND sc-status < 400) ORDER BY sc-status, date, cs-uri-stem, cs-uri-query"logparser -rtp:-1 "SELECT cs-uri-stem, cs-uri-query, date, sc-status, cs(Referer) INTO 400sReport.txt FROM ex0811*.log WHERE (sc-status >= 400 AND sc-status < 500) ORDER BY sc-status, date, cs-uri-stem, cs-uri-query"logparser -rtp:-1 "SELECT cs-uri-stem, cs-uri-query, date, sc-status, cs(Referer) INTO 400sReport.txt FROM ex0811*.log WHERE (sc-status BETWEEN 400 AND 499) ORDER BY sc-status, date, cs-uri-stem, cs-uri-query"logparser -rtp:-1 "SELECT cs-uri-stem, cs-uri-query, date, sc-status, cs(Referer) INTO 500sReport.txt FROM ex0811*.log WHERE (sc-status >= 500 AND sc-status < 600) ORDER BY sc-status, date, cs-uri-stem, cs-uri-query"logparser -rtp:-1 "SELECT date, SUM(cs-bytes) AS [Bytes received], DIV(SUM(cs-bytes), 1024) AS [KBytes received], DIV(DIV(SUM(cs-bytes), 1024), 1024) AS [MBytes received], SUM(sc-bytes) AS [Bytes sent], DIV(SUM(sc-bytes), 1024) AS [KBytes sent], DIV(DIV(SUM(sc-bytes), 1024), 1024) AS [MBytes sent], COUNT(*) AS Requests INTO Bandwidth.txt FROM ex0811*.log GROUP BY date ORDER BY date"logparser -i:iisw3c -rtp:-1 "SELECT DISTINCT TO_LOWERCASE(cs-uri-stem) AS [Url], COUNT(*) AS [Requests], AVG(sc-bytes) AS [AvgBytes], SUM(sc-bytes) AS [Bytes sent] INTO Bandwidth.txt FROM ex0909*.log GROUP BY [Url] HAVING [Requests] >= 20 ORDER BY [Bytes sent] DESC"logparser -rtp:-1 "SELECT cs(User-Agent) AS Browser, COUNT(*) AS Requests INTO BrowserReport.txt FROM ex0811*.log GROUP BY Browser ORDER BY Requests DESC"logparser -rtp:-1 "SELECT STRLEN(cs(Cookie)) AS [CookieLength], c-ip, COUNT(*) AS [Requests], cs(Cookie) INTO CookieLengths.txt FROM ex0910*.log WHERE cs(cookie) IS NOT null GROUP BY cs(Cookie), c-ip, [CookieLength] ORDER BY [CookieLength] DESC"logparser -rtp:-1 "SELECT EXTRACT_EXTENSION(cs-uri-stem) AS [File Type], DIV(SUM(sc-bytes), 1024) AS [Sent (KB)], DIV(SUM(cs-bytes), 1024) AS [Received (KB)] INTO FileTypeDataSentRec.txt FROM ex0812*.log GROUP BY [File Type] ORDER BY [File Type]"logparser -rtp:-1 "SELECT EXTRACT_TOKEN(cs(Referer), 2, '/') AS [Domain], COUNT(*) AS [Requests] INTO ReferringDomains.txt FROM ex0902*.log GROUP BY [Domain] ORDER BY [Requests] DESC"logparser -rtp:-1 -i:TEXTLINE -o:W3C "SELECT SUBSTR(Text, 1, SUB(INDEX_OF(Text, ')'), 1)) AS RequestNumber, TO_TIMESTAMP(TRIM(SUBSTR(Text, ADD(INDEX_OF(Text, ')'), 1), SUB(INDEX_OF(Text, '-'), ADD(INDEX_OF(Text, ')'), 4)))), 'M/d/yyyy?H:mm:ss') AS DateTime, TRIM(SUBSTR(TRIM(SUBSTR(Text, ADD(INDEX_OF(Text, '-'), 1), SUB(INDEX_OF(Text, '>'), ADD(INDEX_OF(Text, '-'), 1)))), 0, LAST_INDEX_OF(TRIM(SUBSTR(Text, ADD(INDEX_OF(Text, '-'), 1), SUB(INDEX_OF(Text, '>'), ADD(INDEX_OF(Text, '-'), 1)))), '('))) AS User, SUBSTR(TRIM(SUBSTR(Text, ADD(INDEX_OF(Text, '-'), 1), SUB(INDEX_OF(Text, '>'), ADD(INDEX_OF(Text, '-'), 1)))), ADD(LAST_INDEX_OF(TRIM(SUBSTR(Text, ADD(INDEX_OF(Text, '-'), 1), SUB(INDEX_OF(Text, '>'), ADD(INDEX_OF(Text, '-'), 1)))), '('), 1), SUB(LAST_INDEX_OF(TRIM(SUBSTR(Text, ADD(INDEX_OF(Text, '-'), 1), SUB(INDEX_OF(Text, '>'), ADD(INDEX_OF(Text, '-'), 1)))), ')'), ADD(LAST_INDEX_OF(TRIM(SUBSTR(Text, ADD(INDEX_OF(Text, '-'), 1), SUB(INDEX_OF(Text, '>'), ADD(INDEX_OF(Text, '-'), 1)))), '('), 1))) AS IpAddress, SUBSTR(Text, ADD(INDEX_OF(Text, '>'), 2), SUB(STRLEN(Text), INDEX_OF(Text, '>'))) AS Request INTO FileZilla.log FROM fzs-*.log WHERE Text LIKE '(%' AND Request NOT LIKE 'Connected,%' AND Request NOT LIKE '221 %' AND Request NOT LIKE 'disconnected%' AND Request NOT LIKE 'QUIT%'"logparser -o:chart -chartType:Pie -chartTitle:"Status as Percent of Requests" "SELECT sc-status AS [HTTP Status Code], COUNT(*) AS Requests INTO HttpStatusCodePieChart.png FROM ex0811*.log GROUP BY [HTTP Status Code] ORDER BY Requests DESC"logparser -rtp:-1 "SELECT sc-status AS [HTTP Status Code], COUNT(*) AS Requests INTO HttpStatusCodes.txt FROM ex0811*.log GROUP BY [HTTP Status Code] ORDER BY Requests DESC"logparser -rtp:-1 "SELECT sc-status, COUNT(*) AS [Requests], MUL(PROPCOUNT(*), 100) AS [Percentage] FROM ex0902*.log GROUP BY sc-status"logparser -rtp:-1 "SELECT c-ip, COUNT(*) AS [Requests] INTO PostRequests.txt FROM ex0910*.log WHERE cs-method = 'POST' GROUP BY c-ip ORDER BY [Requests] DESC"logparser -rtp:-1 -o:w3c "SELECT c-ip, COUNT(*) AS [Requests] INTO QueryParams-1c.log FROM ex0910*.log WHERE cs-uri-query IS NOT null and STRCNT(TO_LOWERCASE(cs-uri-query), 'http://') > 0 GROUP BY c-ip ORDER BY [Requests] DESC"logparser -rtp:-1 -o:w3c "SELECT cs-uri-query, COUNT(*) AS [Requests] INTO QueryParams-1b.log FROM ex0910*.log WHERE cs-uri-query IS NOT null GROUP BY cs-uri-query ORDER BY cs-uri-query"logparser -rtp:-1 -o:w3c "SELECT cs-uri-query, COUNT(*) AS [Requests], c-ip INTO QueryParams-1a.log FROM ex0910*.log WHERE cs-uri-query IS NOT null GROUP BY cs-uri-query, c-ip ORDER BY cs-uri-query"logparser -rtp:-1 "SELECT EXTRACT_EXTENSION(cs-uri-stem) AS [File Type], COUNT(*) AS [Requests] INTO FileTypeRequests.txt FROM ex0812*.log GROUP BY [File Type] ORDER BY [Requests] DESC"logparser -rtp:-1 "SELECT TO_STRING(time, 'hh') AS [Hour], COUNT(*) AS [Requests], MUL(PROPCOUNT(*), 100) AS [PercentOfTotal] INTO HourlyReport.txt FROM ex0902*.log GROUP BY [Hour] ORDER BY [Hour]"logparser -rtp:-1 "SELECT TO_TIME(TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time), 3600))) AS [Hour], COUNT(*) AS [Requests], MUL(PROPCOUNT(*), 100) AS [PercentOfTotal] INTO HourlyReport.txt FROM ex0902*.log GROUP BY [Hour] ORDER BY [Hour]"logparser -rtp:-1 "SELECT TO_LOCALTIME(QUANTIZE(TO_TIMESTAMP(date, time), 3600)) AS [DateTime], COUNT(*) AS [Requests] INTO HourlyDayReport.txt FROM ex0902*.log GROUP BY [DateTime] ORDER BY [DateTime]"logparser -i:iisw3c -o:csv "SELECT ADD(DIV(QUANTIZE(time-taken, 1000), 1000), 1) AS [Seconds], COUNT(*) AS [Requests] INTO RequestProcessingTimes.csv FROM ex0906*.log GROUP BY [Seconds] ORDER BY [Seconds] DESC"logparser -rtp:-1 -i:iisw3c "SELECT ADD(DIV(QUANTIZE(time-taken,1000),1000),1) AS [Seconds], COUNT(*) AS [Requests], MUL(PROPCOUNT(*),100) AS [Percent] INTO RequestTimes.txt FROM ex0103*.log GROUP BY [Seconds] ORDER BY [Seconds]"logparser -rtp:-1 "SELECT TO_STRING(TO_LOCALTIME(TO_TIMESTAMP(date, time)), 'yyyy-MM-dd') AS [Day], COUNT(*) AS [Requests] INTO DayReport.txt FROM ex0103*.log GROUP BY [Day] ORDER BY [Day]"logparser -rtp:-1 "SELECT COUNT(*) AS [Requests], DIV(DIV(SUM(cs-bytes), 1024), 1024) AS [MBytes received], DIV(DIV(SUM(sc-bytes), 1024), 1024) AS [MBytes sent], c-ip AS [IP Address], cs(User-Agent) AS [User agent], MAX(date) AS [Last visit] INTO IpAddress.txt FROM ex0811*.log GROUP BY [IP Address], [User agent] ORDER BY [Requests] DESC"