Log Parser command question


tron9901

Using Microsoft Log Parser 2.2 on Windows 2000 Advanced Server. I'm
searching the Application event log on a remote server for records
which contain the keywords "NTP" and "privilege" in the Description.
The following command works fine:

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%'"

What I need to do is use the WHERE clause to return records from
today's date, or a given date. Any suggestions on how I can add that
function in to the above command? Thanks in advance.
 
Take a look at the help file LogParser.chm.

There is this example:

As another example, we might want to see all the events that have been
logged in the past 24 hours.
Translated into WHERE terms, this means that we only want to see records
whose "TimeWritten" field is greater than or equal the current local
time minus 1 day:

SELECT * FROM System
WHERE TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-02', 'yyyy-MM-dd') )

HTH
 
Hi,

My answer will be based on the Log Parser 2.0 documentation.

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%' AND TimeGenerated > '2005-01-23'"

Note, the date I wrote is in a format I have. This may not be the same as
you have, so you might need to format it differently, or use the functions
available to format the date (see the documentation for more information).
 
AND TimeGenerated > '2005-01-23' works, although it has to include the
time in the format (yyyy-MM-dd hh:mm:ss).

So to add to my existing command the function of returning records from
today's date:

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%' AND TimeGenerated > '2005-01-27 00:00:01'"

If I want records from a date range (12/1/2004 through 12/2/2004), I
would use:

AND TimeGenerated > '2004-12-01 00:00:01' AND TimeGenerated <
'2004-12-03 00:00:01'

Thanks for your help!
 
Dear Matthias Sir,
Thanks for your help. This really helped me.

(e-mail address removed) wrote:
> Using Microsoft Log Parser 2.2 on Windows 2000 Advanced Server. I'm
> searching the Application event log on a remote server for records
> which contain the keywords "NTP" and "privilege" in the Description.
> The following command works fine:
>
> LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
> SourceName, Message FROM \\MyServer\Application WHERE Message Like
> '%NTP% %privilege%'"
>
> What I need to do is use the WHERE clause to return records from
> today's date, or a given date. Any suggestions on how I can add that
> function in to the above command? Thanks in advance.
>

Take a look at the help file LogParser.chm.

There is this example:

As another example, we might want to see all the events that have been
logged in the past 24 hours.
Translated into WHERE terms, this means that we only want to see records
whose "TimeWritten" field is greater than or equal the current local
time minus 1 day:

SELECT * FROM System
WHERE TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-02', 'yyyy-MM-dd') )

HTH

--
Gruesse Greetings Saludos Saluti Salutations
Matthias
---------+---------+---------+---------+---------+---------+---------+
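
Added example, not part of the thread: a query file that returns the matching records for the current local day without a hard-coded date, combining the original query with the functions from the help file excerpt. TO_DATE is not used anywhere in the thread and is assumed here from the Log Parser 2.2 function reference; the file name today.sql is hypothetical.

```sql
-- today.sql (hypothetical file name). Assumed invocation:
--   LogParser file:today.sql -i:EVT -o:NAT
-- Server name and keywords are the ones used in the thread.
SELECT TimeGenerated, EventTypeName, EventID, SourceName, Message
FROM \\MyServer\Application
WHERE Message LIKE '%NTP% %privilege%'
  -- TO_DATE() (assumed from the 2.2 function reference) drops the
  -- time-of-day part, so the comparison matches every event logged on
  -- the current local date, including one stamped exactly 00:00:00.
  AND TO_DATE(TimeGenerated) = TO_DATE(TO_LOCALTIME(SYSTEM_TIMESTAMP()))
```

Because the date is computed when the query runs, the same file can be scheduled daily without editing.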
 