Analyze your IIS Log Files - Favorite Log Parser Queries

The other day I was asked if I knew about a tool that would allow users to easily analyze the IIS Log Files, to process and look for specific data that could easily be automated. My recommendation was that if they were comfortable with using a SQL-like language that they should use Log Parser. Log Parser is a very powerful tool that provides a generic SQL-like language on top of many types of data like IIS Logs, Event Viewer entries, XML files, CSV files, File System and others; and it allows you to export the result of the queries to many output formats such as CSV (Comma-Separated Values, etc), XML, SQL Server, Charts and others; and it works well with IIS 5, 6, 7 and 7.5.

To use it you just need to install it and use the LogParser.exe that is found in its installation directory (on my x64 machine it is located at: C:\Program Files (x86)\Log Parser 2.2).

I also thought on sharing some of my favorite queries. To run them, just execute LogParser.exe and make sure to specify that the input is an IIS Log file (-i:W3C) and for ease of use in this case we will export to a CSV file that can be then opened in Excel (-o:CSV) for further analysis:

LogParser.exe -i:W3C "Query-From-The-Table-Below" -o:CSV
Purpose Query Sample Output
Number of Hits per Client IP, including a Reverse DNS lookup (SLOW) SELECT c-ip As Machine, 
        REVERSEDNS(c-ip) As Name, 
        COUNT(*) As Hits 
 FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
 GROUP BY Machine ORDER BY Hits DESC
Machine Name Hits
::1 CARLOSAGDEV 57
127.0.0.1 MACHINE1 28
127.X.X.X MACHINE2 1
Top 25 File Types SELECT TOP 25 
    EXTRACT_EXTENSION(cs-uri-stem) As Extension, 
    COUNT(*) As Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
GROUP BY Extension 
ORDER BY Hits DESC
Extension Hits
gif 52127
bmp 20377
axd 10321
txt 460
htm 362
Top 25 URLs SELECT TOP 25 
    cs-uri-stem as Url, 
    COUNT(*) As Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
GROUP BY cs-uri-stem 
ORDER By Hits DESC
Url Hits
/WebResource.axd 10318
/favicon.ico 8523
/Tools/CodeTranslator/Translate.ashx 6519
/App_Themes/Silver/carlosag.css 5898
/images/arrow.gif 5720
Number of hits per hour for the month of March SELECT 
    QUANTIZE(TO_LOCALTIME(TO_TIMESTAMP(date, time)), 3600) AS Hour, 
    COUNT(*) AS Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
WHERE date>'2010-03-01' and date<'2010-04-01' 
Group By Hour
Hour   Hits
3/3/2010 10:00:00 33
3/3/2010 11:00:00 5
3/3/2010 12:00:00 3
Number of hits per Method (GET, POST, etc) SELECT 
    cs-method As Method, 
    COUNT(*) As Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
GROUP BY Method
Method Hits
GET 133566
POST 10901
HEAD 568
OPTIONS 11
PROPFIND 18
Number of requests made by user SELECT TOP 25 
    cs-username As User, 
    COUNT(*) as Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
WHERE User Is Not Null 
GROUP BY User
User Count
Administrator 566
Guest 1
Extract Values from Query String (d and t) and use them for Aggregation SELECT TOP 25 
    EXTRACT_VALUE(cs-uri-query,'d') as Query_D, 
    EXTRACT_VALUE(cs-uri-query,'t') as Query_T, 
    COUNT(*) As Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
WHERE Query_D IS NOT NULL 
GROUP BY Query_D, Query_T 
ORDER By Hits DESC
Query_D Query_T Hits
Value in Query1 Value in T1 1556
Value in Query2 Value in T2 938
Value in Query3 Value in T3 877
Value in Query4 Value in T4 768
Find the Slowest 25 URLs (in average) in the site SELECT TOP 25 
    cs-uri-stem as URL, 
    MAX(time-taken) As Max, 
    MIN(time-taken) As Min, 
    Avg(time-taken) As Average 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
GROUP BY URL 
ORDER By Average DESC
URL Max Min Average
/Test/Default.aspx 23215 23215 23215
/WebSite/Default.aspx 5757 2752 4178
/Remote2008.jpg 3510 3510 3510
/wordpress/ 6541 2 3271
/RemoteVista.jpg 3314 2 1658
List the count of each Status and Substatus code SELECT TOP 25 
    STRCAT(TO_STRING(sc-status), 
    STRCAT('.', TO_STRING(sc-substatus))) As Status, 
    COUNT(*) AS Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
GROUP BY Status 
ORDER BY Status ASC
Status Hits
200 144
304 38
400 9
403.14 10
404 64
404.3 2
500.19 23
List all the requests by user agent SELECT 
    cs(User-Agent) As UserAgent, 
    COUNT(*) as Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
GROUP BY UserAgent 
ORDER BY Hits DESC
UserAgent Hits
iisbot/1.0+(+http://www.iis.net/iisbot.html) 104
Mozilla/4.0+(compatible;+MSIE+8.0;… 77
Microsoft-WebDAV-MiniRedir/6.1.7600 23
DavClnt 1
List all the Win32 Error codes that have been logged SELECT 
    sc-win32-status As Win32-Status, 
    WIN32_ERROR_DESCRIPTION(sc-win32-status) as Description, 
    COUNT(*) AS Hits 
FROM c:\inetpub\logs\LogFiles\W3SVC1\* 
WHERE Win32-Status<>0 
GROUP BY Win32-Status 
ORDER BY Win32-Status ASC
Win32-Status Description Hits
2 The system cannot find the file specified. 64
13 The data is invalid. 9
50 The request is not supported. 2

A final note: any time you deal with Date and Time, remember to use the TO_LOCALTIME function to convert the log times to your local time, otherwise you will find it very confusing when your entries seem to be reported incorrectly.

If you need any help you can always visit the Log Parser Forums to find more information or ask specific questions.

Any other useful queries I missed?

No Comments