Log Parser command question

tron9901

Using Microsoft Log Parser 2.2 on Windows 2000 Advanced Server. I'm
searching the Application event log on a remote server for records
which contain the keywords "NTP" and "privilege" in the Description.
The following command works fine:

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%'"

What I need to do is use the WHERE clause to return records from
today's date, or a given date. Any suggestions on how I can add that
function in to the above command? Thanks in advance.
 
Matthias Tacke

Take a look at the help file LogParser.chm.

There is this example:

As another example, we might want to see all the events that have been
logged in the past 24 hours.
Translated into WHERE terms, this means that we only want to see records
whose "TimeWritten" field is greater than or equal the current local
time minus 1 day:

SELECT * FROM System
WHERE TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-02', 'yyyy-MM-dd') )

HTH
 
Kristofer Gafvert

Hi,

My answer will be based on the Log Parser 2.0 documentation.

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%' AND TimeGenerated > '2005-01-23'"

Note, the date I wrote is in a format I have. This may not be the same as
you have, so you might need to format it differently, or use the functions
available to format the date (see the documentation for more information).
 
tron9901

AND TimeGenerated > '2005-01-23' works, although it has to include the
time in the format (yyyy-MM-dd hh:mm:ss).

So to add to my existing command the function of returning records from
today's date:

LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID,
SourceName, Message FROM \\MyServer\Application WHERE Message Like
'%NTP% %privilege%' AND TimeGenerated > '2005-01-27 00:00:01'"

If I want records from a date range (12/1/2004 through 12/2/2004), I
would use:

AND TimeGenerated > '2004-12-01 00:00:01' AND TimeGenerated <
'2004-12-03 00:00:01'

Thanks for your help!
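
The filters discussed in this thread, as an added example that is not from any of the posters or from the Log Parser help file: the first command returns today's records without a hard-coded date, and the second expresses the 12/1/2004 through 12/2/2004 range as a half-open interval so that records stamped exactly at midnight are included. TO_DATE is a Log Parser function that does not appear in the thread, and TimeGenerated is assumed to be in local time, like TimeWritten in the help-file example.

```bat
rem Added example, typed at an interactive cmd prompt as in the thread.
rem Inside a .bat/.cmd file, write every % as %% so that cmd does not
rem try to expand %NTP% and %privilege% as environment variables.
rem \\MyServer is the thread's sample server name.

rem Today's events: compare only the date part of each timestamp.
rem SYSTEM_TIMESTAMP() is UTC, so it is converted to local time first.
LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID, SourceName, Message FROM \\MyServer\Application WHERE Message LIKE '%NTP% %privilege%' AND TO_DATE(TimeGenerated) = TO_DATE(TO_LOCALTIME(SYSTEM_TIMESTAMP()))"

rem A given date range, 2004-12-01 through 2004-12-02, as a half-open interval:
rem   >= midnight of the first day, and < midnight of the day after the last day.
rem The explicit format string removes any dependence on how a bare literal is parsed.
LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventTypeName, EventID, SourceName, Message FROM \\MyServer\Application WHERE Message LIKE '%NTP% %privilege%' AND TimeGenerated >= TIMESTAMP('2004-12-01 00:00:00', 'yyyy-MM-dd hh:mm:ss') AND TimeGenerated < TIMESTAMP('2004-12-03 00:00:00', 'yyyy-MM-dd hh:mm:ss')"
```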
 
Dear Matthias Sir,
Thanks for your help. This really helped me.

 
