there’s a point where logparser one-liners start to make perl look like a tidy language. that’s when you need to start using query files. here’s a sample query file.
vwGroupDeletions.sql:
-- SQL file version of vwGroupDeletions.bat query
SELECT TOP 5
    timegenerated AS timestamp,
    eventid,
    extract_token(strings, 2, '|') AS group,
    resolve_sid(substr(extract_token(strings, 1, '|'), 2, -1)) AS user
INTO %lpCsvFile%
FROM \\%lpServer%\%lpLogType%
WHERE eventid = 633
now isn’t that easier to read? one key thing to note is that you can use placeholders to make the query dynamic. they look exactly like dos/batch variable names, i.e. %woof%, and logparser substitutes them textually with the values you pass on the command line. to use the query file all you need to do is hand it to logparser as file:name.sql, with the parameters tacked on after a ? and separated by +. here’s a sample batch file.
vwGroupDeletions.bat:
@echo off
cls
set lpServer=aServerCalledBob
set lpLogType=security
set lpCsvFile=vwGroupDeletions.csv
echo Generating CSV file (%lpCsvFile%) for recent deletions on %lpServer%
logparser file:vwGroupDeletions.sql?lpServer=%lpServer%+lpLogType=%lpLogType%+lpCsvFile=%lpCsvFile%
oh, if you’re interested, this logparser query reads the security event log on the server, grabs recent removals of members from security-enabled global groups (event id 633 on windows 2000/2003; the deletion of a group itself is event id 634) and writes them to a csv file. two things to check before trusting the output: extract_token indexes are zero-based and the order of the fields in strings follows the event’s message template, which differs between windows versions, so confirm the group and user columns against a known event on your own servers; and top 5 on its own returns the first five matches in log order, i.e. the oldest, so add order by timegenerated desc if you actually want the five most recent.
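as an added example (not a file from the original post), here’s a query file that takes the same idea a step further: it covers the whole family of member add/remove events for global and local groups, orders newest first so top really means most recent, and adds a fourth placeholder for the row count. the three original placeholders, the token positions and the event ids come from the post; the file name, the extra %lpTop% placeholder, the renamed column aliases and the use of the event’s own sid field for the caller are assumptions made for this example.

```sql
-- vwGroupMembershipChanges.sql (added example, not the post's own file)
-- run it from a batch file the same way as vwGroupDeletions.sql, e.g.
--   logparser -i:EVT -o:CSV "file:vwGroupMembershipChanges.sql?lpServer=aServerCalledBob+lpLogType=Security+lpCsvFile=changes.csv+lpTop=25"
-- %lpTop% is an extra placeholder introduced here; substitution is textual,
-- so a placeholder can stand anywhere in the query, not just in the WHERE clause.
SELECT TOP %lpTop%
    -- EVT timestamps are UTC; convert so the CSV reads in local time
    TO_LOCALTIME(TimeGenerated) AS timestamp,
    ComputerName,
    EventID,
    -- label the event id so the CSV is readable without a lookup table
    CASE EventID
        WHEN 632 THEN 'global member added'
        WHEN 633 THEN 'global member removed'
        WHEN 636 THEN 'local member added'
        WHEN 637 THEN 'local member removed'
        ELSE 'other'
    END AS action,
    -- token positions copied from the original query; EXTRACT_TOKEN is zero-based
    -- and the Strings layout follows the event's message template, so verify
    -- these two columns against a known event on your own servers
    -- (aliases renamed from group/user to avoid clashing with SQL keywords)
    EXTRACT_TOKEN(Strings, 2, '|') AS group_name,
    RESOLVE_SID(SUBSTR(EXTRACT_TOKEN(Strings, 1, '|'), 2, -1)) AS member,
    -- the event's own SID field is what Event Viewer shows in its User column,
    -- i.e. the account that made the change (assumption: resolvable from this host)
    RESOLVE_SID(SID) AS caller,
    -- keep the raw field so odd rows can be checked by hand
    Strings
INTO %lpCsvFile%
FROM \\%lpServer%\%lpLogType%
-- LogParser separates IN-list values with ';' rather than ','
WHERE EventID IN (632; 633; 636; 637)
-- newest first, otherwise TOP returns the oldest matches in the log
ORDER BY TimeGenerated DESC
```

the -i:EVT and -o:CSV switches are spelled out on the command line rather than left for logparser to guess from the FROM and INTO clauses, which keeps the batch file working if someone later points lpCsvFile at a name without a .csv extension.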