Had an interesting problem today. Received a ULS log file that was 18 GB in size. Although I knew the approximate timeframe in which the problem started happening, the normal PowerShell commands I use to break up the logs did not work.
Basically the challenge was: how to extract a specific timeframe from an 18GB log file.
Answer (as suggested by the great CristiG): use LogParser. Although it was initially meant for IIS logs, LogParser can also be used for ULS logs with a little adaptation. The main challenge was parsing the Timestamp column, which is not in the standard format that LogParser understands.
The resulting script looks like this:
select [Timestamp],Process,TID,Area,Category,EventID,Level,Message,Correlation into test3.log from problem.log
where TO_TIME(TO_TIMESTAMP(STRCAT(STRCAT(STRCAT(STRCAT(STRCAT(STRCAT(TRIM(SUBSTR(Timestamp,6,4)),'-'),TRIM(SUBSTR(Timestamp,0,2))),'-'),TRIM(SUBSTR(Timestamp,3,2))),' '),TRIM(SUBSTR(Timestamp,11,8))), 'yyyy-MM-dd hh:mm:ss')) between timestamp('01:33:00', 'hh:mm:ss') and timestamp('01:43:00', 'hh:mm:ss')
After installing LogParser and adding it to your PATH variable, you can run the following command to filter the logs: LogParser -i:tsv -o:tsv file:test2.sql (provided that the input file and the script file are in the same directory).
Logparser can be downloaded for free from: https://www.microsoft.com/en-us/download/details.aspx?id=24659
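The same filter as a streaming Python script, as an added example that is not part of the original post: it rebuilds the timestamp from the same 19 characters the SUBSTR calls use, but compares the full date and time, so the window can span several days. The names filter_window and extract, the header-row and encoding assumptions, and the sample rows are constructed for illustration.

```python
import io
from datetime import datetime

# ULS Timestamp column looks like "11/04/2013 01:33:00.12": MM/dd/yyyy HH:mm:ss.ff
ULS_FORMAT = "%m/%d/%Y %H:%M:%S"

def parse_uls_timestamp(field):
    # First 19 characters only, the same slice the SUBSTR calls rebuild;
    # the fraction and anything after it are ignored.
    return datetime.strptime(field.strip()[:19], ULS_FORMAT)

def filter_window(lines, start, end, sorted_input=False):
    """Yield the header row plus entries with start <= timestamp <= end."""
    keep = False
    for number, line in enumerate(lines):
        if number == 0:              # assumption: first line is the column header
            yield line
            continue
        try:
            stamp = parse_uls_timestamp(line.split("\t", 1)[0])
        except ValueError:           # not an entry start: follows the previous entry
            if keep:
                yield line
            continue
        if sorted_input and stamp > end:
            return                   # chronological file: stop reading early
        keep = start <= stamp <= end
        if keep:
            yield line

def extract(src, dst, start, end, encoding="utf-8-sig", sorted_input=False):
    """Stream src to dst one line at a time; returns the number of lines written."""
    written = 0
    # Assumption: the input decodes as UTF-8; undecodable bytes are replaced.
    with open(src, encoding=encoding, errors="replace", newline="") as fin, \
         open(dst, "w", encoding="utf-8", newline="") as fout:
        for line in filter_window(fin, start, end, sorted_input):
            fout.write(line)
            written += 1
    return written

# Constructed sample rows (not from a real farm), tab-separated like a ULS file.
SAMPLE = (
    "Timestamp              \tProcess\tTID\tArea\tCategory\tEventID\tLevel\tMessage\tCorrelation\n"
    "11/03/2013 23:59:58.10 \tw3wp.exe\t0x0B14\tArea1\tGeneral\t0000\tMedium\tbefore window\t\n"
    "11/04/2013 01:33:00.12 \tw3wp.exe\t0x0B14\tArea1\tGeneral\t0000\tHigh\tfirst hit...\t\n"
    "11/04/2013 01:33:00.12*\tw3wp.exe\t0x0B14\tArea1\tGeneral\t0000\tHigh\t...continued\t\n"
    "11/06/2013 23:59:59.99 \tw3wp.exe\t0x0B14\tArea1\tGeneral\t0000\tMedium\tlast second\t\n"
    "11/07/2013 00:00:00.00 \tw3wp.exe\t0x0B14\tArea1\tGeneral\t0000\tMedium\tafter window\t\n"
)
```

Because the file is read one line at a time, memory use does not grow with the size of the log; set sorted_input=True only when the file is known to be in chronological order.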
Comments
Anonymous
December 13, 2012
You can also use the readily available ULSViewer found @ codeplex. Many parameters to filter by, including date/time, correlation ID. Plus you can open a live ULS log file as it is being written. http://ulsviewer.codeplex.com/
Anonymous
March 29, 2013
Thanks for sharing, Daniel
Anonymous
November 04, 2013
OK, now how can I expand that to a date range as well? I got lost three STRCATs in. I want something like: between timestamp('2013-11-04 00:00:01', 'yyyy-MM-dd hh:mm:ss') and timestamp('2013-11-06 23:59:59', 'yyyy-MM-dd hh:mm:ss') But, I get zero results that way.