IIS – How to use logparser to query IIS log entries logged in the past N minutes

Tags: iis, iis-6, logparser, time

The host is located in the EDT time zone. Event logs are logged using EDT. IIS logs are getting logged using UTC, and I'm not sure which logparser construct helps account for UTC.

For example, for Windows event logs, which are logged in local time, entries logged in the last 20 minutes can be retrieved with:

>logparser "SELECT * FROM Application WHERE TimeGenerated >= TO_LOCALTIME( SUB( SYSTEM_TIMESTAMP(), TIMESTAMP( '20', 'mm' ) ) )"

How do I retrieve IISW3C formatted log entries logged in the previous 3 minutes?

After further review, I found this example in the help entry for SYSTEM_TIME ( ), i.e.
Retrieve the IIS log entries logged in the current hour:

logparser -i:IISW3C "SELECT * FROM <1> WHERE date = SYSTEM_DATE() AND time >= QUANTIZE( SYSTEM_TIME(), 3600 )" -o:NAT

This current attempt retrieves the last 180 seconds (I think?), still trying to grok it…;-)

logparser -i:IISW3C "SELECT Time, Date, cs-uri-stem FROM <1> WHERE date = SYSTEM_DATE() AND time >= QUANTIZE( SYSTEM_TIME(), 180 )" -RTP:-1

Other suggestions or approaches you can recommend?

Best Answer

OK, I realize I'm replying to a post that is more than a year old, but I know that some googler out there will find this information useful. Here is how I query IIS entries within the last X minutes (or hours, or seconds).

"select TO_LOCALTIME(time), c-ip, cs-method, sc-status, cs-uri-stem from <1> where TIME > SUB(SYSTEM_TIME(), TO_TIMESTAMP('00:05:00','hh:mm:ss'))"

This can be expanded to be the last day, month, year (assuming you are not using the -mindatemod option to logparser) by changing SYSTEM_TIME() to SYSTEM_TIMESTAMP() and editing the format specified in TO_TIMESTAMP().

It's also helpful to remember the logparser time format: 'yyyy-MM-dd hh:mm:ss'

-MBB
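Added example, not part of the original question or answer and not Log Parser code: the same "last N minutes" selection done in Python over IISW3C text, comparing a sliding UTC window on the combined date and time with a cutoff rounded down to a fixed bucket, which is what a QUANTIZE-based cutoff amounts to. The sample log lines are constructed, and the function names `parse_w3c`, `last_n_minutes` and `quantized_bucket` are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed IISW3C sample (not from the original post); date/time are UTC.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-03-09 23:50:10 10.0.0.5 GET /old.aspx 200
2024-03-09 23:59:30 10.0.0.5 GET /login.aspx 200
2024-03-10 00:00:40 10.0.0.7 POST /login.aspx 401
2024-03-10 00:01:15 10.0.0.7 POST /login.aspx 401
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            # Join date and time so the comparison survives a midnight rollover.
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(
                tzinfo=timezone.utc)
            yield row

def last_n_minutes(text, minutes, now=None):
    """Sliding window: entries with now - minutes <= ts <= now, all in UTC."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(minutes=minutes)
    return [r for r in parse_w3c(text) if cutoff <= r["ts"] <= now]

def quantized_bucket(text, seconds, now):
    """Cutoff rounded down to a multiple of `seconds`: only the current bucket."""
    epoch = int(now.timestamp())
    start = datetime.fromtimestamp(epoch - epoch % seconds, timezone.utc)
    return [r for r in parse_w3c(text) if start <= r["ts"] <= now]

if __name__ == "__main__":
    now = datetime(2024, 3, 10, 0, 2, 0, tzinfo=timezone.utc)  # constructed "now"
    for row in last_n_minutes(SAMPLE_LOG, 3, now):
        # Convert to the host's local zone only for display, as TO_LOCALTIME does.
        print(row["ts"].astimezone(), row["c-ip"], row["sc-status"], row["cs-uri-stem"])
```

With "now" just after midnight UTC, the sliding window still returns the 23:59:30 entry from the previous date, while the rounded cutoff returns only what falls inside the current fixed bucket.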