• Getting Started with Log Parser Studio - Part 1

    Hopefully, if you are reading this you already know what Log Parser 2.2 is and that Log Parser Studio is a graphical interface for Log Parser. Additionally, Log Parser Studio (which I will refer to from here forward simply as LPS) contains a library of pre-built queries and features that increase the usefulness and speed of using Log Parser exponentially. If you need to rip through gigabytes of all types of log files and tell a story with the results, Log Parser Studio is the tool for you!

    None of this is of much use if you don’t have LPS or don’t know how to get it up and running, but luckily this is exactly what this blog post is about. So let’s get to it; the first thing you want to do, of course, is to download LPS and any prerequisites. The prerequisites are:

     

    1. Log Parser Studio (get it here).
    2. .NET 4.x which can be found here.
    3. Log Parser 2.2 which is located here.

     

    Once everything is downloaded we’ll install the prerequisites first. Run the installer for Log Parser 2.2 and make sure that you choose the “Complete” install option. The complete install option installs logparser.dll which is the only component from the install LPS actually requires:

     

     

    Next we want to install .NET 4; you can run the web installer as needed. Once it is installed all that is left is to install Log Parser Studio. Oh snap, LPS doesn’t require an install: all you need to do is unzip all the files into a folder in the location of your choice and run LPS.exe. Once you have completed these steps the install is complete and the only thing left is a few basic setup steps in LPS.

     

    Setting up the default output directory

    LPS (based on the query you are running) may export the results to a CSV, TSV or other file format as part of the query itself. The default location is C:\Users\username\AppData\Roaming\ExLPT\Log Parser Studio. However, it’s probably better to change that path to something you are more familiar with. To set a new default output directory run LPS and go to Options > Preferences and it is the first option at the top:

     

    Click the browse button and choose the directory you wish to use as your default output directory. You can always quickly access this folder directly from LPS by clicking the show output directory button in the main LPS window. If you just exported a query to CSV and want to browse to it, just click that button, no need to manually browse:

     

    Choose the log files you wish to query

    Next you’ll want to choose the log file(s) you want to query. If you are familiar with Log Parser 2.2 the following physical log file types are supported: .txt, .csv, .cap, .log, .tsv and .xml. To choose the logs you need, open the log file manager by clicking the orange “log” button shown in the screenshot above. Technically, you can query almost any text based file; more on that in upcoming articles.

    In the log file manager you can choose single files, multiple files or entire folders based on log type. Just browse to the logs you care about. You can house multiple file types in the log file manager and only the ones that are checked will be queried. This is very handy if you have multiple log types and you need to quickly switch between them without having to browse for them each time:

    Note: When adding a folder you need to double-click or select at least one log file. LPS will know that you want all the files and will use wildcards accordingly instead of the single file you selected. If you use the Add Files button then only files you select will be added.

     

    Running your first query

    By this point you are ready to start running queries. All queries are stored in the LPS library which is the first window you see when opening LPS. To load any query to run, just double-click it and it will open in its own tab:

    The only thing left is to execute the query, and to do so just click the execute query button. If you are wondering why I chose such an icon as this, it’s because Log Parser uses SQL syntax and traditionally this icon has always been used to identify the “run query” button in applications that edit queries such as SQL Server Management Studio. If you are wondering why there is another button below that is similar but contains two exclamation points, you might be able to guess that it executes multiple queries at once. I'll elaborate in an upcoming post that covers grouping multiple queries together so they can all be executed as a batch.

    Here are the results from my test logs after the query has completed:

    We can see that it took about 15 seconds to execute and 9963 records were returned; there are 36 queries in my test library, zero batches executing and zero queries executing.

     

    Conclusion

    And that’s it, you are now up and running with LPS. Just choose your logs, find a query that you want to use and click run query. The only thing you need to be aware of is that different log formats require different log types, so you’ll want to make sure those match or you’ll get an error. In other words, the IISW3C format is different than the format for an XML file and LPS needs to know this so it can pass the correct information to Log Parser in the background. Thankfully, these are already set up inside the existing queries; all you need to do is choose an IIS query for IIS logs and so on.
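    For reference, here is the command-line equivalent of what LPS does when it hands a query and a log type to Log Parser 2.2. This is an added example, not code from the original post or from LPS itself; the install path, log folder and output file are assumptions or placeholders you replace with your own.

```powershell
# Added example, not code from the original post: the command-line equivalent
# of what LPS does when it hands a query and a log type to Log Parser 2.2.
# Assumptions: Log Parser 2.2 is installed in its default folder, and the log
# folder and output path are placeholders to replace with your own.
$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'
$LogFolder = 'C:\inetpub\logs\LogFiles\W3SVC1'                # placeholder: your IIS log folder
$OutFile   = "$env:USERPROFILE\Documents\status-errors.csv"  # placeholder: output path

# Log Parser uses SQL syntax. This query counts, per client address, the
# requests that produced an HTTP status of 400 or above and writes the result
# to CSV (the INTO clause is how Log Parser exports to a file).
$Query = @"
SELECT TOP 20 c-ip, COUNT(*) AS Hits
INTO '$OutFile'
FROM '$LogFolder\*.log'
WHERE sc-status >= 400
GROUP BY c-ip
ORDER BY Hits DESC
"@

# -i:IISW3C is the "log type" the post talks about: it tells Log Parser the
# input is IIS W3C extended format, which is what makes fields such as c-ip
# and sc-status exist. Point the same switch at an XML or CSV file and Log
# Parser fails to parse it, which is the type/format mismatch LPS surfaces
# as an error. -o:CSV selects the output format; -stats:OFF suppresses the
# run statistics Log Parser prints at the end.
& $LogParser '-i:IISW3C' '-o:CSV' '-stats:OFF' $Query
```

    Within LPS the same three pieces of information (query text, log type, output format) are fields of the saved query, which is why picking an IIS query for IIS logs is enough.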

    Most every button and interface element in LPS has a tool-tip explanation of what that button does so be sure to hover your mouse cursor over them to find out more. There is also a tips message that randomly displays how-to tips and tricks in the top-right of the main interface. You can also press F10 to display a new random tip.

    You can also write your own queries, save them to the library, edit existing queries and change log types and all format parameters. There is a huge list of features in LPS, both obvious and not so obvious, so upcoming posts will build on this and introduce you to the sheer power and under-the-hood tips and tricks that LPS offers. It’s amazing how much can be accomplished once you learn how it all works and that’s what we are going to do next. :)

    Continue to the next post in the series: Getting Started with Log Parser Studio - Part 2

     

  • Getting Started with Log Parser Studio - Part 2

    In my last post, Getting Started with Log Parser Studio - Part 1, I showed how to get Log Parser Studio along with its minimal prerequisites installed, basic setup as well as running your first query. In this post I'll be taking you on a basic "getting around town" tour to help familiarize you with the LPS Query Library and managing queries. To kick things off let's take a quick look at the library.

     

    Working with the library

     

    Above we see the library that holds all the queries. It's fairly self-explanatory that it's a list of all the queries that LPS manages along with a description, date modified, type of query and the query itself (not all of these are visible in the image above). All queries are prefixed with the basic category they reside in. For example a query that queries log files for an IIS website will appear in the following format: IIS: Name Of Query. This makes it easy to visually browse for the query you are looking for.

    If you'll remember from my last post I mentioned that the type of query needs to match the type of log being queried. These prefixes directly or sometimes indirectly correlate to those types so if you have IISW3C logs you need queries for, then queries beginning with IIS: are the ones you want. You can also sort the queries by clicking the column header of the field you wish to sort by.

    Another advantage to this is searching. Notice the search box at the top right. To quickly narrow down the visible results in the library to list only the log type you need, simply type part or all of any prefix and click the search (>) button. This is free text search of the query name field so you can search for any text contained in any query name no matter where it falls within that string. To clear the results and show all queries again click the X button or press the escape key on your keyboard.

    To open any query just double-click it and it will open in its own tab. You can also right-click a query from within the library for a list of context menu options, which are as follows:

    Open - Same as double-clicking a query.

    Run now - This will open all selected queries then immediately execute them.

    Add to batch - This will add the selected queries to the batch manager.

    Favorites - Adds selected queries to your favorites list. You can add/remove queries you use the most to your favorites for quick access.

    Category - Assign the query(s) to different categories. Note: Due to the ease of searching, static categories may be deprecated in the future.

    Delete - Be careful! This choice deletes all selected queries. You will get a final warning before doing so. Additionally, this only deletes them from memory. The deletes are not final until you formally close LPS without saving the library.

    Hidden feature: CTRL+C. Using this key combination on a selected query will copy the query text to your clipboard. This is so you can quickly take a look at the query in a text editor without having to open it, or if you wanted to send the text portion of a query as-is to someone via email or for any other reason.

     

    Quickly edit query meta-data

    For basic edits such as a query's category, name, description, log type etc., it's a bit tedious to open it formally, make a simple name change, click save, then close the query you aren't even planning on executing. To get around this, select any query in the library then press F2. This will open a basic editor to change those fields. After clicking save, the changes will be propagated back to the library.

     

    Importing and Exporting

    You can import and export an entire library, a single query or a group of selected queries. When importing, multiple library XML files can be imported at once, choosing only the queries from each of those files that you want. Once chosen you have the choice to merge these into the library or completely replace the current library. Depending on your workflow this can be very advantageous. You may have certain queries for certain customers, projects or investigations and so on. You could save small groups of queries for certain tasks, or export queries to send to others who can import them directly into LPS. Or you may simply want to add queries to the default library and export it somewhere so you have a backup. To access importing and exporting go to File > Import or File > Export.

    Hidden feature: You can directly open the existing library in your default text editor by pressing CTRL+ALT+L. Please be forewarned that this file must be compliant with its format. Translation: make a typo, possibly even a case-sensitive mistake, and you won't be able to load this library any longer until you fix the issue. If, however, you are a more advanced user and you are aware of the risk involved, having direct access to the raw data might be of value. Once it is opened you could also Save-As to another location, which is yet another method to back up the library. If you are new to LPS and are wondering how to edit a query, don't do that here; this is accomplished by opening the query in LPS and editing directly in the query editor window, which will be discussed soon.

     

    Backup and Recovery of the Library

    The library consists of a single XML file that contains all queries and is stored in the user's AppData folder (LPSLibrary.xml). If this file ever becomes lost or corrupted you can recover the default installed library by choosing Help > Recover Library from the main menu bar. However, any queries you have created yourself or existing ones that you have modified will no longer be accessible. If you have custom queries it's a great idea to use the export feature and export your custom queries and/or the entire library to a backup location. If for some reason you need your queries back you can use the import feature to place them back into the library.
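    Since the library is one XML file and a hand edit (the CTRL+ALT+L hidden feature above) can leave it unloadable, here is an added example, not code from the original post or from LPS, of the two checks I would script around it: a timestamped copy of LPSLibrary.xml before you touch it, and a well-formedness check of the file afterwards. The library path is an assumption based on the default output directory the first post gives; adjust $Library if yours lives elsewhere.

```powershell
# Added example, not part of the original post: back up the LPS library file
# with a timestamp and check that an edited copy is still well-formed XML
# before starting LPS with it. Assumption: the library lives under the same
# %APPDATA%\ExLPT\Log Parser Studio folder the first post gives for the
# default output directory; adjust $Library if your copy is elsewhere.
$Library   = Join-Path $env:APPDATA 'ExLPT\Log Parser Studio\LPSLibrary.xml'
$BackupDir = Join-Path $env:USERPROFILE 'Documents\LPS-Backups'   # placeholder backup folder

function Backup-LpsLibrary {
    param([string]$Path = $Library, [string]$Destination = $BackupDir)
    if (-not (Test-Path -Path $Path)) { throw "Library not found: $Path" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "LPSLibrary-$stamp.xml"
    Copy-Item -Path $Path -Destination $target
    return $target
}

function Test-LpsLibraryXml {
    param([string]$Path = $Library)
    try {
        # Casting to [xml] only proves the file is well-formed XML (every tag
        # closed, attributes quoted). It does not know the LPS schema, so a
        # file that passes can still use a wrong element or attribute name,
        # which is the case-sensitive mistake the post warns about.
        $null = [xml](Get-Content -Path $Path -Raw)
        return $true
    } catch {
        Write-Warning "$Path is not well-formed XML: $($_.Exception.Message)"
        return $false
    }
}

$copy = Backup-LpsLibrary
Write-Host "Backup written to $copy"
if (-not (Test-LpsLibraryXml)) {
    Write-Host 'Restore the last good backup before starting LPS, or use Help > Recover Library.'
}
```

    Run the backup before a manual edit and the check after it; if the check fails, copying the most recent file from the backup folder back over LPSLibrary.xml keeps your custom queries, whereas Help > Recover Library only gives you the default set.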

     

    Conclusion

    The library is the central storage location for your queries. You can execute, modify, import, export, search for and categorize queries. You can back up and restore libraries or parts of libraries and recover the original default library. Queries can be opened for review and then executed, or multiple queries can be executed immediately. You can have multiple libraries or groups of queries to suit your working style. The library is typically your home base for managing all your queries; manage it well and it will serve you well. Next up: working with the query editor.