Fri, 20 Mar 2020 at 18:49, Willy Tarreau <[email protected]>:

> On Fri, Mar 20, 2020 at 06:06:47PM +0500, ???? ??????? wrote:
> > I am familiar with custom formats.
> > what I mean is (sample from IIS log)
> >
> > so I can query it like "select * from ... where sc-status=200" without
> > prior knowledge what field "sc-status" is (format might change from file to
> > file)
> >
> > also, I guess log exporters may take advantage from it.
> >
> >
> > #Software: Microsoft Internet Information Services 8.5
> > #Version: 1.0
> > #Date: 2017-06-26 13:09:21
> > *#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken*
> > 2017-06-26 13:09:21 192.168.183.152 GET / - 808 - 10.33.41.142 - - 200 0 64 11451
> > 2017-06-26 13:09:21 192.168.183.152 GET / - 808 - 10.33.41.142 - - 200 0 0 2378
> > 2017-06-26 13:11:23 192.168.183.152 GET /favicon2.iso - 808 - 10.33.41.142 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 1
> > 2017-06-26 13:11:23 192.168.183.152 GET /favicon.iso - 808 - 10.33.41.142 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 2
>
> But that's absurd, since there's no "beginning" of a log, contrary to what
> is done with the stats output which is always complete and works exactly
> like this. Logs are a continuous stream. When your process runs uninterrupted
> for one year and the output is rotated daily, that's unusable. I would say it
> must be up to the tool used to rotate them to start by prepending such a line
> just after rotating in this case.
>
I admit that it looks absurd. However, it works like a charm. There's a pretty big and happy community around LogParser. Probably, I need to spend time to prepare an example of how that works. I used to use it heavily when working with IIS, and that approach is really nice.

>
> Willy
>
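Added example, not part of the original message and not code from HAProxy or LogParser: a minimal reader that binds values to names from the `#Fields:` directive, so a query on `sc-status` keeps working when the layout changes mid-file, and that reports data lines seen before any directive (the rotation case raised in the thread). The function names and the second `#Fields` block in the sample are constructed for illustration.

```python
# Field-name-aware reader for W3C extended logs (the format of the IIS sample).
# First block of SAMPLE is taken from the thread; the second #Fields block is constructed.
SAMPLE = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-06-26 13:09:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-06-26 13:09:21 192.168.183.152 GET / - 808 - 10.33.41.142 - - 200 0 64 11451
2017-06-26 13:11:23 192.168.183.152 GET /favicon2.iso - 808 - 10.33.41.142 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 1
#Fields: time c-ip sc-status cs-uri-stem
13:12:00 10.33.41.142 200 /index.html
"""


def read_w3c(lines):
    """Yield (record, error) pairs; record maps field name -> value."""
    fields = None
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                fields = value.split()  # re-bind: the layout may change mid-stream
            continue
        values = line.split()
        if fields is None:
            # Rotated file whose header was never prepended: names are unknown,
            # so refuse to guess instead of mapping columns by position.
            yield None, f"line {lineno}: data before any #Fields directive"
        elif len(values) != len(fields):
            yield None, f"line {lineno}: {len(values)} values for {len(fields)} fields"
        else:
            yield dict(zip(fields, values)), None


def select(lines, where):
    """Return records whose named fields equal the values given in `where`."""
    return [rec for rec, err in read_w3c(lines)
            if rec is not None and all(rec.get(k) == v for k, v in where.items())]


def errors(lines):
    """Return the parse errors, e.g. for alerting on unparseable log segments."""
    return [err for _, err in read_w3c(lines) if err]


if __name__ == "__main__":
    for row in select(SAMPLE.splitlines(), {"sc-status": "200"}):
        print(row["c-ip"], row["cs-uri-stem"])
```
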

