I'm trying to get a value (IP address) from a W3C logfile (kinda like a text file). This is what I have so far, but with no luck:

Set filename=ex%date:~-2,4%%date:~-10,2%%date:~-7,2%.log

For /F "tokens=2 delims=: . " %%A in ('E:\WINDOWS\system32\LogFiles\MSFTPSVC6141885\%filename%') do (Set ip=%%A)

and the log file looks like:

# Software: Microsoft Internet Information Services 6.0
# Version: 1.0
#Date: 2009-01-10 20:58:16
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status 
#20:58:16 10.10.1.111 [25]USER anonymous 331 0

So the IP address is on the 5th line, second column (10.10.1.111).

Any feedback would be appreciated!

+2  A: 

Have you tried Microsoft Log Parser? Supposedly it supports W3C-style log files out-of-the-box. I don't know what you're trying to do, but it might be easier than hand-crafting a batch file.

Alternatively, install AWK (e.g. from Cygwin). Or even Perl -- this is its raison d'être.

Roger Lipscombe
A: 

Yeah, I did try it, but it doesn't really have the functionality I need. I've basically written a batch script that sends an email as soon as someone uploads a file to my FTP site, and that part works. Now I'm trying to get it to also get the IP address from the log file and put that value into "ip" or something to also send with the email. All I'm stuck with is the for loop, making it get the value from the fourth line, second column (or second word) where the IP address resides.

NZ4Ever
+1  A: 

Change your for line to this:

For /F "skip=4 tokens=2" %%A in (E:\WINDOWS\system32\LogFiles\MSFTPSVC6141885\%filename%) do (
    Set ip=%%A
    goto :DONE
)
:DONE
@echo IP = %ip%
:: Continue script

skip=4 will ignore the first four lines of the log file and start parsing the 5th. You need the goto to stop from parsing the rest of the lines in the file, otherwise you'll spin through the whole file and ip would equal the second token of the last line, which may or may not be the IP address.

The default delimiter is space, so you don't need to change this with a delims arg. You do want just the second token, which is the IP address.

You don't need to enclose the filename in single quotes, since you're parsing the contents of the file, not the filename string. If the filename has embedded spaces you would have to use this for line instead:

For /F "usebackq skip=4 tokens=2" %%A in ("E:\WINDOWS\system32\LogFiles\MSFTPSVC6141885\%filename%") do (

Patrick Cuff
A: 

Patrick, it worked!!!! Thank you so much for all your help :D I didn't think about the skip :(

Just one more thing: I just realised that if someone else uploads a file that same day, it logs the new IP address in the same log file. My trigger works really well and starts off the script as soon as someone uploads a file. But the thing is it will show the previous IP address, on the 5th line, second column, and not the new file upload IP address. Any ideas? Here's an example:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-01-07 02:42:29
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
02:42:29 10.10.1.111 [1]USER anonymous 331 0
02:42:29 10.10.1.111 [1]PASS hp2@hp2-desktop 230 0
02:42:45 10.10.1.111 [1]created /testing.ppt 226 0
02:45:27 10.10.1.132 [1]closed - 421 121
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-01-07 02:45:27
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status 
03:27:47 10.10.1.132 [2]USER anonymous 331 0
03:27:47 10.10.1.132 [2]PASS ubuntu@tdw 230 0
03:28:04 10.10.1.132 [2]created /test.exe 226 0

So as you can see, at time 03:27:47 someone else uploaded a file. I've noticed that the "cs-method" ([1], [2]) keeps going up each time something new is uploaded. So maybe we could use some sort of a count to distinguish each file upload session to get the IP address? This was my first log file so the "cs-method" count starts from [1]; in my most recent log file (as of today) the count is at [26]. Thanks again for your help.

NZ4Ever
If you remove the `goto :Done` line from the body of the `for` loop, `ip` will contain the IP address of the last line of the file, which will be the latest upload.
Patrick Cuff
A: 

Actually I just figured out the answer by reading your post again! You mentioned

"You need the goto to stop from parsing the rest of the lines in the file, otherwise you'll spin through the whole file and ip would equal the second token of the last line, which may or may not be the IP address."

Ahh but it actually is. The log file keeps updating when someone puts a new file, and the most recent IP address will always be at the bottom! Wish I could rate your answer as helpful but it says I need 15 reputations:( so all I can do is say thanks.

NZ4Ever
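
The thread settles on taking the second token of the last line, but the sample log shows repeated `#` header blocks and a final line can be a `closed` entry from a different client. The script below is an added example, not code from any of the posts: it skips header lines with `eol=#` and keeps the `c-ip` of the last `created` entry. It assumes `created` marks an upload as in the question's log; the sample file name and the `10.10.1.150` line are constructed.

```batch
@echo off
setlocal
rem Use the log given as the first argument; with no argument, build a small
rem constructed sample (modelled on the log in the question) and parse that.
set "logfile=%~1"
if not defined logfile call :make_sample
set "ip="
set "file="
rem eol=#  : skip the #Software/#Version/#Date/#Fields header lines, which
rem          can reappear in the middle of the file, not only on lines 1-4.
rem delims : "]" and space, so "[2]created" splits into "[2" and "created".
rem tokens : 2 = c-ip, 4 = cs-method verb, 5 = cs-uri-stem.
for /F "usebackq eol=# tokens=2,4,5 delims=] " %%A in ("%logfile%") do (
    if /I "%%B"=="created" (
        set "ip=%%A"
        set "file=%%C"
    )
)
if not defined ip (
    echo No "created" entry found in "%logfile%"
    exit /b 1
)
echo Last upload: "%file%" from %ip%
exit /b 0

:make_sample
rem Constructed sample data: the last line is a "closed" entry from another
rem client, so "second token of the last line" would report the wrong IP.
set "logfile=%TEMP%\ftp_sample.log"
> "%logfile%" (
    echo #Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
    echo 02:42:29 10.10.1.111 [1]USER anonymous 331 0
    echo 02:42:45 10.10.1.111 [1]created /testing.ppt 226 0
    echo #Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
    echo 03:28:04 10.10.1.132 [2]created /test.exe 226 0
    echo 03:30:10 10.10.1.150 [3]closed - 421 121
)
goto :eof
```

A file name containing `]` would be split by the delimiter set, so treat the reported name as informational and rely on the IP column.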