Mr. Bad Example

We're all examples: some good, some bad, some ugly.

Regularly Expressing IIS Log Files

If it seems like I'm obsessed with IIS log files -- well, okay, I am. My latest adventure with them has been figuring out how to merge logs from IIS5 with logs from IIS6 so that our analysis tools can do their thing with both. It turns out that the IIS6 log file fields come in a different sequence from IIS5 and may carry an extra value (sc-substatus) at the maximum logging level. So I wanted to write a set of RegExs that determine whether a given line of useful data came from IIS5 or IIS6 without having any of the file headers.

Yeah, really. I'm that big of a geek. :)

It didn't take long to figure out that this isn't as trivial a task as it sounds, and I needed a way to test my RegExs -- sort of a RegEx editor and debugger, if you will. I found a great one in Regex Buddy. Granted, you might never have need for this tool, but if you're regularly working with RegExs, it just rocks.

For me the coolest thing is its color-coding, which makes it easy to tell the parts of a pattern apart. The paren-balance coloring is very helpful too. But the best feature is that you can load a file of sample lines into it and it will show you matching and non-matching lines by color. I highly recommend this tool to anybody doing non-trivial work with regular expressions.

And did I mention it has a visual tool for building RegExs from "human friendly" terms as a list/tree? With this tool in your bag of tricks, you don't even need a full command of RegExs to make full use of them. Tell me that doesn't rock!

Anyway, here's my nicely annotated RegEx for IIS5 logs. Two details matter: the cs-version alternation has to sit inside its own group so that both the HTTP/x.y branch and the "-" branch consume the trailing separator (otherwise cs-host captures a leading space), and s-port needs to allow up to five digits, since sites on 8080 or 8443 are common.

((?# date)\d{4}\-\d{2}\-\d{2}\s+)((?# time)\d{2}\:\d{2}\:\d{2}\s+)((?# c-ip)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+)((?# cs-username).+?\s+)((?# s-sitename).+?\s+)((?# s-computername).+?\s+)((?# s-ip)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+)((?# s-port)\d{1,5}\s+)((?# cs-method).+?\s+)((?# cs-uri-stem).+?\s+)((?# cs-uri-query).+?\s+)((?# sc-status)\d{1,3}\s+)((?# sc-win32-status)\d+\s+)((?# sc-bytes)\d+\s+)((?# cs-bytes)\d+\s+)((?# time-taken)\d+\s+)((?# cs-version)(?:HTTP\/\d\.\d|\-)\s+)((?# cs-host).+?\s+)((?# csUser-Agent).+?\s+)((?# csCookie).+?\s+)((?# csReferer).+)

And one for IIS6 logs. Note that csReferer is no longer the last field here, so it must be lazy (.+?) followed by the separator; a greedy .+ in the middle of the pattern swallows cs-host and the status and byte counts that follow it.

((?# date)\d{4}\-\d{2}\-\d{2}\s+)((?# time)\d{2}\:\d{2}\:\d{2}\s+)((?# s-sitename).+?\s+)((?# s-computername).+?\s+)((?# s-ip)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+)((?# cs-method).+?\s+)((?# cs-uri-stem).+?\s+)((?# cs-uri-query).+?\s+)((?# s-port)\d{1,5}\s+)((?# cs-username).+?\s+)((?# c-ip)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+)((?# cs-version)(?:HTTP\/\d\.\d|\-)\s+)((?# csUser-Agent).+?\s+)((?# csCookie).+?\s+)((?# csReferer).+?\s+)((?# cs-host).+?\s+)((?# sc-status)\d{1,3}\s+)((?# sc-substatus)\d{1,3}\s+)((?# sc-win32-status)\d+\s+)((?# sc-bytes)\d+\s+)((?# cs-bytes)\d+\s+)((?# time-taken)\d+)
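The same two field layouts, as an added example that is not part of the original post: it builds an anchored pattern per IIS generation, tells IIS5 and IIS6 data lines apart, parses each into a dict, and re-emits IIS5 records in IIS6 field order so one analysis tool can take both. It assumes W3C extended fields never contain a space (IIS writes spaces in URIs and user agents as '+'), so it uses \S+ where the patterns above use .+?; the sample lines are constructed, not real traffic, and the "-" it puts in sc-substatus for IIS5 records is a filler chosen here, not something IIS writes.

```python
import re

# Field order at full logging for each generation, as encoded by the two
# patterns in the post (IIS6 inserts sc-substatus and reorders the rest).
IIS5_FIELDS = (
    "date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes "
    "cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)"
).split()
IIS6_FIELDS = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) "
    "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken"
).split()

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Fields with a fixed shape get a tight pattern; everything else is \S+.
# Assumption: W3C fields never contain a space, so \S+ (unlike .+?) can
# never creep across a separator into a neighbouring field while backtracking.
TYPED = {
    "date": r"\d{4}-\d{2}-\d{2}",
    "time": r"\d{2}:\d{2}:\d{2}",
    "c-ip": _IP,
    "s-ip": _IP,
    "s-port": r"\d{1,5}",          # 8080, 8443 and friends need five digits
    "sc-status": r"\d{3}",
    "sc-substatus": r"\d+",
    "sc-win32-status": r"\d+",
    "sc-bytes": r"\d+",
    "cs-bytes": r"\d+",
    "time-taken": r"\d+",
    "cs-version": r"HTTP/\d\.\d|-",  # alternation is scoped to its own group
}


def build_pattern(fields):
    """Anchored regex with one named group per field, in the given order."""
    parts = []
    for name in fields:
        group = re.sub(r"\W+", "_", name).strip("_")  # cs(User-Agent) -> cs_User_Agent
        parts.append("(?P<%s>%s)" % (group, TYPED.get(name, r"\S+")))
    return re.compile(r"^" + r"\s+".join(parts) + r"\s*$")


IIS5_RE = build_pattern(IIS5_FIELDS)
IIS6_RE = build_pattern(IIS6_FIELDS)


def classify(line):
    """Return (version, fields) for a data line, or (None, None) for header
    lines ('#Fields: ...' etc.) and for lines that fit neither layout.
    The two layouts cannot both match: IIS5 needs an IP in field 3, IIS6
    needs one in field 5, and the field counts differ (21 vs 22)."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None, None
    for version, rx, names in (("IIS5", IIS5_RE, IIS5_FIELDS),
                               ("IIS6", IIS6_RE, IIS6_FIELDS)):
        m = rx.match(line)
        if m:
            return version, dict(zip(names, m.groups()))
    return None, None


def to_iis6_line(fields):
    """Re-emit a parsed record in IIS6 field order. IIS5 records have no
    sc-substatus; the '-' filler is this example's choice, not IIS output."""
    return " ".join(fields.get(name, "-") for name in IIS6_FIELDS)


# Constructed sample lines (not real traffic), one per layout.
IIS5_SAMPLE = ("2005-01-31 22:28:01 192.0.2.10 - W3SVC1 WEB01 198.51.100.5 80 GET "
               "/default.htm - 200 0 1234 321 15 HTTP/1.1 www.example.com "
               "Mozilla/4.0+(compatible;+MSIE+6.0) - -")
IIS6_SAMPLE = ("2005-01-31 22:28:02 W3SVC1 WEB02 198.51.100.6 GET /default.htm - 80 - "
               "192.0.2.11 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - - "
               "www.example.com 404 0 2 1234 321 15")

if __name__ == "__main__":
    for sample in (IIS5_SAMPLE, IIS6_SAMPLE):
        version, fields = classify(sample)
        print(version, fields["cs-uri-stem"], fields["sc-status"])
        print(to_iis6_line(fields))
```

Because every group is anchored and space-free, a line from the wrong generation fails fast instead of being forced into a misaligned match by backtracking, which is exactly what a greedy or lazy .+ cannot guarantee once two fields in a row are free-form.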


Posted: Jan 31 2005, 10:28 PM by ktegels | with 16 comment(s)