<?xml version="1.0"?>
<Table>
<Row StyleID="s16">
<Cell StyleID="s21"><Data Type="String">Type</Data></Cell>
<Cell StyleID="s21"><Data Type="String">Keyword</Data></Cell>
<Cell StyleID="s21"><Data Type="String">Description</Data></Cell>
<Cell StyleID="s22"><Data Type="String">Example</Data></Cell>
<Cell StyleID="s21"><Data Type="String">Code Insight</Data></Cell>
</Row>
<Row Height="30">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">SELECT</Data></Cell>
<Cell><Data Type="String">The SELECT clause specifies the fields of the output records to be returned by the query.</Data></Cell>
<Cell><Data Type="String">SELECT TimeGenerated, SourceName FROM System</Data></Cell>
</Row>
<Row Height="75">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">USING</Data></Cell>
<Cell><Data Type="String">The USING clause declares aliased field-expressions that do not appear in the output records but can be referenced anywhere in the query. The USING clause is employed to improve query readability.</Data></Cell>
<Cell><Data Type="String">SELECT Username USING TO_LOWERCASE( RESOLVE_SID(Sid) ) AS FQAccount, EXTRACT_TOKEN( FQAccount, 1, '\\') AS Username FROM Security</Data></Cell>
</Row>
<Row Height="45">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">INTO</Data></Cell>
<Cell><Data Type="String">The INTO clause is used to specify the output format target(s) to which the query output records are to be written. </Data></Cell>
<Cell><Data Type="String">SELECT * INTO MyOutput.csv FROM System</Data></Cell>
</Row>
<Row Height="45">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">FROM</Data></Cell>
<Cell><Data Type="String">The FROM clause is used to specify the input format source(s) from which the query input records are to be read. </Data></Cell>
<Cell><Data Type="String">SELECT * FROM System, Security</Data></Cell>
</Row>
<Row Height="90">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">WHERE</Data></Cell>
<Cell StyleID="s20"><Data Type="String">The WHERE clause is used to specify a boolean condition that must be satisfied by an input record for that record to be output. Input records that do not satisfy the condition are discarded. The expression in a WHERE clause cannot reference SQL (aggregate) functions. To specify conditions on values of aggregate functions, use the HAVING clause.</Data></Cell>
<Cell><Data Type="String">WHERE EventID = 501</Data></Cell>
</Row>
<Row Height="60">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">GROUP BY</Data></Cell>
<Cell><Data Type="String">The GROUP BY clause specifies the groups into which output rows are to be placed and, if aggregate functions are included in the SELECT or HAVING clauses, calculates the aggregate function values for each group.</Data></Cell>
<Cell><Data Type="String">SELECT date, cs-uri-stem, COUNT(*) FROM LogFiles\ex040528.log GROUP BY date, cs-uri-stem</Data></Cell>
</Row>
<Row Height="150">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">WITH ROLLUP</Data></Cell>
<Cell StyleID="s20"><Data Type="String">Specifies that in addition to the usual rows provided by GROUP BY, summary rows are introduced into the result set. Groups are summarized in a hierarchical order, from the lowest level in the group to the highest, and the corresponding summary rows contain NULL values for the groups that have been summarized. The group hierarchy is determined by the order in which the grouping field-expressions are specified. Changing the order of the grouping field-expressions can affect the number of rows produced in the result set.</Data></Cell>
<Cell><Data Type="String">SELECT date, cs-uri-stem, COUNT(*) FROM LogFiles\ex040528.log GROUP BY date, cs-uri-stem WITH ROLLUP</Data></Cell>
</Row>
<Row Height="60">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">HAVING</Data></Cell>
<Cell><Data Type="String">The HAVING clause is used to specify a boolean condition that must be satisfied by a group for the group record to be output. Groups that do not satisfy the condition are discarded.</Data></Cell>
<Cell><Data Type="String">SELECT SourceName FROM System GROUP BY SourceName HAVING COUNT(*) > 10</Data></Cell>
</Row>
<Row Height="60">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">TOP</Data></Cell>
<Cell><Data Type="String">Specifies that only the first n records are to be output from the query result set. If the query includes an ORDER BY clause, the first n records ordered by the ORDER BY clause are output.</Data></Cell>
</Row>
<Row Height="30">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">ALL</Data></Cell>
<Cell><Data Type="String">Specifies that duplicate records can appear in the result set. ALL is the default.</Data></Cell>
</Row>
<Row Height="30">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">AS</Data></Cell>
<Cell><Data Type="String">Specifies an alternative name to replace the field name in the query result set.</Data></Cell>
<Cell><Data Type="String">SELECT EventID AS MyAlias, ADD(MyAlias, 100)</Data></Cell>
</Row>
<Row Height="45">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell Index="2"><Data Type="String">DISTINCT</Data></Cell>
<Cell><Data Type="String">Specifies that only unique records can appear in the result set. NULL values are considered equal for the purposes of the DISTINCT keyword.</Data></Cell>
</Row>
<Row Height="120">
<Cell><Data Type="String">Query Syntax</Data></Cell>
<Cell><Data Type="String">ORDER BY</Data></Cell>
<Cell StyleID="s20"><Data Type="String">The ORDER BY clause specifies which SELECT clause field-expressions the query output records should be sorted by. Arguments: ASC (specifies that the field-expression list values should be sorted in ascending order, from lowest value to highest value; ASC is the default); DESC (specifies that the field-expression list values should be sorted in descending order, from highest value to lowest value).</Data></Cell>
<Cell><Data Type="String">SELECT date, cs-uri-stem, cs-uri-query, sc-bytes FROM LogFiles\ex040528.log ORDER BY sc-bytes DESC</Data></Cell>
</Row>
<Row Height="60">
<Cell><Data Type="String">Expressions</Data></Cell>
<Cell><Data Type="String">ALL</Data></Cell>
<Cell><Data Type="String">The ALL operator compares a given field-expression with a list of values, returning TRUE if all values in the list satisfy the comparison operation, or FALSE if not all values satisfy the comparison.</Data></Cell>
<Cell><Data Type="String">(Year, Age) &lt; ALL (1999, 30; 2001, 40; 2002, 10)</Data></Cell>
</Row>
<Row Height="60">
<Cell><Data Type="String">Expressions</Data></Cell>
<Cell><Data Type="String">ANY</Data></Cell>
<Cell><Data Type="String">The ANY operator compares a given field-expression with a list of values, returning TRUE if any value in the list satisfies the comparison operation, or FALSE if no values satisfy the comparison.</Data></Cell>
<Cell><Data Type="String">(Year, Age) &lt; ANY (1999, 30; 2001, 40; 2002, 10)</Data></Cell>
</Row>
<Row Height="30">
<Cell><Data Type="String">Expressions</Data></Cell>
<Cell><Data Type="String">BETWEEN</Data></Cell>
<Cell><Data Type="String">The BETWEEN operator determines if a given field-expression belongs to a specified interval.</Data></Cell>
<Cell><Data Type="String">Year BETWEEN 1999 AND 2004</Data></Cell>