Today I noticed we were getting an increasing amount of spam on one of our form pages. I was curious to see if all of the user IP addresses were the same (in which case I’d just add them to the IIS7 IP Restrictions list). To quickly and easily figure this out I decided to use LogParser. Besides just querying for the page though, I wanted to add an additional condition to exclude rows that came from a certain internal IP address that we use for monitoring.
Here’s a generic version of the query I used:
LogParser.exe -q:on "SELECT * FROM x:\wwwlogs\W3SVC1\u_ex130411.log WHERE cs-uri-stem='/SomePage/' and c-ip<>'10.10.1.100' >c:\temp\PageVisitors.txt"
I wanted to see the full logged data for the request, but if I didn’t, I could have very easily just pulled the IP addresses using:
LogParser.exe -q:on "SELECT c-ip FROM x:\wwwlogs\W3SVC1\u_ex130411.log WHERE cs-uri-stem='/SomePage/' and c-ip<>'10.10.1.100' >c:\temp\PageVisitors.txt"
You can see that I’m piping the results to a text file (the “>c:\temp\PageVisitors.txt” part) so that I can easily deal with the results. You may also want to take note that I’m using the “-q:on” flag which runs the command in Quite Mode. If you don’t set this flag then LogParser will show results one page at a time. When piping to a text file rather than the command prompt window, you obviously can’t hit a key for “next page” so without this flag the query will actually hang forever if there is more than one page worth of results.