LOGPARSER #15: Check traffic from IP addresses

Customer of mine used a hardware load balancer to distribute traffic between their frontend web servers. This script that I put together gave them a chance to check whether traffic was distributed evenly between servers (K’s, Hits), if average wait time was the same etc. 10.000 meter view what’s going on. Interesting enough customer also note that all traffic did not originated from the load balancer IP’s. Just by doing these tests you discover new information about a system you thought you know pretty well :)

Select
c-ip AS Client,
Div(Sum(cs-bytes),1024) As IncomingBytes(K),
Div(Sum(sc-bytes),1024) As OutgoingBytes(K),
MAX(time-taken) as MaxTime,
AVG(time-taken) as AvgTime,
count(*) as hits
INTO errorsperip.txt
FROM
logs\iis\ex*.log
GROUP BY
client
ORDER BY
Hits
DESC

You can also dig into the errors of each IP address just to see if you find any differences. Maybe you have a configuration mismatch between servers?

Select
c-ip AS Client,
SUM(c400) AS 400s,
sum(c401) AS 401s,
SUM(c403) AS 403s,
SUM(c404) AS 404s,
SUM(c500) AS 500s,
SUM(c501) AS 501s,
SUM(c502) AS 502s,
SUM(c503) AS 503s,
SUM(c504) AS 504s,
SUM(c505) AS 505s
USING
CASE sc-status WHEN 400 THEN 1 ELSE 0 END AS c400,
CASE sc-status WHEN 401 THEN 1 ELSE 0 END AS c401,
CASE sc-status WHEN 403 THEN 1 ELSE 0 END AS c403,
CASE sc-status WHEN 404 THEN 1 ELSE 0 END AS c404,
CASE sc-status WHEN 500 THEN 1 ELSE 0 END AS c500,
CASE sc-status WHEN 501 THEN 1 ELSE 0 END AS c501,
CASE sc-status WHEN 502 THEN 1 ELSE 0 END AS c502,
CASE sc-status WHEN 503 THEN 1 ELSE 0 END AS c503,
CASE sc-status WHEN 504 THEN 1 ELSE 0 END AS c504,
CASE sc-status WHEN 505 THEN 1 ELSE 0 END AS c505
INTO
IPNumberFileName.txt
FROM
logs\iis\ex*.log
WHERE
c-ip=' <IP address goes here> '
GROUP BY
client

Happy log file digging!

//Anders