I have noticed some quirkiness with SARG on windows and the ironport squid log file format (with regard to the username field). I've created a vbscript to resolve the issue and thought I'd post it for others. The script also splits the output into one log per day, with the date parsed from the source ironport log file names.
Btw, I have to use windows so don't ask =)
Also, not sure how well it will work on large log files...
' Description: Parses Ironport WSA squid access log files
' and produces daily log output suitable for
' SARG on MS Windows
' Warning: Script removes original log files
' Example: parselogs.vbs d:\ftproot d:\proxylogs
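Option Explicit

' Check the argument count before anything below reads WScript.Arguments.
testInput

Dim objRegExpr, objFSO, objFile, objInputFile, objOutputFile, objFolder
Dim strSourceDir, strDestinationDir, colFiles, strInputFile, strOutputFile
Const ForReading = 1, ForWriting = 2, ForAppending = 8

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objRegExpr = New RegExp
objRegExpr.Global = True
objRegExpr.IgnoreCase = False

strSourceDir = WScript.Arguments.Item(0)
strDestinationDir = WScript.Arguments.Item(1)

If objFSO.FolderExists(strSourceDir) And objFSO.FolderExists(strDestinationDir) Then
    Set objFolder = objFSO.GetFolder(strSourceDir)
    Set colFiles = objFolder.Files

    For Each objFile In colFiles
        ' The day stamp is the 8 digits between "@" and "T" in the file name.
        objRegExpr.Pattern = ".*@(\d{8})T.*"

        ' Only touch files whose name carries that stamp. Without this check
        ' Replace() returns the name unchanged, so any unrelated file in the
        ' source directory would be copied to "<name>.log" and then deleted.
        If objRegExpr.Test(objFile.Name) Then
            strInputFile = objFile.Path
            strOutputFile = objFSO.BuildPath(strDestinationDir, _
                objRegExpr.Replace(objFile.Name, "$1") & ".log")

            Set objInputFile = objFSO.OpenTextFile(strInputFile, ForReading)
            ' Append (create if missing) so several source files from the
            ' same day end up in one daily log.
            Set objOutputFile = objFSO.OpenTextFile(strOutputFile, ForAppending, True)

            ' Rewrites a quoted field of the form "name@suffix" to the bare name.
            ' NOTE(review): (.*) is greedy, so on a line holding more than one
            ' quoted field with an "@" the match runs to the last one and the
            ' text in between becomes the user name - confirm against the
            ' log format in use before relying on the per-user reports.
            objRegExpr.Pattern = " ""(.*)@.*"" "
            Do While Not objInputFile.AtEndOfStream
                objOutputFile.WriteLine objRegExpr.Replace(objInputFile.ReadLine, " $1 ")
            Loop

            objInputFile.Close
            objOutputFile.Close

            ' The original is removed only after every line has been written
            ' and both handles are closed.
            objFSO.DeleteFile strInputFile
        End If
    Next
Else
    WScript.Echo "Error: Invalid Source or Destination Directory"
    ' Non-zero exit status so a scheduled task or wrapper can detect the failure.
    WScript.Quit 1
End If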
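' Ends the script with a usage message unless both directory arguments
' (source and destination) were supplied on the command line.
Sub testInput()
    If WScript.Arguments.Count < 2 Then
        WScript.Echo "Usage: " & WScript.ScriptName & " <sourcedir> <destinationdir>"
        ' Non-zero exit status so a scheduled task or wrapper can tell the
        ' script did not run.
        WScript.Quit 1
    End If
End Sub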