How to extract NETBIOS name from BADMIF files on ConfigMgr 2012 using Log Parser 2.2

It's been a long time since my last post, so at this time let's talk about a powerful tool: Log Parser 2.2!

Log Parser 2.2 is used by IIS, Platforms and Exchange engineers, but the cool thing about Log Parser 2.2 is the fact it’s not related to a specific product/technology. In this post, I'll give an example about how to extract information from text files, in this case .MIF files, since a lot of customers need to do this on a day to day basis.

This could be accomplished by using FINDSTR as well, but again, I’ll focus on Log Parser 2.2 here.

All that said, here is the common scenario:

  • Customer wants to extract NETBIOS names from the .MIF files (BADMIF folder) to better understand issues they may have with the SCCM clients trying to forward hardware inventory information to the SCCM site server.

This is a common scenario: sometimes a single machine sends lots of HINV deltas to the SCCM site server, but they are not processed for some reason.

You may end up with a single machine, or maybe only a few machines, with more than hundreds of BADMIFs, and the number of files can be huge.

Let’s go through this three step process:

  1. Download Log Parser 2.2 from https://www.microsoft.com/en-us/download/details.aspx?id=24659 and install it;
  2. Open CMD as Administrator and navigate to the Log Parser 2.2 installation path, which by default is: C:\Program Files (x86)\Log Parser 2.2;
  3. Here is the query that we need to run:
     LogParser.exe -o:CSV "select replace_chr(extract_token(Text,1,'><'),'>','') into BadMif_Computer_Name.csv from D:\SMS\Inboxes\auth\dataldr.box\BadMifs\*.mif where text like '//KeyAttribute<NetBIOS Name>%'" -q -headers:off

What the Log Parser query does:

  • Basically it scans all .MIF files under a specific directory, in this case "D:\SMS\Inboxes\auth\dataldr.box\BadMifs\", and extracts the NETBIOS names from them.

Let’s break down this Log Parser query:

  • -o: This sets the output format; we have more options here, such as XML, TEXTLINE, DATAGRID and so on;
  • Into *.csv file: This generates the .CSV file under the Log Parser installation path, which again, by default is C:\Program Files (x86)\Log Parser 2.2;
  • replace_chr: Replaces each occurrence of a character in a given set of characters with a string;
  • extract_token(Text,1,'><'),'>',''): Splits the string into substrings at each point where the separator occurs, and returns the substring with the specified index. Here is where I remove all the unneeded characters from my string (//KeyAttribute<NetBIOS Name>%), since I’m only interested in the NETBIOS name itself;
  • from D:\SMS\Inboxes\auth\dataldr.box\BadMifs\*.mif: This is just the path I’m using for extracting the information. You can change it to the path where your BADMIFs are located in your environment (this could be whatever location holds your .MIF files);
  • where text like '//KeyAttribute<NetBIOS Name>%': This is exactly the string I’m looking to manipulate, since it is where the NETBIOS name is located in the MIF files. You can also use wildcards here;
  • -q: This is for quiet mode;
  • -headers:off: I used this to remove the header information, as I’m using the replace_chr and extract_token functions. If you don’t use this parameter, you will see the header information in the .CSV file that the query creates, which I prefer to remove.
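
The breakdown above, carried one step further as an added example (not the author's code): Python stand-ins for extract_token and replace_chr, as they are described in this post, applied to each file and then counted per machine so the noisiest clients surface first. The function names and the sample MIF contents are constructed for illustration, following the //KeyAttribute<NetBIOS Name> pattern used in the query.

```python
from collections import Counter

PREFIX = "//KeyAttribute<NetBIOS Name>"  # the string the query's LIKE filter looks for

def extract_token(text, index, sep):
    """Split text at each occurrence of sep; return the token at index, or None."""
    parts = text.split(sep)
    return parts[index] if index < len(parts) else None

def replace_chr(text, chars, replacement):
    """Replace every character of text that appears in chars with replacement."""
    return "".join(replacement if c in chars else c for c in text)

def netbios_name(line):
    """Apply the query's steps to one line; None if the line does not qualify."""
    if not line.startswith(PREFIX):        # stands in for: where text like '...%'
        return None
    token = extract_token(line, 1, "><")   # e.g. 'PC-0042>'
    if token is None:                      # malformed line: nothing after the key
        return None
    return replace_chr(token, ">", "").strip() or None

def badmifs_per_machine(mifs):
    """mifs maps file name -> file text. Returns [(name, count)], busiest first."""
    counts = Counter()
    for text in mifs.values():
        names = [n for n in map(netbios_name, text.splitlines()) if n]
        if names:
            counts[names[0].upper()] += 1  # NetBIOS names are case-insensitive
    return counts.most_common()

# Constructed sample input: five BADMIFs, three from one machine, one truncated.
SAMPLE_MIFS = {
    "a.mif": "//KeyAttribute<NetBIOS Name><PC-0042>\n(rest of file)\n",
    "b.mif": "//KeyAttribute<NetBIOS Name><pc-0042>\n(rest of file)\n",
    "c.mif": "//KeyAttribute<NetBIOS Name><SRV-FILE01>\n(rest of file)\n",
    "d.mif": "//KeyAttribute<NetBIOS Name><PC-0042>\n(rest of file)\n",
    "e.mif": "//KeyAttribute<NetBIOS Name>\n(truncated header)\n",
}

if __name__ == "__main__":
    for name, count in badmifs_per_machine(SAMPLE_MIFS):
        print(f"{name},{count}")
```

A BADMIF is by definition a file that failed processing, so the truncated-header case is handled by returning no name instead of raising an error.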

We could simplify this query by running it like this: LogParser.exe -o:CSV "select * into BadMif_Computer_Name.csv from D:\SMS\Inboxes\auth\dataldr.box\BadMifs\*.mif where text like '//KeyAttribute<NetBIOS Name>%'" The problem is that we would still need to spend some time in a text editor such as PSPAD or others removing those unneeded characters until we have what really matters, in this case, the NETBIOS name.

This is only one example of using Log Parser 2.2 with SCCM. We could use it in different scenarios, for example when we need to extract some specific information from SCCM component logs, DDRs, CCRs, etc. We have a lot of possibilities here!

I hope this helps!

Andre Della Monica
ConfigMgr Senior Premier Field Engineer – U.S Central Region