Parsing Logs

Here's a bit of code for parsing server logs into meaningful bits of information. It's based on the combined log format (which is discussed in greater detail elsewhere).

I'm fairly confident the function is sturdy: I've been using it for over a decade at the time of this writing, and on some sites that draw millions of hits per day, and it's held up extremely well.

readLog Function

The function for reading the log file is shown below. You will need to set a configuration variable $accesslog to indicate the location of your log file.

sub readLog{
  # read each log line and parse it - create an array of anything unusable
  open(DALOG,"$accesslog") || &scriptError(10); 
     # read in the log line
     $llrh = $llti = $llui = $lldt = $llhr = $llrc = $llbs = $llrs = $llua = "";
     $ll = $_;
     if ($ll =~ /(.*)\s(.*)\s(.*)\s\[([^\]]*)\]\s"([^"]*)"\s(.*)\s(.*)\s"([^"]*)"\s"([^"]*)"/){
        $llrh = $1;
        $llti = $2;
        $llui = $3;
        $lldt = $4;
        $llhr = $5;
        $llrc = $6;
        $llbs = $7; $llbs = 0 if ($llbs eq '-');
        $llrs = $8; $llrs = "" if ($llrs eq '-');
        $llua = $9; $llua = "" if ($llua eq '-');
        $lluu[@lluu] = $_;
     # break it down a bit more
     $llisp = $llddf = $llddd = $llddm = $llddy = $llrhm = $llrhv = "";
     $lldtf = $lldth = $lldtm = $lldts = "";
     $llrff = $llrfn = $llrfx = $llrfq = "";
     $llrsu =  $llrsf = $llrsq = "";
     if($llrh =~ /.*\.(.*)\.(.*)\Z/){$llisp = "$1.$2";}
     $lldt =~ s/\s.*\Z//;
     ($llddf,$lldth,$lldtm,$lldts) = split(':',$lldt);
     $lldtf = "$lldth:$lldtm:$lldts";
     ($llddd,$llddm,$llddy) = split('/',$llddf);
     ($llrhm,$llrff,$llrhv) = split(/\s/,$llhr);
     if ($llrff =~ /(.*)\?(.*)/){
        $llrfn = $1;
        $llrfq = $2;
        $llrfn =  $llrff;
    if ($llrfn =~ /.*\.(.*)/){
        $llrfx = $1;
    if ($llrs =~ /(.*)\?(.*)/){
        $llrsu = $llrsf = $1;
        $llrsq = $2;
        $llrsu = $llrsf =  $llrs;
    $llrsu =~ s/\Ahttps*\:\/\///;
    $llrsu =~ s/\/.*//;
    # HERE: Analyze the data.

The function above merely breaks apart log lines into meaningful information - it does not include any analysis of the resulting data.


If the server log file is not found or not readable, the function will throw a value of 10 to the scriptError subroutine.

If the function encounters a line it is unable to read, it will add it to an array of bad log lines @lluu to prevent it from corrupting the data.

Resulting Data

For each log line, the following data are parsed:

$llrh - Remote IP or Host
Example: adsl-75-43-223-116.dsl.lsan03.sbcglobal.net
This will return the remote IP address of the user, or the remote host's resolved name if host name look-ups are turned on. Useful for getting a raw head-count.
$llisp - User's ISP
Example: sbcglobal.net
This will parse the last two bits from the remote host, which is usually the gateway of the user's Internet Service Provider. Useful for a better assessment of the ISPs and companies from which your traffic originates.
$llti - Terminal ID
Example: -
Usually passed as a hyphen, as this field is very seldom used. Not useful for anything.
$llui - User ID
Example: -
For parts of the site that are password protected using standard HTTP authentication, this will reflect the username. Otherwise a hyphen will be passed. Useful for seeing which accounts are active and, coupled with the remote IP, whether passwords are being shared of have been compromised.
$lldt - Datetime
Example: 20/Mar/2010:17:00:31
This is the date and time string from the server, removing the GMT offset (which is the same for all log lines). Not particularly useful unless broken into components.
$llddf - Date: full
Example: 20/Mar/1995
This gives the day/month/year, which is useful for daily traffic analysis.
$llddd - Date: day
Example: 20
The day only, which is useful to identify patterns and trends in your traffic.
$llddm - Date: month
Example: Mar
The month only, which is not useful unless you're comparing several months' worth of data.
$llddy - Date: year
Example: 1995
The year only, which is not useful unless you're comparing several months' worth of data, which is highly unlikely.
$lldtf - Time: full
Example: 17:00:31
The full time signature, in hours:minutes:seconds. Military time is used (so 17:00 is 5:00 pm). This is not particularly useful until broken into components.
$lldth - Time: hh
Example: 17
The hour only, which is useful to identify patterns and trends in your traffic.
$lldtm - Time: mm
Example: 00
The hour only, which might be useful to identify patterns and trends in your traffic if you have a high-volume site and wish to monitor minute-to-minute fluctuations.
$lldts - Time: ss
Example: 31
The second only, which is not particulary useful.
$llhr - HTTP Request
Example: GET /cgi/myscript.pl?key=value&key=value HTTP/1.1
The full HTTP request details - method, URI, and version. This is not particularly useful until broken into components.
$llrhm - Request Method
Example: GET
The HTTP request method only.
$llrhv - HTTP Version
Example: HTTP/1.1
The HTTP version only, which is virtually always "HTTP/1.1".
$llrff - File: Full
Example: /cgi/myscript.pl?key=value&key=value
The name of the file only, which should be broken down into file and query string to avoid a lot of one-off data.
$llrfn - File: File only
Example: /cgi/myscript.pl
The file name only, excluding the query string, useful for determining which resources are the most/least popular
$llrfx - File: Extension
Example: pl
The extension only, useful in determining which kinds of resources are being used (and, coupled with referrer, detecting bandwidth thieves)
$llrfq - File: Query String
The query string sent. This is not useful as an aggregate, but may be analyzed on a file-by-file basis (for example, to see what input is most common for a particular script.
$llrc - Response Code
Example: 200
Indicates the HTTP response code, which can help identify files that are not being completely downloaded, bad references, etc.
$llbs - Bytes Sent
Example: 14677
The number of bytes referred. THis can be aggregated to assess your bandwidth consumption or cross-referenced with referrers to detect abuse of your resources.
$llrs - Referrer
Example: http://www.ocmoto.com/index.php?topic=26173.0
The URL of a page that referred the user to the current one. Since it includes query-string data, it is not useful to aggregate.
$llrsu - Referrer: URL
Example: www.ocmoto.com
The top-level URL only. Useful for detecting which Web sites are sending traffic to you and excluding your own site from certain analyses.
$llrsf - Referrer: File
Example: http://www.ocmoto.com/index.php
The referring address, stripped of query string, to help aggregate data about sites that send users to yours, or click-trails within you own site.
$llrsq - Referrer: Query String
Example: topic=26173.0
The query string of the referrer, useful in determining what keywords users are entering into search engines to find your site.
$llua - User-Agent
Example: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Passed by the user's software (web browser), this is useful in assessing what software (web browsers) are being used to view your site or eliminating "false traffic" from crawlers and bots. This value is highly variable and easily forged.


The function provided merely breaks down a log entry into smaller bits of data for further analysis. To get any value from it, you will still need to write the code that does the analytical tasks - but this function should save you the effort of parsing the component data.

And finally

This is online for my own use and reference, but feel to snag it if you think it would be useful. It's a trifle and I don't expect to be credited or compensated in any way ... but nor does it come with any sort of guarantee.