Readme for analog 3.32

Introduction

Analog is a program which analyses logfiles from WWW servers. It works on almost any operating system. It is designed to be fast and to produce attractive statistics. It's free software.

Beginners should read the licence followed by the section on Starting to use analog.

This Readme describes analog3.32. For the latest version of analog, see the analog home page. For examples of the output see

Analog is free software, but its use is covered by a licence. You must agree to the terms of the licence before using the program.

This is a version of the Readme in one page. If you're reading it on line, you might prefer the version on several smaller pages. There is an index at the end of this document.

Now you can go to


Starting to use analog

The only thing you need to run analog is to be able to read the logfiles which are produced by your web server. If you don't know what these logfiles are and where to find them, contact your internet service provider (ISP) or system administrator. Analog doesn't write the logfiles: it only reads them.

If you log in to your ISP's machine from your home machine, you have two options. If you have the right permissions, you can run analog on your ISP's machine. Otherwise, you can download (e.g., ftp) the logfiles from their machine to yours, and then run analog on your machine.

Once you've downloaded the right version of analog for your computer from the analog home page (or a mirror site), you need to know how to set it up and run it. This is very easy, but the instructions are slightly different depending which platform you're using.

If you can't manage to set up analog after reading the instructions, send a message to the analog-help mailing list.


Starting to use analog on a Mac

When you download the Mac version of analog, it should unpack itself. (If it doesn't, you might have to run StuffIt Expander on it). You should then find in the analog directory a configuration file called analog.cfg and the analog application itself, as well as the Readme, the Licence (which you must read and agree to before using analog) and a couple of other files. When you double-click on the analog icon, it will run in its own window, and produce an output file called Report.html. (For help in interpreting the output, see What the results mean.) The window will then close if there weren't any warning messages, or stay open for you to read them if there were.
You can configure analog by putting commands in the configuration file, analog.cfg. One command you will need straight away is
LOGFILE logfilename    # to set where your logfile lives
The logfile must be stored locally -- analog won't use FTP or HTTP to fetch it from the internet. There's a sample logfile supplied with the program.

There's a list of basic commands later in the Readme. Also there are a few to get you started in the configuration file already, but there are lots of others available. You can read about all the commands in the section on customising analog.


Another way to start analog is to drag a logfile onto the analog icon, in which case analog will try to analyse it, or drag a configuration file onto the icon, in which case analog will use the commands in that configuration file. (Analog detects whether it's a configuration file or a logfile by whether it starts with a # or not.) This enables you to create different reports without having two copies of the application.

One note: on other platforms, there is another way to give options, via command line arguments. You'll see these mentioned in this Readme from time to time, but the Mac doesn't have a command line, so ignore these.

If you want to compile your own version of analog (it's written in C), or just to read the source code, it's available from the analog home page. (It's the same source code for all versions).


Starting to use analog under Windows

This describes how to set up analog under Windows 95, 98 or NT. Windows 3.1 users will have to read the section on other platforms instead.

When you've downloaded analog, and either you or your browser has unzipped it, you will find in the analog folder a configuration file called analog.cfg and the analog executable itself, as well as the Readme, the Licence (which you must read and agree to before using analog) and a couple of other files.

(Some unzip programs are broken, and do not create folders when they should. If you don't have a folder called lang inside the analog folder, create one and put all the files called *.lng and *.tab into it.)

There are two ways of running analog. You can either run it from Windows (by single-clicking or double-clicking on its icon, depending on your setup), or you can run it from the DOS command prompt (under Start-Programs). If you run it from Windows, it will create a DOS window to run in. When it's finished, it will produce an output file called Report.html. The first time you run it, this may all happen almost instantly. For help in interpreting the output, see What the results mean.


You can configure analog by putting commands in the configuration file, analog.cfg. One command you will need straight away is
LOGFILE logfilename    # to set where your logfile lives
The logfile must be stored locally -- analog won't use FTP or HTTP to fetch it from the internet. There's a sample logfile supplied with the program.

There's a list of basic commands later in the Readme. Also there are a few to get you started in the configuration file already, but there are lots of others available. You can read about all the commands in the section on customising analog.

In some ways, it's easier to run analog from the DOS command prompt, because you get to see any error or warning messages more easily. Also, if you run analog from the command prompt, there is another way to give options, via command line arguments, given on the command line after the program name. These are just shortcuts for configuration file commands.

If you want to compile your own version of analog (it's written in C), or just to read the source code, it's available from the analog home page. (It's the same source code for all versions).


Starting to use analog under OS/2

When you've downloaded analog, and either you or your browser has unzipped it, you will find in the analog directory a configuration file called analog.cfg and the analog executable itself, as well as the Readme, the Licence (which you must read and agree to before using analog) and a couple of other files. You can run analog by just typing analog. It should produce an output file called Report.html. For help in interpreting the output, see What the results mean.
You can configure analog by putting commands in the configuration file, analog.cfg. One command you will need straight away is
LOGFILE logfilename    # to set where your logfile lives
You need to use \ not / as the directory separator in the logfile name. The logfile must be stored locally -- analog won't use FTP or HTTP to fetch it from the internet. There's a sample logfile supplied with the program.

There's a list of basic commands later in the Readme. Also there are a few to get you started in the configuration file already, but there are lots of others available. You can read about all the commands in the section on customising analog.

There is one other way to give options to analog, via command line arguments, given on the command line after the program name. These are just shortcuts for configuration file commands.

If you want to compile your own version of analog (it's written in C), or just to read the source code, it's available from the analog home page. (It's the same source code for all versions). There are instructions about compiling on another page.


Starting to use analog on other platforms

If you're not using one of the platforms for which a precompiled version of analog is available, you'll have to compile your own version from the source. But don't worry -- it's written in standard C throughout, so it will compile out of the box on most platforms. (The source code is the same for all platforms.)

First, you should look at the file analhead.h. These are all user-settable options, but most of them you can override later. However, you do need to check the first few options in the file.

When you have done that, you need to compile the program. How to do that depends on which operating system you're using.


Compiling under Unix. First edit analhead.h as described above. Then just type
make
to compile the program. On most systems, that will be sufficient. If it fails to compile, have a look in the Makefile to see if there's anything that you need to change to suit your configuration, and try again. It says in that file what to do. In particular, Solaris 2 (SunOS 5) users need to change the LIBS= line (and may need to change the DEFS= line -- see below).

If you haven't got gcc, you will need to change the compiler - try acc or cc instead. If it still doesn't compile, try DEFS=-DNODNS to ignore the DNS lookup code.

There is a known problem with HP-UX 10 and some versions of gcc. If it complains about an error in the <sys/stat.h> library, you need to upgrade to gcc version 2.7.2.3 or later, or use HP's cc compiler. HP's compiler is not an ANSI C compiler by default, so you need to specify -Ae in the CFLAGS to tell the compiler to use ANSI C.

SunOS 4's cc and gcc don't have the necessary header files for ANSI C. If you have the ANSI C compiler acc, use that. Otherwise use the DEFS given in the Makefile.

SunOS 5 users need to change the LIBS= line in the Makefile. Also, this OS sometimes seems to have a broken strcmp() function. If you get an "illegal instruction" error when running analog, compile it with the -DNEED_STRCMP in the DEFS= line.

Compiling under VMS. First edit analhead.h as described above. Then type

MMS
to compile analog. Under VMS 7.0 & 7.1, there is a VMS bug that stops analog compiling. The fix is to add "/define=(_VMS_V6_SOURCE)" to the cflags definitions at the top of the file descrip.mms.

Compiling under Acorn RiscOS. The Makefile is called Make.Risc, and you will have to rename it to Makefile before running make. Also you have to make directories called C, H and O, and move the sources files into the appropriate directories: e.g., alias.c must be renamed C.alias. And you will find that there are some filenames in the header file analhead.h that you want to change to fit into the RiscOS directory structure.

Compiling under OS/2. Although there is a precompiled version of analog for OS/2, if you want to compile your own you will need the EMX package. You should edit the Makefile to have OS=OS2 and LIBS=-lsocket. Then after editing analhead.h and running Make, you need to run the command

EMXBIND -b ANALOG
to generate the analog.exe executable.
After you've made the program, just type
analog
to run the program. (Or ./analog if for some reason . isn't in your $PATH.)

You can configure analog by putting commands in the configuration file, which is called analog.cfg by default. Two commands you will need straight away are

LOGFILE logfilename      # to set where your logfile lives
OUTFILE outputfile.html  # to send the output to a file instead of the screen
The logfile must be stored locally -- analog won't use FTP or HTTP to fetch it from the internet. There's a sample logfile supplied with the program.

There's a list of basic commands later in the Readme. Also there are a few to get you started in the configuration file already, but there are lots of others available. You can read about all the commands in the section on customising analog. For help in interpreting the output, see What the results mean.

There is one other way to give options to analog, via command line arguments, given on the command line after the program name. These are just shortcuts for configuration file commands.


Customising analog

This section is the bulk of the Readme. It tells you all the commands you can give to analog, and what they all do. First there's a list of which is as much as beginners need to read, until they want to do something which isn't listed there, or are curious to find out what they could do.

The following section is a technical (i.e., dull but important) section on the

Then there's documentation on all the configuration commands in the following categories. Analog has over 200 configuration commands and over 40 command line options, so sometimes these sections turn into lists of commands. But here's where you find out everything you can do with analog.

Later there's an index of all the commands and topics, and also a quick reference containing the syntax of all the commands and examples.


Basic commands

Here is a list of basic configuration commands to get you started with analog. These commands should be added to your configuration file, analog.cfg, as explained in the section on Starting to use analog. We'll see all the possible configuration commands in later sections. Or you can read a summary of the commands which control each report in the section on Analog's reports.
Analog reads logfiles produced by your web server, and produces an output file based on the data in them. So you need to know how to specify which logfile to read, and which file to send the output to. The relevant commands look like
LOGFILE my_logfile
OUTFILE output.html
where, of course, you should substitute the names of the files you want to use. The logfile must be stored locally -- analog won't use FTP or HTTP to fetch it from the internet, so you may have to fetch it yourself first. You can read several logfiles by giving several logfile commands, or by giving a comma-separated list, or by using wild cards in the logfile name. So, for example, if you use the commands
LOGFILE new1.log,old*.log
LOGFILE new2.log
analog will analyse the logfiles new1.log, new2.log, and all the old logfiles. Analog will recognise logfiles in several different formats. You can read more about this in the section on Choosing a logfile.
There are a couple of other commands you need to know right at the beginning, not because they're particularly important in themselves, but because the output will look silly if you don't know them. First, you need to know how to put your own organisation's name and URL at the top of the report. For this, you need two commands such as
HOSTNAME "Spam Widgets Inc."
HOSTURL http://www.spam-widgets.com/

If you have broken images in the output instead of graphs, you need to say in which directory on your server the images are stored. You do this by a command like

IMAGEDIR /analog/images/
(The images are distributed with the program - you will have to move them to whichever directory you choose.)
Next you will want to know how to turn individual reports on and off. Analog can produce 27 different reports, but here are the most important. Try them and see what happens. You can turn each report on with an ON command, or off with an OFF command. You can also use the commands ALL ON and ALL OFF to turn all reports on or off.
MONTHLY ON    # one line for each month
WEEKLY ON     # one line for each week
FULLDAILY ON  # one line for each day
DAILY ON      # one line for each day of the week
HOURLY ON     # one line for each hour of the day
GENERAL ON    # the General Summary at the top
REQUEST ON    # which files were requested
FAILURE ON    # which files were not found
DIRECTORY ON  # directory report
HOST ON       # which computers requested files
DOMAIN ON     # which countries they were in
REFERRER ON   # where people followed links from
FAILREF ON    # where people followed broken links from
BROWSER ON    # which browsers people were using
FILETYPE ON   # types of file requested
SIZE ON       # sizes of files requested
The referrer and browser reports will only appear if your server records the necessary information. You can configure lots of other things about each report, such as how many rows are listed, which columns are included, and how the reports are sorted. For example, the command
REQINCLUDE pages
tells analog only to list pages, rather than all files, in the request report. You can read a summary of all the reports and the commands which control them in the section on Analog's reports.
You can have the output in several different languages, by using a LANGUAGE command. For example, the command
LANGUAGE FRENCH
will give you the output in French. The available languages at the moment are CATALAN, CHINESE, CZECH, DANISH, DUTCH, ENGLISH, US-ENGLISH, FINNISH, FRENCH, GERMAN, GREEK, HUNGARIAN, ICELANDIC, ITALIAN, JAPANESE, KOREAN, LATVIAN, LITHUANIAN, NORWEGIAN (Bokmål), NYNORSK, POLISH, PORTUGUESE, BR-PORTUGUESE, ROMANIAN, RUSSIAN, SERBOCROATIAN, SLOVAK, SLOVENE, SPANISH, SWEDISH and TURKISH. See the section on Configuring the output for how to download, or even translate, new languages.
Two other common things you might want to do are to alias files or hosts (for example, to tell analog that two different filenames are really the same file), or to include or exclude certain files, hosts or dates (to ignore accesses from your site, for example, or to do an analysis only of a certain subdirectory or a certain time period. For these, see the later sections on Aliases and Inclusions and exclusions.

As I said, these are only a few of the commands available. To find out about all the commands, you'll have to read the remaining sections of the Readme, starting with a short section on the syntax of configuration commands.


Syntax of configuration commands

This section describes how analog finds configuration commands, and what the syntax of a configuration file should be. The syntax of individual commands is given in the Quick reference section later.
When analog starts up, it first reads options from configuration files and the command line (assuming that you are running analog from an operating system with a command line). Defaults for many of these options will have already been set in the file analhead.h at the time the program was compiled. So if you compile your own version of analog, rather than downloading a pre-compiled executable, you can also set some options in that file before compiling. Those options are all documented there.
The first file which analog reads is the default configuration file, normally called analog.cfg. You can stop this file being read by specifying the option -G on the command line. Then the command line arguments are read, in the order in which they appear. Finally, the mandatory configuration file is read, if you specified one when you compiled the program. This is a configuration file which cannot be overridden by the user: if it is not found, analog exits immediately. This allows a system administrator to prevent users analysing certain files or producing certain reports, for example. However, note that the only certain way to prevent users analysing things is to deny them access to the logfile. Otherwise there is nothing to stop them analysing the logfile using another copy of analog or another program.
You can include another configuration file from the command line by using a command like +gother.cfg. (Note that there is no space between +g and the filename; this is true of all command line arguments.) You can also include another configuration file from within a configuration file by a command like
CONFIGFILE other.cfg
The commands in the other configuration file are read immediately, in order. The program then continues reading the command line or calling configuration file where it left off. Note that reading an alternative configuration file does not stop the default configuration file being read as well. To do that you have to specify -G as well as the +g command.

In the Mac version, you can start up a program with a particular configuration file instead of the default one by dragging the configuration file onto the analog icon. The file must start with a #.

You can also specify any configuration command on the command line even if it doesn't have a command line abbreviation, by use of the +C command. For example, +C"UNCOMPRESS *.gz gzcat" will include that command.


Here are the syntax rules for configuration commands. A configuration file contains several commands on separate lines; any text after a hash (#) on a line is ignored as a comment. Each command consists of the command name followed by one or two arguments. An argument to a command may optionally be placed in single or double quotes or parentheses, and it must be if the argument contains a hash or a space. So, for example, here are some valid configuration commands.
DAILY      OFF   # We don't want a daily summary
FULLDAILY  "ON"  # We want a full daily report instead 
HOSTNAME (Spam Widgets Inc.)  # Spaces, so quotes or brackets needed
Generally later commands override earlier ones if you can have only one of that thing (e.g., for the OUTFILE), or supplement them if you can have several (e.g., for the LOGFILE, because you can read several logfiles).
If all the options seem a bit confusing, just run
analog -settings [other options]
or include PRINTVARS ON in the configuration commands. That will tell you what the values of all the variables will be, based on the defaults in analhead.h, the configuration commands, and the command line options. If you're on Unix or Windows, remember that you can send the output to a file with
analog -settings > file

Choosing a logfile

The basic command for selecting a logfile is
LOGFILE logfilename
or just to put the logfile name on the command line without any arguments, e.g., analog logfilename. A - sign or the word stdin is interpreted as standard input: this is useful on Unix systems for constructing pipes. All logfiles must be within your computer's file system (on disk, or at least mounted under Unix, or on a mapped drive under NT) -- analog won't use FTP or HTTP to fetch them from the internet. In the Mac version, you can also analyse a particular single logfile by dragging it onto the analog icon.

You can have several LOGFILE commands. You can include wildcards in the logfile name (but not necessarily in the directory name: this is system-dependent), and you can use a list of logfiles separated by commas (without spaces). So the following commands would tell analog to read logfile1, c:\logs\logfile2, and all files ending in .log:

LOGFILE logfile1,*.log
LOGFILE c:\logs\logfile2
Or if you were on a Mac, you might use something like
LOGFILE "Hard Drive:Internet Applications:Analog:Logs:*"
The LOGFILE commands are cumulative, except that any logfiles on the command line or in user-specified configuration files override any in the default configuration file, and are themselves overridden by any in the mandatory configuration file. There is also the special command
LOGFILE none
which erases the list of logfiles specified so far.
Analog knows about several different types of logfile. By default it will attempt to see if your logfile is of one of the types it knows about, based on the first line. The types it can usually diagnose are the common log format, the NCSA combined format, referrer log and browser log, the W3 extended log format, the Microsoft IIS format, the Netscape format, the WebSTAR format and the WebSite format. Examples of all these formats are given at the end of this section. If you have debugging on, analog will report what type of logfile it thinks yours is.

If your logfile is not in one of the standard formats, you will probably still be OK, because it is possible to tell analog about other formats using a LOGFORMAT command. This is explained in the next section. But most users don't ever need to know about this because they have logfiles in a standard format. So the best thing to do is just to try analysing your logfile and see if analog will understand it. If it does, you don't need to worry about LOGFORMATs.

If analog can't understand your logfile, it will warn you that it can't detect the format, or possibly that it found a lot of corrupt lines. There are basically four reasons why this might happen:

  1. Since analog tries to deduce the format based on the first line of the logfile, it could just be that the first line is corrupt. In this case, you could tell analog the format, or you could just fix the first line.
  2. For the same reason, if the format changes midway through the log, analog will count the remaining lines as corrupt. In this case, you will find that your report contains a partial analysis but with a large number of corrupt lines too. You will need to give analog two LOGFORMAT commands to tell it about the two different formats.
  3. Some log formats are not very well designed and analog can't analyse them reliably. In this case it will give up rather than risk doing a bad job, usually with a helpful message. So if you believe that your logfile is in a standard format, but analog still can't analyse it, you should read the notes on all the built-in formats below where some common problems with those formats are described.
  4. Finally, some logfiles really aren't in one of the standard formats. In this case you will need to read the next section and learn how to tell analog about your format.

There's also a second argument to the logfile command, which specifies a prefix to add to all the filenames in that logfile. This is useful if you've got several different servers or virtual hosts, when the same filename may occur on each of the servers. The argument can contain a %v, and the name of the virtual host will then be inserted at that point. For example,
LOGFILE log1,log2 http://www.%v.mydomain.com
would translate a filename /file.html with virtual host host1 in log1 or log2 to http://www.host1.mydomain.com/file.html. If you are using the second argument to the LOGFILE command, you will probably want to use the SUBDIR command as well.

If %v is included in the argument and the logfile line doesn't have a virtual host, that line will be marked as corrupt. If VHOSTLOWMEM 3 is specified, the %v's will not be translated and will just appear as %v in the output.


It is often convenient to store logfiles compressed to save disk space. Analog on the Mac can read logfiles compressed using gzip. And analog on Unix, Win32, and VMS 7.0 and above can read compressed logfiles provided that you use an UNCOMPRESS command to say how to uncompress them. You need to supply the types of file that you want to uncompress in a comma-separated list, together with the name of a command that will uncompress the files to standard output (rather than to a file). For example, on Unix you might use
UNCOMPRESS *.gz,*.Z  /usr/bin/gzcat
whereas on Windows NT, you might use
UNCOMPRESS *.gz "c:\Program Files\gzip\gzip -cd"
and on VMS, it could be
UNCOMPRESS *.LOG-GZ;*  "gunzip -c"
This would be a suitable command to include in the default configuration file.

If analog determines when it starts to uncompress a logfile that that file isn't wanted for the analysis, two undesirable things can happen. Either the program might pause until the logfile is fully uncompressed, or there might be a "broken pipe" error reported. This is system dependent, and out of analog's control.


Logfile formats

Here is a summary of the various logfile formats which analog knows about. To illustrate them, I have used the same (fictional) request as it might be recorded in the different formats.

The common logfile format is written by most servers. Its lines look like

jay.bird.com - fred [25/Dec/1998:17:45:35 +0000] "GET /~sret1/ HTTP/1.0" 200 1243
Some versions of Microsoft software have a buggy version of this with an extra quote mark before the HTTP like this:
jay.bird.com - fred [25/Dec/1998:17:45:35 +0000] "GET /~sret1/ "HTTP/1.0" 200 1243
Analog will understand these, but (as with any two formats) it will reject lines if the format changes half way through.
The NCSA referrer log looks like
[25/Dec/1998:17:45:35] http://www.site.com/ -> /~sret1/
and the browser (or agent) log looks like
[25/Dec/1998:17:45:35] Mozilla/2.0 (X11; I; HP-UX A.09.05)
In the referrer log, the date can be omitted.
The NCSA combined log is the same as the common log, except that it has the referrer and browser on the end in quotes, like this:
jay.bird.com - fred [25/Dec/1998:17:45:35 +0000] "GET /~sret1/ HTTP/1.0" 200 1243
"http://www.site.com/" "Mozilla/2.0 (X11; I; HP-UX A.09.05)"
except all one line. If you are using the Apache server, you can generate this with the mod_log_config module, using the command
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\""
It is usually better to use the combined log than separate logs, because it stores more information in less space.
The Microsoft IIS logfile looks like
192.64.25.41, -, 25/12/98, 17:45:35, W3SVC1, HOST1, 192.16.225.10,
30, 303, 1243, 200, 0, GET, /~sret1/, -,
(except all on one line). However, the format is extremely badly designed, in that the date follows local conventions: in other words, in North America the above example would have the date 12/25/98 instead. Analog will diagnose which form the logfile is in if possible: but if both the date and the month are at most 12, there is no way to tell which format it is. In this case, it will advise you to use the command LOGFORMAT MICROSOFT-NA for North American date format, or LOGFORMAT MICROSOFT-INT for international date format. In some countries, the date will not be in either of these formats, in which case you need to write your own LOGFORMAT command.

There are also various third-party extensions to the Microsoft format to include, for example, the browser and referrer. But they all do it in different ways, so analog can't automatically diagnose them, and again, you need to write a LOGFORMAT command for them.


The WebSite format looks like
12/25/98 17:45:35  jay.bird.com  host1  Server  fred  GET  /~sret1/
http://www.site.com/    Mozilla/2.0 (X11; I; HP-UX A.09.05)  200  1243  2178
(except all on one line, and with the fields separated by tabs). It suffers from the same problem with ambiguous dates as the IIS logfile (above), so again you might have to use LOGFORMAT WEBSITE-NA or LOGFORMAT WEBSITE-INT, or even have to write your own LOGFORMAT command.
The W3 extended log, the Netscape log, and the WebSTAR log can be recognised because they must include at or near the top a line telling analog what format to expect on subsequent lines. (They may also contain later lines changing the format). If the header line is missing, analog won't be able to interpret the subsequent lines and so won't be able to analyse the logfile. In this case, you will have to either replace the missing header or use a LOGFORMAT command to tell analog your format.

If analog finds that the header line is corrupt, it will usually tell you what was wrong with it. Here are two common problems. First, the header line musn't contain the same item twice, even under two different names. (This is because analog doesn't know which one you want to use.) If it does contain the same item twice, you will have to use a LOGFORMAT command to tell analog which one you want to ignore.

Secondly, you're not allowed the time without the date or vice versa -- in particular, having the date just at the top of the logfile is not sufficient; you must have it on each line. Microsoft servers produce extended logs with the date only at the top. But if the date changes during the logfile, the server doesn't then write a new date line. For this reason analog can't analyse such logfiles safely. There are some programs on the helper applications page to put the date on each line. If you already have such a logfile you might want to use one of these programs, but they have to assume that the date doesn't change during the logfile, so it would be safer to tell your server to log in a better format in future.

The extended log is described at http://www.w3.org/TR/WD-logfile.html. Its header line looks like

#Fields: date time cs-uri
In the rest of the logfile, the fields can be separated by spaces or tabs. There is also Microsoft's attempt at the extended format -- unfortunately they didn't read the spec., so they didn't enclose the browser and referrer in quotes, and they replaced spaces in the browser name with +'s. Extended logs always record the time in GMT, so you will probably need to use a LOGTIMEOFFSET command to convert to your local timezone.

The WebSTAR file has a header line like

!!LOG_FORMAT DATE TIME RESULT URL BYTES_SENT HOSTNAME
In the rest of the logfile, the fields are separated by tabs. Some other Mac servers also use the WebSTAR format, or something looking like it. Analog will understand these too.

Finally, the Netscape header line looks like

format=%Ses->client.ip% [%SYSDATE%] "%Req->reqpb.clf-request%"
%Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%

Specifying a log format

This section is about how to tell analog the format of your logfile. I'll assume that you've read the previous section, and have decided that you need to specify the log format explicitly, because analog can't detect the format of your logfile itself for some reason.

The basic command to specify a log format looks like

LOGFORMAT format
-- we'll discuss what the formats can be in a minute. The LOGFORMAT command only applies to logfiles specified with a LOGFILE command later in the same configuration file. So you must put the LOGFORMAT above the LOGFILE to which it refers. This way, different logfiles can have different formats, like this:
LOGFILE log0
LOGFORMAT format1
LOGFILE log1
LOGFORMAT format2
LOGFILE log2
LOGFILE log3
In this example, log1 is in format1, log2 and log3 are in format2, and log0 isn't in either format -- analog will try and detect which format it's in.
If you're using an Apache web server, you can use APACHELOGFORMAT as an alternative to plain LOGFORMAT, followed by your LogFormat from your Apache httpd.conf file. For example, common format could be represented by
APACHELOGFORMAT (%h %l %u %t \"%r\" %s %b)
(The parentheses are needed because the argument contains spaces.) Analog understands all Apache log formats, with the exception that it won't parse Apache's "%...{format}t" construction: if you have this construction, you will have to use ordinary LOGFORMAT instead.
The possible formats for use with the LOGFORMAT command are of two types. First there are some symbolic words, and then there are log format strings. We'll look at the words first.

There are format words for all the built-in formats analog knows about. You might need one of these words if your logfile is in a standard format, but analog can't detect which format it's in for some reason; for example, maybe the first line is corrupt; or maybe analog can't tell whether you're using North American or international dates. So for example

LOGFORMAT COMMON
will select common format; you can also have COMBINED, REFERRER, BROWSER, EXTENDED, MICROSOFT-NA (North American date format), MICROSOFT-INT (international date format), WEBSITE-NA, WEBSITE-INT, MS-EXTENDED (Microsoft's attempt at extended format), MS-COMMON (a buggy version of common format in some versions of Microsoft software), NETSCAPE or WEBSTAR. All these formats were defined at the end of the previous section. You can also use the special word AUTO to return to automatic detection.

If your logfile is not in one of the recognised formats, you can tell analog about your format using a log format string. You only ever need this if your logfile has lines which are not in one of the standard formats. And even if it isn't in a standard format, if you're using the Apache web server, you will find APACHELOGFORMAT (above) easier.

The format string consists of a template for the logfile line, with the various fields and special characters replaced by codes as follows. Please note that these codes are case sensitive -- for example, %b is completely different from %B!

%S
host (computer making the request)
%r
file requested
%B
browser
%A
browser with +'s instead of spaces
%f
referrer (URL referring to the file)
%u
user (tip: a cookie can usefully be defined as %u too)
%v
virtual host (also called virtual domain)
%d
day of the month
%m
month in digits
%M
month, three letter English abbreviation
%y
year, last two digits
%Y
year, four digits
%h
hour of the day
%n
minute of the hour
%a
a or A for am, or p or P for pm, if %h is in the 12-hour clock. (So to match "am" you need %am and to match "AM" you need %aM)
%U
"Unix time" (seconds since beginning of 1970, GMT)
%b
number of bytes transferred
%c
HTTP status code
%C
Special code, specific to particular servers
%q
query string (part of filename after ?, if recorded in a separate field)
%j
junk: ignore this field (field can be empty too)
%w
white space: spaces or tabs
%W
optional white space
%%
% sign
\n
new line
\t
tab stop
\\
single backslash
So for example, the common log format, which looks like
jay.bird.com - fred [25/Dec/1998:17:45:35 +0000] "GET /~sret1/ HTTP/1.0" 200 1243
could be represented by the LOGFORMAT command
LOGFORMAT (%S - %u [%d/%M/%Y:%h:%n:%j %j] "%j %r %j" %c %b)
In other words, it's just the sample line but with the hostname replaced by %S, the username by %u etc. (The parentheses are needed because the argument contains spaces.) Or take another example: if you had lines which looked like
Fri 25/12/98 5:45pm, /~sret1/, jay.bird.com, 200, 1243, http://www.site.com, Mozilla/2.0 (X11; I; HP-UX A.09.05)
you could use the format
LOGFORMAT (%j %d/%m/%y %h:%n%am, %r, %S, %c, %b, %f, %B)

A logfile can sometimes have lines in several different formats. So you can specify several LOGFORMAT commands in a row, and they will all apply to the next logfile. This is also useful if the format of your logfile changes half way through. So in this example:
LOGFORMAT COMMON
LOGFORMAT COMBINED
LOGFILE log1
LOGFORMAT (%j %d/%m/%y %h:%n%am, %r, %S, %c, %b, %f, %B)
LOGFILE log2
LOGFILE log3
log1 has lines in both common and combined format, whereas log2 and log3 have lines just in the format in the previous example.

If you specify several formats, analog tries to match each line to the first format first, then if that fails the next, and so on, so the order of the formats is important. Usually you want to specify the most common one first, to minimise the time spent trying to match lines to inappropriate formats.


I suggested above that any logfile which doesn't have a LOGFORMAT command earlier in the same configuration file is auto-detected. But this isn't quite true. Actually such logfiles get a special format called the default log format. The default format starts off as auto-detection, but you can change it if you want with the DEFAULTLOGFORMAT command. This command works exactly the same as the LOGFORMAT command -- it understands the same formats, and if you have several DEFAULTLOGFORMAT commands, they accumulate in the same way. The difference is that they don't need to be put in any particular place. (There is also APACHEDEFAULTLOGFORMAT, analogous to APACHELOGFORMAT.)

So let's go back to the first example:

LOGFILE log0
LOGFORMAT format1
LOGFILE log1
LOGFORMAT format2
LOGFILE log2
LOGFILE log3
Here log0 actually gets the default log format. If there are no DEFAULTLOGFORMAT commands, the default will be auto-detection. But if there are DEFAULTLOGFORMAT commands, even in another configuration file, that will be the format of log0.

The times you need to use the DEFAULTLOGFORMAT instead of the LOGFORMAT are if you want to change the format of logfiles which aren't given in a LOGFILE command -- for example, ones specified on the command line, or dragged onto the program icon on a Mac, or compiled in. It is also useful to use the DEFAULTLOGFORMAT if your logfiles are always in the same format, so that you don't have to worry about putting in enough LOGFORMATs in the right places.


A couple more technical details and tips about LOGFORMAT commands.

The "Unix time", %U, is always recorded in GMT. So you will probably need to use a LOGTIMEOFFSET command to convert to your local timezone. Also, it's just the integer part of the time, so if you have decimals you will have to use %U.%j .

The log formats which analog can handle are those which are known as instantaneously decipherable: in practice, this means that the character which terminates a string can never occur in the string. So for example, in common format, which looks like

LOGFORMAT (%S - %u [%d/%M/%Y:%h:%n:%j %j] "%j %r %j" %c %b)
if the hostname ever contained a space, the line would be marked as corrupt, because analog terminates the host at the first space, not at the first occurrence of space-dash-space, and then the rest of the line wouldn't match. Of course, hostnames should never contain spaces, so this shouldn't be a problem. There are a couple of other restrictions: if there is any date or time information, then the year, month, date, hour and minute must all be present: and the same information may not occur twice in the format (so you can't have both %m and %M, for example, because these both represent the month; make one of them a %j to have it ignored).

Sometimes you need to read one of the fields in a logfile, but not analyse it. For example, if you have a separate common log and referrer log, the referrer log might look like

http://guide-p.infoseek.com/Titles -> /~sret1/analog/
But the requests for /~sret1/analog/ would already have been counted when reading the main logfile, so you don't want to count them again now. You get round this by specifying a * in that item in the format string, like this:
LOGFORMAT (%f -> %*r)

A tip: sometimes it is more efficient to specify two or more adjacent fields to ignore with a single %j, as long as the whole group ends with a recognisable character. So common format is more efficiently specified as

LOGFORMAT (%S - %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b)
-- in the date and time [25/Dec/1998:17:45:35 +0000], the seconds and the timezone can be ignored with a single %j, extending until the close-bracket.

Another tip: %j can also be used to ignore whole lines, rather than just fields analog doesn't use. For example, the extended log format ignores lines beginning with # by using

LOGFORMAT #%j
and the Microsoft format ignore lines corresponding to FTP requests with
LOGFORMAT (%*S, %*u, %m/%d/%y, %h:%n:%j, %j)
If those formats had not been used, the lines would have been incorrectly marked as corrupt.
Finally, both for reference and as examples, here is a list of all the fixed formats that analog understands, together with the example lines from the previous section and their built-in definitions.
Common format, LOGFORMAT COMMON
jay.bird.com - fred [25/Dec/1998:17:45:35 +0000] "GET /~sret1/ HTTP/1.0" 200 1243
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b)
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r" %c %b)
Microsoft common format, LOGFORMAT MS-COMMON
jay.bird.com - fred [25/Dec/1998:17:45:35 +0000] "GET /~sret1/ "HTTP/1.0" 200 1243
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%w"HTTP%j" %c %b)
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r" %c %b)
Combined log, LOGFORMAT COMBINED
jay.bird.com - fred [25/Dec/1998:17:45:35 +0000] "GET /~sret1/ HTTP/1.0" 200
     1243 "http://www.site.com/" "Mozilla/2.0 (X11; I; HP-UX A.09.05)"
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%f" "%B")
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r" %c %b "%f" "%B")
Referrer log, LOGFORMAT REFERRER
[25/Dec/1998:17:45:35] http://www.site.com/ -> /~sret1/
or http://www.site.com/ -> /~sret1/
LOGFORMAT ([%d/%M/%Y:%h:%n:%j] %f -> %*r)
LOGFORMAT (%f -> %*r)
Browser log, LOGFORMAT BROWSER
[25/Dec/1998:17:45:35] Mozilla/2.0 (X11; I; HP-UX A.09.05)
LOGFORMAT ([%d/%M/%Y:%h:%n:%j] %B)
Microsoft log, North American dates, LOGFORMAT MICROSOFT-NA
192.64.25.41, -, 12/25/98, 17:45:35, W3SVC1, HOST1, 192.16.225.10,
     30, 303, 1243, 200, 0, GET, /~sret1/, -,
LOGFORMAT (%S, %u, %m/%d/%y, %h:%n:%j, W3SVC%j, %j, %v, %j, %j, %b, %c, %j, %j, %r, %q,)
LOGFORMAT (%*S, %*u, %m/%d/%y, %h:%n:%j, %j)
Microsoft log, international dates, LOGFORMAT MICROSOFT-INT
192.64.25.41, -, 25/12/98, 17:45:35, W3SVC1, HOST1, 192.16.225.10,
     30, 303, 1243, 200, 0, GET, /~sret1/, -,
LOGFORMAT (%S, %u, %d/%m/%y, %h:%n:%j, W3SVC%j, %j, %v, %j, %j, %b, %c, %j, %j, %r, %q,)
LOGFORMAT (%*S, %*u, %d/%m/%y, %h:%n:%j, %j)
WebSite log, North American dates, LOGFORMAT WEBSITE-NA
12/25/98 17:45:35  jay.bird.com  host1  Server  fred  GET  /~sret1/
     http://www.site.com/    Mozilla/2.0 (X11; I; HP-UX A.09.05)  200  1243  2178
LOGFORMAT (%m/%d/%y %h:%n:%j\t%S\t%v\t%j\t%u\t%j\t%r\t%f\t%j\t%B\t%c\t%b\t%j)
WebSite log, international dates, LOGFORMAT WEBSITE-INT
25/12/98 17:45:35  jay.bird.com  host1  Server  fred  GET  /~sret1/
     http://www.site.com/    Mozilla/2.0 (X11; I; HP-UX A.09.05)  200  1243  2178
LOGFORMAT (%d/%m/%y %h:%n:%j\t%S\t%v\t%j\t%u\t%j\t%r\t%f\t%j\t%B\t%c\t%b\t%j)
The extended log, Netscape log and WebSTAR log don't have any built-in formats: analog constructs their formats from their header lines.

Aliases

After analog has read each logfile entry, it then applies aliases to each of the items. First, if you have a case insensitive filesystem, analog converts the filename to lower case. Usually analog assumes that Unix filesystems are case sensitive and other systems are case insensitive. You might want to override its choice, if, for example, you have transferred files from one machine to another, so as to use the convention on the original machine. You can do this by the commands
CASE INSENSITIVE
CASE SENSITIVE

Next it applies built-in aliases to each item. For example, it knows that %7E in a filename or referrer is equivalent to ~ and translates it accordingly. It also strips off the directory suffix from any filenames which have it. This suffix is normally index.html, but you can specify another one instead with a command such as

DIRSUFFIX default.htm
(You can only have one DIRSUFFIX.) There are other built-in aliases for other items: for example, hostnames are converted to lower case at this point.
After this, it applies user-specified aliases to each item. These aliases are useful if, for example, you know that two filenames correspond to the same file, or if you want to translate local hostnames to their internet equivalents. You specify aliases by commands like
FILEALIAS /football.html /soccer.html
HOSTALIAS lion lion.statslab.cam.ac.uk
There is also the special command FILEALIAS none, which cancels any other file aliases which might have been specified.

The alias commands for the other items are called BROWALIAS, REFALIAS, USERALIAS and VHOSTALIAS. Only one alias is ever applied to any item. So after

FILEALIAS /football.html /soccer.html
FILEALIAS /soccer.html /brazil.html
the file /soccer.html would get translated to /brazil.html, but /football.html would only get translated to /soccer.html and would not see the second alias.

You can also use wildcards (? and *) in alias commands. The left hand side can contain at most one *, unless the right hand side contains no *'s. If the right hand side contains a * too, then the part of the name represented by the * on the left hand side will be substituted at the position of the * on the right hand side. So, for example,

FILEALIAS /football/* /soccer/
would translate /football/rules.html to /soccer/, but
FILEALIAS /football/* /soccer/*
would translate /football/rules.html to /soccer/rules.html.
There is another set of alias commands, called output aliases. There is one of these for each of the reports, except the time reports. Instead of acting on items when the logfile is being read, they act on individual lines in the output. So for example, the command
TYPEOUTPUTALIAS .txt ".txt (Plain text files)"
would provide an explanation of that line in the file type report.

There can be some confusion between some ALIAS and OUTPUTALIAS commands. For example, what is the difference between HOSTALIAS and HOSTOUTPUTALIAS? In fact, there are several differences, resulting from the different times at which the aliases are processed. The HOSTALIAS applies to the host items, but the HOSTOUTPUTALIAS only applies to the lines in the host report. This means that the HOSTALIAS also affects the other reports which use the hosts, such as the domain report, whereas the HOSTOUTPUTALIAS only affects the host report. Also the HOSTOUTPUTALIAS applies separately to each line of the host report. This means that if two separate hosts translate to the same thing in a HOSTALIAS command, they will become one host ever after. But if one were to use the same HOSTOUTPUTALIAS commands, there would be two hosts, which would just happen to have the same name in one report.

In summary, HOSTALIAS would normally be used if a single host had two different names, so might otherwise appear to be two hosts, whereas HOSTOUTPUTALIAS would normally be used to annotate or clarify the host report.

The full list of output aliases is REQOUTPUTALIAS, REDIROUTPUTALIAS, FAILOUTPUTALIAS, TYPEOUTPUTALIAS, DIROUTPUTALIAS, HOSTOUTPUTALIAS, DOMOUTPUTALIAS, REFOUTPUTALIAS, REFSITEOUTPUTALIAS, REDIRREFOUTPUTALIAS, FAILREFOUTPUTALIAS, BROWOUTPUTALIAS, FULLBROWOUTPUTALIAS, VHOSTOUTPUTALIAS, USEROUTPUTALIAS and FAILUSEROUTPUTALIAS.

There is one known bug with OUTPUTALIAS. The report is sorted before the OUTPUTALIAS is applied. This means that if the SORTBY for the report is set to ALPHABETICAL, then the report will not be sorted correctly.


Inclusions and exclusions

After aliasing each item, analog decides whether that item is wanted or not. The whole line is only counted if all the items are wanted. Whether an item is wanted or not is determined by INCLUDE and EXCLUDE commands specified by the user. These commands can be used to exclude requests from your local users, for example, or to analyse only files in a subdirectory. For example
HOSTEXCLUDE mycomputer.myisp.com
would exclude all requests by that computer from the statistics.

The rule for determining whether an item is included or excluded is as follows. All the INCLUDE and EXCLUDE commands for that item are considered one by one in order, and the item is included or excluded according to the last command it matched. Items which don't match any of the INCLUDE or EXCLUDE commands are included if the first command was an exclusion, and excluded if the first command was an inclusion. For example, the configuration

FILEINCLUDE /~sret1/*
FILEEXCLUDE /~sret1/backgammon/*,/~sret1/analog/*
FILEINCLUDE /~sret1/backgammon/*.gif
would instruct the program to examine only my files, excluding my backgammon and analog files, but including gifs in my backgammon directory. On the other hand,
FILEEXCLUDE /~sret1/*/img/*
would analyse all files, except for images in my various directories. Note that inclusions and exclusions can contain any number of wildcards.

The full list of these commands is HOSTINCLUDE and HOSTEXCLUDE; FILEINCLUDE and FILEXCLUDE; BROWINCLUDE and BROWEXCLUDE; REFINCLUDE and REFEXCLUDE; USERINCLUDE and USEREXCLUDE; and VHOSTINCLUDE and VHOSTEXCLUDE.

Sometimes a line doesn't contain a particular sort of item, either because there is no field reserved for it on the line, or because the browser didn't send it for that request. You can include or exclude these lines by making a special blank entry in the INCLUDE or EXCLUDE command. For example,

USERINCLUDE jim
USERINCLUDE ""
would include lines from user jim and lines without any user specified.

If you get confused with all the inclusions and exclusions, remember that you can always run analog -settings to see what the options you have specified represent.


There is also one other pair of commands which belongs in this category, namely the FROM and TO commands. These specify a time period to restrict the analysis to. The simplest usage of these commands is FROM yyMMdd or FROM yyMMdd:hhmm, where yy represents the last two digits of the year (analog assumes that the year is between 1970 and 2069), MM represents the month, dd is the date, hh the hour, and mm the minute. So, for example, to analyse only requests from July 1999 to June 2000 I would use the configuration
FROM 990701
TO   000630
Alternatively, each of the components can be preceded by + or - to represent time relative to the time at which the program was invoked. In this case, the date can have more than 2 digits. This allows constructions like
FROM -01-00+01   # from tomorrow last year
TO -00-0131  # to the end of last month (OK even if last month
             # didn't have 31 days)
FROM -00-00-112
TO   -00-00-01  # statistics for the last 16 weeks
FROM -00-00-00:-06+01  # statistics for the last 6 hours
There are command line abbreviations +F and +T for the FROM and TO commands; for example, +T-00-00-01:1800 looks at statistics until 6pm yesterday. -F and -T turn off the from and to, as do FROM OFF and TO OFF.
There are also INCLUDE and EXCLUDE commands for most of the reports. These exclude individual lines from particular reports. So, for example, the command
REFREPEXCLUDE http://your.site.com/*
would exclude your internal referrers from the Referrer Report. However, it would not exclude them from the Failed Referrer Report, the Referring Site Report, etc. (you need to use FAILREFEXCLUDE, REFSITEEXCLUDE etc. for that); nor would it prevent other analysis of logfile lines with those referrers, as REFEXCLUDE would. Also REFREPEXCLUDE would include the referrers in the "not listed" line at the bottom of the report.

The full list of these commands is REQINCLUDE and REQEXCLUDE; REDIRINCLUDE and REDIREXCLUDE; FAILINCLUDE and FAILEXCLUDE; TYPEINCLUDE and TYPEEXCLUDE; DIRINCLUDE and DIREXCLUDE; HOSTREPINCLUDE and HOSTREPEXCLUDE; DOMINCLUDE and DOMEXCLUDE; REFREPINCLUDE and REFREPEXCLUDE; REFSITEINCLUDE and REFSITEEXCLUDE; REDIRREFINCLUDE and REDIRREFEXCLUDE; FAILREFINCLUDE and FAILREFEXCLUDE; BROWSUMINCLUDE and BROWSUMEXCLUDE; FULLBROWINCLUDE and FULLBROWEXCLUDE; VHOSTREPINCLUDE and VHOSTREPEXCLUDE; USERREPINCLUDE and USERREPEXCLUDE; and FAILUSERINCLUDE and FAILUSEREXCLUDE. The inclusion or exclusion applies to the unaliased name, if you are doing any output aliases.

You can also use the symbolic word pages in suitable INCLUDE and EXCLUDE commands; one very common command is

REQINCLUDE pages
to include only pages in the request report.
Analog determines which files should count as pages (and thus which requests count as page requests) using another INCLUDE/EXCLUDE pair, called PAGEINCLUDE and PAGEEXCLUDE. By default, *.html, *.htm and directories (*/) count as pages. But you change the list by commands like
PAGEINCLUDE *.ps,*.ps.gz
PAGEEXCLUDE sret1.html
(I.e., Postscript and gzipped Postscript are pages, but sret1.html isn't).
There are a couple more INCLUDE and EXCLUDE commands which I'll mention now while we're on the subject. In the Request Report and the three referrer reports (Referrer Report, Redirected Referrer Report and Failed Referrer Report), analog can link to the files which it's listing. There are commands LINKINCLUDE and LINKEXCLUDE for the Request Report, and REFLINKINCLUDE and REFLINKEXCLUDE for the referrer reports, to specify exactly which files are linked to. So, for example, REFLINKINCLUDE pages would link to pages in the three referrer reports.

Finally, there are commands called ARGSINCLUDE and ARGSEXCLUDE, and REFARGSINCLUDE and REFARGSEXCLUDE. Sometimes a URL contains arguments after a question mark. For example, the URL

/cgi-bin/script.pl?x=1&y=2
runs the /cgi-bin/script.pl program with arguments x=1 and y=2. (Sometimes the server records the arguments in a separate field in the logfile, but if so you can use the %q field in the LOGFORMAT command, and analog will translate the filename to the above format).

Analog can either read or ignore the arguments. If the command ARGSEXCLUDE /cgi-bin/script.pl were given, analog would ignore the arguments to that file, and so treat the above URL as being the same as /cgi-bin/script.pl. On the other hand, if ARGSINCLUDE /cgi-bin/script.pl were specified, analog would read the arguments, and treat the above URL as a different file from /cgi-bin/script.pl (or from /cgi-bin/script.pl?y=2&x=1), although a grand total for /cgi-bin/script.pl would still be listed in the Request Report.

REFARGSINCLUDE and REFARGSEXCLUDE are the same for referrers. By default, all arguments are included. The check for whether the arguments should be included happens before the filename is aliased: this means that you can't use pages in this command, because we don't know whether a file is a page until after it's been aliased.

If you want to see the arguments in a report you may also have to set the appropriate ARGSFLOOR command.


Configuring the output

So far we have mainly discussed commands which control how analog reads the logfiles. We now get on to commands for configuring the output.

There are 27 different reports which analog can produce, if your logfiles contain the necessary information. Each one has a short name, and a code letter or number, as follows:

x  GENERAL      General Summary
m  MONTHLY      Monthly Report
W  WEEKLY       Weekly Report
D  FULLDAILY    Daily Report
d  DAILY        Daily Summary
H  FULLHOURLY   Hourly Report
h  HOURLY       Hourly Summary
4  QUARTER      Quarter-Hour Report
5  FIVE         Five-Minute Report
S  HOST         Host Report
o  DOMAIN       Domain Report
r  REQUEST      Request Report
i  DIRECTORY    Directory Report
t  FILETYPE     File Type Report
z  SIZE         File Size Report
E  REDIR        Redirection Report
I  FAILURE      Failure Report
f  REFERRER     Referrer Report
s  REFSITE      Referring Site Report
k  REDIRREF     Redirected Referrer Report
K  FAILREF      Failed Referrer Report
B  FULLBROWSER  Browser Report
b  BROWSER      Browser Summary
v  VHOST        Virtual Host Report
u  USER         User Report
J  FAILUSER     Failed User Report
c  STATUS       Status Code Report
For details on what the various reports mean, and a summary of the commands which control them, see the section on Analog's reports.
You can turn each report on or off with configuration commands like
FIVE OFF
REFSITE ON
or by using command line arguments like -5 and +s. You can also turn all reports except the General Summary on or off with the commands ALL ON and ALL OFF, or with the command line arguments +A and -A.

You can turn the "Go To" lines in the report off with the command

GOTOS OFF
or with the -X command line argument; again, GOTOS ON and +X turn them on again.

The figures in parentheses in the General Summary are for the last seven days: either the seven days before the TO time, or if no TO time is given, the seven days before the time of the program start. The figures for the last seven days are normally included if some, but not all, of the requests fall in those seven days; but you can turn them off by means of the command

LASTSEVEN OFF
Of course LASTSEVEN ON turns them on again.

You can change the order of the reports by means of the REPORTORDER command. You should list the code letters for all possible reports in the order you want them, like this:

REPORTORDER xcmdDhH45WriSoEItzsfKkuJvbB

You can change which file the output goes to with a command like
OUTFILE stats.htm
or with a command line argument like +Ostats.htm. If you use the filename - or stdout, the output will go to standard output, which is normally the screen, but Unix users might like to redirect it to another file or even into a pipe. You can also use an absolute path name, like
OUTFILE /usr/bin/httpd/htdocs/stats.html  # Unix
OUTFILE "Hard Disk:Server Apps:WebSTAR:Analog:Report.html" # Mac

Sometimes it's convenient to include the date in the name of the OUTFILE. You can do this by including the following codes in the filename.

%D  date of month
%m  month name
%M  month number
%y  two-digit year
%Y  four-digit year
%H  hour
%n  minute
%w  day of week
So for example,
OUTFILE stats%y%M.html
will produce filenames like stats9905.html. The date used is the TO date if one was specified, and otherwise the time of the start of the program.
Now we come to some very important commands. The first is the OUTPUT command, which changes the style of the output. There are three possible output styles, HTML, ASCII and COMPUTER. The first produces Web pages, the second plain text files (which you could mail to people, for example) and the third produces output suitable for reading by a computer (useful for reading into a spreadsheet, or post-processing with a graphics package, for example). There is a separate section about the Computer readable output later. As well as a command like
OUTPUT ASCII
you can also select ASCII style with the command line argument +a, and HTML with the command line argument -a. You can also specify OUTPUT NONE for no output, if you are producing a cache file.

Next, you can change the language of the output. There are two ways to do this. The usual way is to use the LANGUAGE command. For example, the command

LANGUAGE FRENCH
will give you the output in French. The available languages at the moment are CATALAN, CHINESE, CZECH, DANISH, DUTCH, ENGLISH, US-ENGLISH, FINNISH, FRENCH, GERMAN, GREEK, HUNGARIAN, ICELANDIC, ITALIAN, JAPANESE, KOREAN, LATVIAN, LITHUANIAN, NORWEGIAN (Bokmål), NYNORSK, POLISH, PORTUGUESE, BR-PORTUGUESE, ROMANIAN, RUSSIAN, SERBOCROATIAN, SLOVAK, SLOVENE, SPANISH, SWEDISH and TURKISH.

The other way is to use the LANGFILE command. This is useful if you want to download a new language from the analog home page, or if you want to translate one yourself, or even if you want to change some words or phrases or the way the dates and times are formatted in the output. The LANGFILE command tells analog in which file to find the various words and phrases for a new language. For example, the command

LANGFILE lang/guarani.lng
would read from that file. (Note that you have to include the directory name if the file isn't in the directory or folder which you're running analog from. In particular, it's not assumed to be in the same directory as the other language files.)

Some languages also have domains files available. These are normally selected automatically by the LANGUAGE command. But you can tell analog to use a different domains file with the DOMAINSFILE command. Also, some languages have translations of the form interface.

If you want to translate another language, I would be delighted! You'd be wise to contact me first to make sure that no-one else is already translating the same language. The English language file contains some brief instructions for translating new languages.


Sometimes your server is not in the same timezone as you, or at least records the times in its logfiles in a different timezone (for example GMT). So that you can get your statistics in your local time, there is a command called LOGTIMEOFFSET to change the time by a certain number of minutes. As with the LOGFORMAT command, this only affects logfiles which come later in the same configuration file.

You have to be careful using this command. Because of daylight savings time in operation in different parts of the world at different times, analog cannot attempt to convert between different timezones. So it's your responsibility to set the right offset for different times of year. For example, if you were in Chicago, but your server was recording time in GMT, you would need to specify two different time offsets, one of minus five hours for summer and one of minus six hours for winter. You would need to split your logfiles in the right places and then run commands like

LOGTIMEOFFSET -300
LOGFILE summer*.log
LOGTIMEOFFSET -360
LOGFILE winter*.log

There is also a related command called TIMEOFFSET. This tells analog how much to offset the time of the computer on which it is running (rather than the computer running the server), to get your local time.


There is a command called NOROBOTS which stops robots which obey the robots META tag from indexing your output page or following its links. Normally this is set to ON but you can specify NOROBOTS OFF if you don't mind robots finding your other pages this way. Note that you will stop far more robots if you put your stats page in your robots.txt file; on the other hand, this file has to be kept up to date by the server administrator.
There are a few more minor, although cosmetically important, commands affecting the output. First there's a command IMAGEDIR which tells analog where the various images used to make the report live. It could be a relative or an absolute URL: for example
IMAGEDIR img/   # within the same directory as the output
IMAGEDIR /img/  # off the root directory of your server

There are three commands which affect the top line of the output. First, the LOGO command allows you to replace the analog logo with another image (for example, your organisation's logo). You can say

LOGO picture.gif  # for this file
LOGO /images/picture2.gif  # a different file
LOGO none         # for no logo
The logo is assumed to be inside the IMAGEDIR unless it starts with a slash, or contains ://

Then there are commands HOSTNAME and HOSTURL which affect the name and link at the end of the title line. For example, I might specify

HOSTNAME "Stephen Turner"
HOSTURL  http://www.statslab.cam.ac.uk/~sret1/
to generate the title "Web Server Statistics for Stephen Turner". Again, you can use none as the HOSTURL to specify no link. Analog will normally translate characters in the hostname to HTML if necessary. So to include literal HTML, such as accented characters, in the output you need to precede them by a backslash, like this:
HOSTNAME "M\&uuml;ller & S\&ouml;hne"

There are commands called HEADERFILE and FOOTERFILE. These let you specify files to be inserted near the top and bottom of your output. You can specify

HEADERFILE none
to cancel a previously-specified header file.

There are three related commands called SEPCHAR, REPSEPCHAR and DECPOINT. These specify single characters to be used as the thousands separator in numbers, the thousands separator within the columns in the reports, and the decimal point. For example, a French user might choose

SEPCHAR " "
REPSEPCHAR none
DECPOINT ,
to make "three thousand and a quarter" look like "3 000,25" in text and "3000,25" in the reports.

There is a command called RAWBYTES. Specify RAWBYTES ON if you want the exact number of bytes to be listed in reports, or RAWBYTES OFF if you want the number of kilobytes or Megabytes as appropriate to be listed instead.

Finally there is a command called PAGEWIDTH which specifies the width of the page. The output is not guaranteed to fit in this width, but analog will take notice of it when choosing the width of the time graphs, and when sorting the host report alphabetically; and if the output format is ASCII, when drawing horizontal rules and printing some bits of text. I recommend about PAGEWIDTH 65 for HTML output, and PAGEWIDTH 75 for ASCII output.


There are now some sections about configuring the output of particular reports, under the following headings: Time reports, Other reports and Hierarchical reports.

Time reports

This section is about commands which control the appearance of the time reports. There are eight such reports, which show the pattern of usage over time. Six of them show the usage at specific times, whilst the Hourly Summary and the Daily Summary show the total (not average) activity at particular times of day and week over the whole time period of the report.

Each time report can contain columns listing the requests, requests for pages, and bytes transferred at that time, using the following code letters.

R
Number of requests
r
Percentage of the requests
P
Number of page requests
p
Percentage of the page requests
B
Number of bytes transferred
b
Percentage of the bytes
Which columns appear in which reports is controlled by various COLS commands. For example, the command
HOURCOLS Pb
tells analog to include the number of page requests and percentage of the bytes, in that order, as the columns for the Hourly Summary. The other COLS commands are MONTHCOLS, WEEKCOLS, DAYCOLS (Daily Summary), FULLDAYCOLS (Daily Report), FULLHOURCOLS (Hourly Report), QUARTERCOLS and FIVECOLS. There is also a TIMECOLS command, which specifies that all the time reports are to have the specified columns.
Similarly, analog can plot the bar charts in the time reports according to the number of requests, number of page requests, or number of bytes. This is controlled by the GRAPH family of commands. So, for example,
FULLDAYGRAPH P
tells analog to plot the bar charts in the Daily Report by the number of page requests. This also controls how analog decides which is the busiest time period in the bottom line of the report. Using a lower case letter tells analog to plot the bar charts with ASCII characters instead of the normal red bars. (This produces shorter output, and it is how they appear anyway in ASCII output style, or when viewed with a non-graphical browser.) So, for example,
FULLDAYGRAPH b
would plot the Daily Report by bytes, without using the graphics. The other GRAPH commands are MONTHGRAPH, WEEKGRAPH, DAYGRAPH, HOURGRAPH, FULLHOURGRAPH, QUARTERGRAPH and FIVEGRAPH. There's also an ALLGRAPH command to set all of them simultaneously.
There are various possible graphics available for the graphs, controlled by the BARSTYLE command, as follows. (They will all look the same if you have a non-graphical browser.)

BARSTYLE a  +++++++++++
BARSTYLE b  +++++++++++
BARSTYLE c  +++++++++++
BARSTYLE d  +++++++++++
BARSTYLE e  +++++++++++
BARSTYLE f  +++++++++++
BARSTYLE g  +++++++++++
BARSTYLE h  +++++++++++
The default style is b.
You can plot the graphs either forwards in time (starting from the earliest date) or backwards (starting from the latest date). Use commands like
MONTHBACK ON  # Monthly Report backwards
WEEKBACK OFF  # Weekly Report forwards
The other BACK commands are FULLDAYBACK, FULLHOURBACK, QUARTERBACK and FIVEBACK. It tends to be confusing to mix directions (and analog will warn you if you attempt it) so usually you want to use the ALLBACK command which will set all of them at once.
For the more detailed time reports, you usually only want to list the last few time periods. (Every five minutes for the last three years?? I think not.) So analog provides some ROWS commands to let you specify how many rows you want in the time reports. For example
QUARTERROWS 96  # only the last day's worth
MONTHROWS 0 # 0 means no restriction: show all time
The other ROWS commands are WEEKROWS, FULLDAYROWS, FULLHOURROWS and FIVEROWS. Even if a ROWS command is given, the line at the bottom of the report will still show the busiest time period ever, not just the busiest one in that many rows.
The character which is used for plotting the graphs in ASCII style or on a non-graphical browser is specified by means of the MARKCHAR command. For example,
MARKCHAR =
tells analog to use the equals sign.

There is a parameter called MINGRAPHWIDTH which sets the minimum nominal size of the graphs. For example, if you set

MINGRAPHWIDTH 10
then the graph will be allowed to be up to 10 characters wide, even if that would exceed the PAGEWIDTH.

There is one more command which affects the time reports. You can specify which day should be counted as the first day of the week. This affects the layout of the Daily Report, Daily Summary and Weekly Report. For example, our local student newspaper publishes a new edition on the web every Friday, so they like to specify WEEKBEGINSON FRIDAY for their reports.

In the next section, we'll look at commands relating to the non-time reports.


Other reports

This section deals with the non-time reports. There are quite a lot of commands which control these reports, although we've seen some of them already.

First, these reports have COLS commands, just like the time reports. (See the section on Time reports for how to use these commands.) In the non-time reports, one additional column is possible, namely D for date of last access. So, for example,

REQCOLS RD
lists the number of requests for each file in the Request Report, and the time when that file was last requested. The full list of COLS commands for non-time reports is HOSTCOLS, DOMCOLS, REQCOLS, DIRCOLS, TYPECOLS, SIZECOLS, REDIRCOLS, FAILCOLS, REFCOLS, REFSITECOLS, REDIRREFCOLS, FAILREFCOLS, FULLBROWCOLS (Browser Report), BROWCOLS (Browser Summary), VHOSTCOLS, USERCOLS, FAILUSERCOLS and STATUSCOLS. Not every column is allowed in every report, but if you specify an illegal one, analog will warn you about it.
Next you need to know how use a SORTBY command to specify how the reports should be sorted. There are six possible ways of sorting reports: REQUESTS, PAGES (i.e., page requests), BYTES, DATE, ALPHABETICAL and RANDOM (no sorting, sometimes useful for speed in very long reports). For example, the command
HOSTSORTBY ALPHABETICAL
will sort the Host Report alphabetically. The other SORTBY commands are DOMSORTBY, REQSORTBY, DIRSORTBY, TYPESORTBY, REDIRSORTBY, FAILSORTBY, REFSORTBY, REFSITESORTBY, REDIRREFSORTBY, FAILREFSORTBY, FULLBROWSORTBY, BROWSORTBY, VHOSTSORTBY, USERSORTBY, FAILUSERSORTBY and STATUSSORTBY. Again, not every sort method is possible in every report, but you'll be warned if you choose an illegal one.

There is one known bug concerned with SORTBY ALPHABETICAL. The report is sorted before any OUTPUTALIAS is applied. This means that if an OUTPUTALIAS has been specified for the report, then the report will not be sorted correctly.


You can also specify a FLOOR for most reports, saying how much activity an item needs before it is listed on the report. There are lots of possible ways of specifying floors, which I'll list here, using the DOMFLOOR (Domain Report FLOOR) command as an example. Essentially each one consists of a number indicating the level of the floor, followed by a letter indicating the floor criterion.
DOMFLOOR 1000r       # all domains with at least 1000 requests
DOMFLOOR 1000p       # at least 1000 requests for pages
DOMFLOOR 1000000b    # at least 1,000,000 bytes transferred
DOMFLOOR 1Mb         # at least 1 megabyte
DOMFLOOR 0.5%r       # 0.5% of the requests (ditto %p and %b)
DOMFLOOR 0.5:r       # 0.5% of the maximum number of requests
                     # for any domain (ditto :p and :b)
DOMFLOOR 970701d     # last access since 1st July 1997
DOMFLOOR -00-01-00d  # last access in last month (see
                     # documentation on FROM and TO commands)
DOMFLOOR -100r       # domains with top 100 number of requests
                     # (ditto -100p, -100b, -100d)
The other FLOOR commands are HOSTFLOOR, REQFLOOR, DIRFLOOR, TYPEFLOOR, REDIRFLOOR, FAILFLOOR, REFFLOOR, REFSITEFLOOR, REDIRREFFLOOR, FAILREFFLOOR, FULLBROWFLOOR, BROWFLOOR, VHOSTFLOOR, USERFLOOR, FAILUSERFLOOR, STATUSFLOOR. Once again, not every floor method is legal for every report, but you'll be warned if you try and choose an illegal one.
I've already told you about how to turn each report on and off from the command line using its code letter. In fact, you can specify the SORTBY and the FLOOR in the same command. Take the example of the Referrer Report. If you follow the +f (to turn the report on) with a letter, it represents the sort method according to the following code:
r
REQUESTS
p
PAGES
b
BYTES
d
DATE
a
ALPHABETICAL
x
RANDOM
You can then, or alternatively, use one of the above FLOOR formats to specify the floor. If you specify a SORTBY, you can also leave off the last letter of the floor, and analog will guess it according to the sort method: the floor will be by pages or bytes if that is the sort method, and otherwise by requests. Here are four examples:
+fp
means turn the referrer report on and sort it by page requests, but says nothing about the floor;
+f100r
means list all referrers with at least 100 requests, but says nothing about the sort method;
+fb10000
means list all referrers with at least 10,000 bytes, sorted by bytes;
+fa-000101d
means list all referrers with accesses this year, sorted alphabetically.

We've already seen some other commands affecting what was listed in the non-time reports. The output INCLUDE and EXCLUDE commands specified lines to omit from each report, and the OUTPUTALIAS commands specified some aliasing to do on the names before they were listed. There were also LINKINCLUDE and LINKEXCLUDE, and REFLINKINCLUDE and REFLINKEXCLUDE commands to control what was linked to in the Request Report and the three referrer reports. You might want to have another look at these paragraphs.

There's one other command which affects the links in the Request Report. The command BASEURL prepends an additional string to the URLs in the target of the link. For example, after the command

BASEURL http://www.statslab.cam.ac.uk
/~sret1/ will be linked to http://www.statslab.cam.ac.uk/~sret1/, not just to /~sret1/. This is very useful if you want to display the statistics on a different server from the server they refer to. If you want the file to be listed as http://www.statslab.cam.ac.uk/~sret1/, rather than just to be linked to that address, you need to use the second argument to the LOGFILE command instead.

In the next section, we'll look at commands for generating hierarchical reports, which are closely related to the commands in this section.


Hierarchical reports

Some of the non-time reports have a hierarchical (or tree) structure: so, for example, each domain in the domain report can have subdomains listed under it, which in turn can have sub-subdomains, and so on. This section describes commands for managing hierarchical reports.

First, you need to be able to control what gets listed in the reports. For this you need to use the SUB family of commands. So, for example, the command SUBDIR /~sret1/* would ensure that the Directory Report would not only contain an entry for the sum of my files, but also one for each of my subdirectories, something like this:

29,111: /~sret1/
10,234:   /~sret1/analog/
 5,179:   /~sret1/backgammon/
11,908: /~steve/

If you specify a SUB command, all the intermediate levels are included automatically. So, for example, after

SUBDOMAIN statslab.cam.ac.uk
cam.ac.uk and ac.uk will be included in the Domain Report too, and after *.*.ac.uk, *.ac.uk will be included.

Here are examples of the other three SUB commands:

SUBTYPE *.gz      # in the File Type Report
SUBBROW Mozilla/*  # in the Browser Summary
REFDIR http://search.yahoo.com/*   # Referring Site Report

The SUBDOMAIN report (but none of the others) can included a second argument describing the subdomain. For example

SUBDOMAIN cam.ac.uk 'University of Cambridge'
Then that subdomain will be listed with its translation in the Domain Report. You can also have numerical subdomains: e.g.,
SUBDOMAIN 131.111 'University of Cambridge'
If you sort the subdomains alphabetically, the numerical ones will also be sorted alphabetically, not numerically. I don't think this will cause any problems.

One other use for the SUBDIR command is if you have used the second argument to the LOGFILE command. Suppose you have translated files like /index.html into http://www.mycompany.com/index.html. Then the command

SUBDIR http://www.mycompany.com/*
would be appropriate to make the directory report look right.
The lower levels of each report have FLOOR and SORTBY commands which work exactly the same as those we have already seen for the top level. These commands are SUBDIRFLOOR, SUBDOMFLOOR, SUBTYPEFLOOR, SUBBROWFLOOR and REFDIRFLOOR; and SUBDIRSORTBY, SUBDOMSORTBY, SUBTYPESORTBY, SUBBROWSORTBY and REFDIRSORTBY.

An sub-item is listed in a hierarchical report only if it is above the sub-FLOOR, and it is included with a SUB command, and its immediate parent is listed. For example, specifying

SUBDIR /*/*/
SUBDIRFLOOR -3r
SUBDIRSORTBY REQUESTS
would list the three subdirectories with most requests under each directory. SUBDIRFLOOR 1:r would have listed any subdirectory with at least 1% of the maximum number of requests of any top level directory.

The report INCLUDE and EXCLUDE commands for a hierarchical report only apply to the top level of the report: you can use the SUB commands for the lower levels.

The three file reports (Request Report, Redirection Report and Failure Report) and the three referrer reports (Referrer Report, Redirected Referrer Report and Failed Referrer Report) are not fully hierarchical, but they do list search arguments together under the file to which they refer (provided that the arguments have been read in: see the ARGSINCLUDE command). So they have similar sub-FLOOR and sub-SORTBY commands, namely REQARGSFLOOR, REDIRARGSFLOOR, FAILARGSFLOOR, REFARGSFLOOR, REDIRREFARGSFLOOR and FAILREFARGSFLOOR; and REQARGSSORTBY, REDIRARGSSORTBY, FAILARGSSORTBY, REFARGSSORTBY, REDIRREFARGSSORTBY and FAILREFARGSSORTBY.

That concludes the description of all the output configuration commands. Now we move on to some other individual topics, starting with the domains file.


The domains file

The domains file tells analog which country is represented by each domain. You can tell analog where to find your domains file with a command like
DOMAINSFILE lang/mydomains.tab
Normally you don't need this command, because if there is a domains file in your language, it should be selected automatically. But the DOMAINSFILE command can be useful if you want to use a domains file in a new language, for example.

If you haven't got a domains file, you can download one from http://www.statslab.cam.ac.uk/~sret1/analog/ukdom.tab. It should contain each domain code followed by its location on a new line, thus:

ad   Andorra
ae   United Arab Emirates
[...]
It does not need to be in alphabetical order, though humans may prefer it that way.

If you want HTML special characters in the domains file, you have to precede them with a backslash, like this:

am   Arm\&eacute;nie

Only domains which occur in the domains file will get their own line in the Domain Report: the rest are probably spurious, and will be accumulated together as "unknown domains". If you have debugging turned on, you can see which domains were unknown.


Computer-readable output style

This section describes the computer-readable output style. You can select this style by means of the command
OUTPUT COMPUTER
This style is designed to be easy to read into spreadsheets, or post-process with graphics creation tools, for example.

Each line in the output is separated into fields by means of a special string. You can specify this string by means of the COMPSEP command; for example

COMPSEP ,
for CSV (comma separated value) format. Make sure not to use anything that might occur in the output: for example, a single or double space would not be suitable.

Each line in the preformatted output begins with a letter indicating which report the line is part of. (The code letters for the reports are listed in the section on Configuring the Output.) After that, there follows a field indicating the remaining columns in the report (using the letters RrPpBbD as usual). Then there are the numerical data and then the name of the item. Times actually take up several fields: year, month, date, hour & minute, or as many of those as are necessary to identify the time.

The first line of most reports has f instead of the normal column letters, followed by the floor for the report, in the form it would be written for a FLOOR command, followed by the SORTBY using the code letters

r
REQUESTS
p
PAGES
b
BYTES
d
DATE
a
ALPHABETICAL
x
RANDOM

The general summary is a bit different. After an initial x, there is a two-character code saying what the line contains. The possible codes are

VE
Version of analog
HN
HOSTNAME
HU
HOSTURL
PS
Program start time
FR
Time of first request
LR
Time of last request
E7
Time last 7 days ends
SR
Total successful requests
S7
Total successful requests in last 7 days
PR
Total successful requests for pages
P7
Total successful requests for pages in last 7 days
FL
Total failed requests
F7
Total failed requests in last 7 days
RR
Total redirected requests
R7
Total redirected requests in last 7 days
NC
Logfile lines without status code
C7
Lines without status code in last 7 days
NF
Number of distinct files requested
N7
Number of distinct files requested in last 7 days
NH
Number of distinct hosts served
H7
Number of distinct hosts served in last 7 days
CL
Number of corrupt lines in the logfile
UL
Number of unwanted lines in the logfile
BT
Total number of bytes transferred
B7
Total number of bytes transferred in last 7 days

Cache files

Analog has the ability to archive some of the data in your logfile into a cache file so that the logfile can be thrown away without losing the most important data.

For most people, the cache file will not be needed: compressing the logfile using a standard compression utility such as gzip will be sufficient. Compressing a logfile is very efficient owing to the large number of repeated strings: I find about 12 times compression in practice. That in itself may solve your filespace problems, without needing to throw away any information.

The cache file is not the best format for post-processing the data or feeding it into a spreadsheet. For that you should use the computer readable output style.

If you are going to use the cache file feature, it is very important that you understand what is and what is not recorded. It is not possible to reconstruct everything of interest in the logfile from the cache file. The cache file does contain information about the total number of requests for each host and each file, but not about, for example, which files were read by which hosts. (To do so would take up as much disk space as the compressed logfile.) So you cannot later look at only one file and see which hosts read that file. Similarly, you cannot later restrict the files or hosts by date, using FROM and TO commands.

In summary, you should do all the inclusions and exclusions you want when you create the cache file. If you want different sets of inclusions and exclusions, you should create several cache files from the same logfile. You cannot later apply extra inclusions and exclusions accurately.

A couple of other minor points: the pattern of failed requests and redirected requests over time is not recorded in the cache file. So although the total number will still be correct, the number in the last 7 days can be under-reported subsequently. And times are only recorded to five-minute resolution.


You can create a cache file by setting the CACHEOUTFILE to be the file you want the cache to live in. Set
CACHEOUTFILE none
to turn it off again. You will still get the regular output as well as the cache output, unless you request OUTPUT NONE. To avoid overwriting, you cannot set the CACHEOUTFILE to be a file which already exists. (Disclaimer: on some systems, race conditions may very occasionally thwart this check. Also on a few systems, making the file writeable but not readable will allow it to be overwritten). You can include the date in the name of the CACHEOUTFILE in the same way as described earlier for the OUTFILE.

You can read in a previously-made cache file with the CACHEFILE command, or with the +U command line option. As with the LOGFILE command, you can use commas and wild cards to read in several cache files, and read compressed cache files using the UNCOMPRESS mechanism. Note that if you don't want to read a logfile as well as the cache file, you will have to explicitly set the LOGFILE to none.

When analog reads in a cache file, it will respect inclusions and exclusions as far as it can, but it does not apply any more aliases to the items. (This is to avoid double-aliasing.) So you must do any aliases you want at the time you create the cache file. Similarly, it does not obey the LOGTIMEOFFSET variable, to avoid double-offsetting, so any offset you want must be applied at cache-creation time too.

Sometimes you don't want to record all the types of item in the cache file. You might want to forget about which hosts had accessed your web site, for example, and only remember how many times each file was requested. You can choose not to include one type of item in the cache file by setting its LOWMEM to 3; for example, specify

HOSTLOWMEM 3
to exclude hosts from the cache file. Because this is a serious step, analog will produce a warning if you do this. You can even set all six LOWMEMs to 3 if you just want to remember the pattern of requests over time, not even which files were requested.
To use this feature and avoid losing entries or double counting them, I suggest you follow the following procedure.
  1. Archive the old logfile, and restart the server with a fresh logfile. (See your server documentation for how to do this.)
  2. Make both a cache file and an ordinary report from the old logfile.
  3. Make a report from the cache file and compare it against the report from the logfile to check it works. (This step really is worth doing!)
Now you can throw away the old logfile, if you've really understood what data you're losing by doing so. (But please remember that I can take no responsibility if something goes wrong: see the licence.)

I prefer to make a separate cache file from each logfile, in case something goes wrong with one of them, rather than a single cache file combining several logfiles, or a single cache file combining an old cache file and a logfile.


DNS lookups

Sometimes a logfile contains numerical IP addresses - like 131.111.20.59 - for the computers that have visited you, instead of names like lion.statslab.cam.ac.uk. This section describes how you can get analog to do so-called DNS lookups to translate these numbers into names. This relies on you having a suitably configured system: DNS lookups are not possible on some systems.

Unfortunately DNS lookups are typically very slow, because your computer has to ask across the network to find out the names of the hosts. For this reason, analog saves the addresses it has looked up in a file, so that you don't have to look them up again next time. (Even so, you may find the DNS lookups too slow to be usable.) The file is specified by a command like

DNSFILE dnsfile.txt
You will still need to use one of the commands in the next paragraph in order to actually use the file.

There are four possible levels of DNS activity. If you specify DNS NONE, no numerical addresses will be resolved. If you specify DNS READ, then analog will read the DNS file for old lookups, but no new lookups will take place. This mode is suitable if you are running analog while not connected to the internet. The third level is DNS WRITE. This reads the old file, looks up new addresses, and adds them to the file. (The first time you use DNS WRITE, you will get a missing-file warning as it tries to read the old file, but it will exist the next time.) The final level is DNS LOOKUP. This reads the old file and looks up new addresses, but doesn't add the new addresses to the file, so that they will not be remembered for next time. This is not normally a level that the user wants to specify, but analog will switch to this the behaviour if DNS WRITE fails for some reason.

If you are using a HOSTEXCLUDE command, you need to exclude the numerical IP address if it can't be resolved, or the name if it can. In other words, exclude whatever the host is known as in the report.


If two copies of analog were allowed to write to the DNS file at the same time, the file could become corrupted. So when analog is running in DNS WRITE mode, it creates a lock file which tells other copies of analog to back off to DNS LOOKUP. You can change the location of that file with the command
DNSLOCKFILE filename
Of course you should make sure that all copies of analog use the same lock file, at least if they have the same DNS file! If analog crashes, it may not clear up the lock file, so in that case you may have to delete it yourself. (Disclaimer: on some systems, race conditions may occasionally thwart this mechanism, but this is very unlikely.)

Analog never deletes anything from the DNS file: this means that the DNS file will grow, and can become quite large. You should delete the top of it every so often.

There are two parameters which say how long to trust old lookups for. If you set

DNSGOODHOURS 672
for example, then successful lookups will be checked again after 672 hours (4 weeks). You can also set the DNSBADHOURS similarly, to check failed lookups again after a certain time.

Finally, there is a debugging command, DEBUG +D to show all the DNS lookups that analog is making.


There are lots of tools to help with the DNS lookups on the helper applications page.
Normally you need never write a DNS file: you should rely on analog to do it for you. But in case you need to know, the format of the file is
timestamp IP_address name
where the timestamp is the number of minutes since midnight on 30-31/Dec/1969 (yes, I know this was the wrong choice), and the name is just * if the address couldn't be resolved.

Coping with low memory

This section describes how to run analog with lower amounts of memory. For a normal logfile this will make analog run a bit slower. But if your computer is running out of memory when running analog, it will go very slowly indeed: so for large logfiles, this can make analog run much faster, or even make an analysis possible that wouldn't otherwise be possible.

Recall what happens to an item when it has been read in. First it is aliased. Secondly, it is checked to see whether it is included or excluded. Then finally, if all the items are wanted, one request is added to its score.

Normally the name of the item is saved before the aliasing takes place. This avoids analog having to do the aliasing again next time the same item is encountered. But this can take up more memory than necessary. So there is a family of LOWMEM commands provided, which tell analog to record the name at a later stage, or even not at all. If you use these commands, analog will have to do a bit more work than normal, but it will use less memory. On most sites, the hosts take up most of the memory, so I'll use the HOSTLOWMEM command as an example.

The command

HOSTLOWMEM 0
represents the normal case, when the hostname is recorded before being aliased. If you specify
HOSTLOWMEM 1
instead, then the hostname is not recorded until after the aliasing. If you specify
HOSTLOWMEM 2
then the name is not recorded until after the inclusion and exclusion lookup has been done as well. And finally, if you give the command
HOSTLOWMEM 3
then the hostname is not saved at all, and the Host Report will not be constructed, even if you've asked for it. (The Domain Report can still be constructed though.) The analogous commands for the other items are FILELOWMEM, BROWLOWMEM, REFLOWMEM, USERLOWMEM and VHOSTLOWMEM.
So what should you do if analog runs out of memory? First, look in your logfile to see which items are taking up all the memory. If you have lots of different filenames, ones you generate on the fly for example, you would want to use the FILELOWMEM commands. Maybe you could combine all the similar filenames into one with a FILEALIAS command, and use FILELOWMEM 1. (If you have lots of different filenames caused by different search arguments, then using ARGSEXCLUDE might solve your problem without any need to use LOWMEM at all). But for most users, it is the hostnames which cause the problem. If you only want to analyse requests from certain hosts, then you could use HOSTLOWMEM 2 to exclude the others before recording those that are left. If you don't want to exclude any hosts, and you haven't got enough memory to record all the different hostnames, then HOSTLOWMEM 3 would be appropriate.

Debugging

This section lists commands to help you debug analog, if you think it's going wrong. There's another section later which lists all the errors and warnings which analog can generate, and what they all mean, and another section which tells you how to report bugs.

First, remember the option we mentioned before, to list the current settings of all of analog's variables. To get this, just put -settings on the command line, or PRINTVARS ON in one of your configuration files, along with your other commands. Then analog will produce the list of settings instead of running in the normal way.


There are commands which control how much debugging information and warning information analog gives out while it is running. By default you get all the warnings and no debugging, but you can change this by means of the commands DEBUG and WARNINGS. If you say
DEBUG ON
you get all the debugging. (And DEBUG OFF turns it all off.) You can also get just certain categories of debugging. The categories are
C
list all corrupt logfile lines
D
information about DNS lookups
F
information about file opening and closing
S
summary information about each logfile when it's closed
U
list unknown domains
V
list hosts without a domain (i.e., without a dot)
So, for example, the command
DEBUG FS
would give you information about file opening and closing, and what was in each logfile, but none of the other sorts of debugging. Each line of debugging information is prepended with its code letter. You can also specify
DEBUG +CD
to add C- and D-category debugging, and
DEBUG -CD
to remove them.

The WARNINGS command acts similarly. As well as WARNINGS ON and WARNINGS OFF, there are warnings in the following categories.

C
invalid configuration specified
D
dubious configuration specified
E
ERRFILE command used (see below)
F
files missing
L
apparent problems in logfiles
M
possibly problems in logfiles
R
turning off empty reports
See the section on Errors and warnings for more details about these various categories. Again, warnings are printed with their code letters.

You can also use command line abbreviations for these commands. The DEBUG command is represented by +V (for ON), -V (for OFF), +VFS (to select options FS), +V+FS (to add those options), and +V-FS (to remove them). Similarly the WARNINGS command can be given by +q, -q, +q<options>, +q+<options> or +q-<options>.


There is one more command which is useful when trying to debug analog. If you give the command
PROGRESSFREQ 20000  # say
then analog will produce a little message after every 20,000 lines it reads from the logfile. This is useful to determine whether the program has really stopped or (as is more likely) is just being slow for some reason (such as using DNS lookups).
To start with, all these messages go to standard error, which is normally just the screen. But you can change that by means of a command like
ERRFILE newfile
If you do this, analog will warn you that it's redirecting the messages, just so that you don't miss any. To change back to standard error, use
ERRFILE stderr
The ERRFILE command will erase any previous contents of that file. (So don't use the same ERRFILE command twice, or you may lose messages!)
There is just one more section about analog's configuration commands and command line arguments, but it's a rather long one, on the form interface. (This is a way of running analog by selecting options from a web page.) You might prefer to go straight onto the section on What the results mean.

Form interface and CGI program

The form interface provides an HTML front end to analog. That means that users can select options from a web page, instead of having to create a configuration file.

The form interface is suitable for ordinary users to use, but it needs to be set up by a system administrator or other expert. In order to set it up, you have to be running a web server. You need to know what CGI programs are, where they live on your server, and how to set up their permissions properly. And you need to know how to write HTML forms. I shall assume this level of background knowledge for the rest of this section. Also, I shall assume that analog has already been set up and is running properly on its own.

Warning: CGI programs can contain security loopholes which allow an unscrupulous user to harm your system. (If you don't know about this, you shouldn't be running CGI programs at all. Read and understand the World Wide Web Security FAQ first.) I have tried to make this form interface safe, but I cannot guarantee it, and I take no responsibility if anything goes wrong. You use it at your own risk. (See the licence.) Furthermore, you should be aware that unless you take special measures like password protection, setting up the form interface implies making analog executable, and your logfiles analysable, by anyone on the internet.

The form interface consists of two parts: a form to choose the options, and a cgi program to interpret them and pass them to the analog program. You don't in fact need the form at all: if you want to create a link to the cgi program, with the arguments passed in the URL in the usual way, then that's fine.

On Unix, to compile the cgi program, you must first edit the top of anlgform.c to indicate where analog lives on your system. Then type make form, which should compile this source into a program called anlgform.cgi.

On Windows, the cgi program is compiled already, and called anlgform.exe. It assumes that analog is at \analog\analog.exe (on the same drive as anlgform.exe), so you must put a copy of analog there.

There is a form called anlgform.html distributed with the program. You can also find forms in languages other than English in the lang directory. Before you use the form, you must uncomment and edit the action at the top to indicate where anlgform.cgi (or anlgform.exe on Windows) lives on your server. There are other instructions at the top of the form which you must read and do before the form will work.

The form which is distributed with the program should only be regarded as an example form. Almost every configuration command has a counterpart in the CGI program, and so you can add to the form options to do almost anything you want. (The main exceptions are aliases, which are too complicated, and HEADERFILE, FOOTERFILE and LOGFORMAT, which would allow people to view any file on your system.) I shall give the full list in a minute. But as an example, if you have a form element with name="lo", then its argument will be passed to a LOGFILE command, so you can allow your users to select a logfile in this way.

(It is theoretically possible, though I think very unlikely, that another file on your system could conform sufficiently closely to one of the predefined log formats that analog could be persuaded to analyse it and so reveal some of its contents. If you're worried about this, or even if you want to force only one particular logfile to be analysed from the form, you can put a LOGFILE command in your mandatory configuration file. This will override earlier LOGFILE commands, and thus make analog ignore any logfiles specified on the form. This trick is only possible on Windows if you compile your own version of analog.)

You can specify other configuration files to be included. When analog is called by the CGI program, it first processes the default configuration file as usual. Then it processes any configuration file specified by an argument with name cg. Then it processes all the other arguments which the CGI program specifies. After that, it processes any configuration file specified by an argument with name cm. Finally, it processes the mandatory configuration file as usual. You may therefore want two copies of analog, one for form use and one for non-form use, with different configuration files compiled in. Note that the commands in the default and mandatory configuration files will contribute to the configuration: some of them may even override options specified on the form.

If the option qv=1 is sent to the CGI program, then analog is not run, but a list of the configuration commands which would have been sent to analog is printed instead. This is useful for checking that the CGI program is working properly. It can also be used for using the form to produce a configuration file.

Troubleshooting

There are lots of reasons why the form interface may not work, and I can't diagnose them very easily. If it doesn't work, first check the following points:
  1. Do other CGI programs work on your server?
  2. Look in the server's error log for clues.
  3. Are all relevant files (analog itself, logfiles, configuration files etc.) readable by your web server?
  4. Include qv=1 in the arguments as explained above. If this works, then at least the CGI program is working.
  5. Try running the cgi program from the shell. Set the environment variable QUERY_STRING to equal "xq=1", and run anlgform.cgi directly.
  6. If some form options don't seem to take effect, then check whether they are being overridden by a command in a configuration file.
  7. If you get a long wait, then no data returned, the server is probably timing out the request before analog has finished. The remedy is to increase the timeout interval.
  8. There is one DNS issue which confuses people. The form always sets either DNS READ (if a DNS file is set on the form) or DNS NONE (otherwise). This may override what you have set somewhere else. You can override this behaviour in the mandatory configuration file, but you are likely to run into timeout problems if you do.

Here is the complete list of options which can be added to the form and will be interpreted by the CGI program. Each has a two letter name. Values are the same as for the corresponding configuration command except where stated.

Time reports

The first letter is the standard code letter for the report, except that the Quarter-Hour Report is q and the Five-Minute Report is p. The second letter is as follows. If the first letter is lower case, read the column marked lc; if it is upper case, read uc. So, for example, FIVECOLS is pc, but WEEKCOLS is Wd.
        lc   uc    value
ON/OFF   q    p    1 for on, 0 for off
GRAPH    g    h
ROWS     r    s
COLS     c    d

Other reports

Again, the first letter is the code letter for the report. The second letter is
                lc   uc    value
ON/OFF           q    p    1 for on, 0 for off
FLOOR            f    g    Excluding floor method
Floor method     h    i    r, p, b or d
SORTBY           s    t    0 for requests, 1 for pages, 2 for bytes,
                           3 for date, 4 for alphabetical, 5 for random
SUB              j         (Where applicable)
SUBFLOOR         w    x    As above
Subfloor method  y    z    As above
SUBSORTBY        u    v    As above
COLS             c    d
Report INCLUDE   l    m
Report EXCLUDE   n    o

Items

First letter as follows:
Browser       b
Referrer      f
File          r
Host          s
User          u
Virtual host  v
Second letter:
LOWMEM    k
INCLUDE   x
EXCLUDE   z

Miscellaneous

Command        Code    Value/Notes

ALLBACK        ab      1 for on, 0 for off
BASEURL        ba
CASE           ca      1 for sensitive, 0 for insensitive
CONFIGFILE     cg/cm   See above
COMPSEP        cp
               cr      Charset of language file
DNSGOODHOURS   da
DNSBADHOURS    db
DECPOINT       de
DOMFILE        df
DIRSUFFIX      di
DNSFILE        dn      Also sets DNS READ; o/wise DNS is set to NONE
FROM           fr
MINGRAPHWIDTH  gw
HOSTNAME       hn
HOSTURL        hu
IMAGEDIR       ie
LANGUAGE       la      Name of language: LANGFILE overrides
CACHEFILE      lc
LANGFILE       lf      Overrides LANGUAGE
LOGO           lg
LOGFILE        lo
LASTSEVEN      ls
LOGTIMEOFFSET  lt      For all logfiles
REFLINKINCLUDE lw
LINKINCLUDE    lx
REFLINKEXCLUDE ly
LINKEXCLUDE    lz
MARKCHAR       ma
OUTPUT         ot      0 for HTML, 1 for ASCII, 2 for COMPUTER
PAGEWIDTH      pw
PAGEINCLUDE    px
PAGEEXCLUDE    pz
               qv      Output configuration file, rather than run analog
RAWBYTES       rb
REPORTORDER    re
SEPCHAR        sa
REPSEPCHAR     sb
TIMEOFFSET     tm
TO             to
WARNINGS       wa      1 for on, 0 for off. If unspecified, get WARNINGS FL.
WEEKBEGINSON   wb      0 for Sunday, 1 for Monday, ..., 6 for Saturday
GOTOS          xp
GENERAL        xq
REFARGSINCLUDE yw
ARGSINCLUDE    yx
REFARGSEXCLUDE yy
ARGSEXCLUDE    yz

What the results mean

This section of the Readme is about understanding the results analog produces. It's divided into three subsections.

How the web works

This section is about what happens when somebody connects to your web site, and what statistics you can and can't calculate. There is a lot of confusion about this. It's not helped by statistics programs which claim to calculate things which cannot really be calculated, only estimated, with varying degrees of accuracy. The simple fact is that certain data which we would like to know and which we expect to know are simple not available.

I should say that these ideas are not new to me. In particular, I can recommend four excellent articles about this subject: Interpreting WWW Statistics by Doug Linder; Making Sense of Web Usage Statistics by Dana Noonan; Getting Real about Usage Statistics by Tim Stehle; and, the most negative of all, Why Web Usage Statistics are (Worse Than) Meaningless by Jeff Goldberg.


1. The basic model. Let's suppose I visit your web site. I follow a link from somewhere else to your front page, read some pages, and then follow one of your links out of your site.

So, what do you know about it? First, I make one request for your front page. You know the date and time of the request and which page I asked for (of course), and the internet address of my computer (my host). I also usually tell you which page referred me to your site, and the make and model of my browser. I do not tell you my user name or my e-mail address.

Next, I look at the page (or rather my browser does) to see if it's got any graphics on it. If so, and if I've got image loading turned on in my browser, I make a separate connection to retrieve each of these graphics. I never log into your site: I just make a sequence of requests, one for each new file I want to download. The referring page for each of these graphics is your front page. Maybe there are 10 graphics on your front page. Then so far I've made 11 requests to your server.

After that, I go and visit some of your other pages, making a new request for each page and graphic that I want. Finally, I follow a link out of your site. You never know about that at all. I just connect to the next site without telling you.


2. Caches. It's not always quite as simple as that. One major problem is cacheing. There are two major types of cacheing. First, my browser automatically caches files when I download them. This means that if I visit them again, the next day say, I don't need to download the whole page again. Depending on the settings on my browser, I might check with you that the page hasn't changed: in that case, you do know about it, and analog will count it as a new request for the page. But I might set my browser not to check with you: then I will read the page again without you ever knowing about it.

The other sort of cache is on a larger scale. I'm in the UK. Because the link across the Atlantic is sometimes very congested, we've set up a national cache. (Many individual ISP's also do the same thing.) I can set my browser to get your pages from the national cache instead of directly from you. If anyone else in the country has used the cache to look at your pages recently, the cache will have saved them, and will give them out to me without ever telling you about it. So hundreds of people could read your pages, even though you'd only sent it out once. Also, if the page I wanted wasn't already stored in the cache, the cache would ask for it from you on my behalf. This would mean that the request appeared to come from the cache, rather than from me. If several people did this, you would think that only one host was accessing the cache, rather than lots of different ones.


3. What you can know. The only things you can know for certain are the number of requests made to your server, when they were made, which files were asked for, and which host asked you for them.

You can also know what people told you their browsers were, and what the referring pages were. You should be aware, though, that many browsers lie deliberately about what sort of browser they are, or even let users configure the browser name. Also, a few browsers send incorrect referrers, telling you the last page that the user was on even if they weren't referred by that page.


4. What you can't know.
  1. You can't tell the identity of your readers. Unless you explicitly require users to provide a password, you don't know who connected or what their e-mail addresses are.
  2. You can't tell how many visitors you've had. You can guess by looking at the number of distinct hosts that have requested things from you. But this is not always a good estimate for three reasons. First, if users get your pages from a local cache server, you will never know about it. Secondly, sometimes many users appear to connect from the same host: either users from the same company or ISP, or users using the same cache server. Finally, sometimes one user appears to connect from many different hosts. AOL now allocates users a different hostname for every request. So if your home page has 10 graphics on, and an AOL user visits it, most programs will count that as 11 different visitors!
  3. You can't tell how many visits you've had. Many programs, under pressure from advertisers' organisations, define a "visit" (or "session") as a sequence of requests from the same host until there is a half-hour gap. This is an unsound method for several reasons. First, it assumes that each host corresponds to a separate person and vice versa. This is simply not true in the real world, as discussed in the last paragraph. Secondly, it assumes that there is never a half-hour gap in a genuine visit. This is also untrue. I quite often follow a link out of a site, then step back in my browser and continue with the first site from where I left off. Should it really matter whether I do this 29 or 31 minutes later? Finally, to make the computation tractable, such programs also need to assume that your logfile is in chronological order: it isn't always, and analog will produce the same results however you jumble the lines up.
  4. Cookies don't solve these problems. Some sites try to count their visitors by using cookies. But this can only work if you refuse to let people read your pages who can't or won't take a cookie. And you still have to assume that your visitors will use the same cookie for their next request.
  5. You can't follow a person's path through your site. Even if you assume that each person corresponds one-to-one to a host, you don't know their path through your site. It's very common for people to go back to pages they've downloaded before. You never know about these subsequent visits to that page, because their browser has cached them. So you can't track their path through your site accurately.
  6. You often can't tell where they entered your site, or where they found out about you from. If they are using a cache server, they will often be able to retrieve your home page from their cache, but not all of the subsequent pages they want to read. Then the first page you know about them requesting will be one in the middle of their true visit.
  7. You can't tell how they left your site, or where they went next. They never tell you about their connection to another site, so there's no way for you to know about it.
  8. You can't tell how long people spent reading each page. The same comments apply as in the previous paragraph. You can't tell which pages they are reading between successive requests for pages. They might be reading some pages they downloaded earlier. They might have followed a link out of your site, and they might or might not return later. They might have interrupted their reading for a quick game of Minesweeper. You just don't know.
The bottom line is that HTTP is a stateless protocol. People don't log in and retrieve several documents: they make a separate connection for each file they want. And a lot of the time they don't even behave as if they were logged into one site. Hence analog's emphasis on requests, rather than visits.

I've presented a somewhat negative view here, emphasising what you can't find out. Web statistics are still informative: it's just important not to slip from "this page has received 30,000 requests" to "30,000 people have read this page." In some sense these problems are not really new to the web -- they are present just as much in print media too. For example, you only know how many magazines you've sold, not how many people have read them. In print media we have learnt to live with these issues, using the data which are available, and it would be better if we did on the web too, rather than making up spurious numbers.


Analog's reports

This section summarises all of analog's reports, and the main commands which control them. For details on these commands, see the sections on Time reports, Other reports and Hierarchical reports. For exact details on what is counted in each report, see the section on Analog's definitions.

Top lines


Program started at Thu-24-Sep-1998 13:48.
Analysed requests from Wed-16-Sep-1998 09:52 to Mon-21-Sep-1998 02:04 (4.7 days).
The top two lines of the report tell you when the program was run, and which dates it includes data from.

General Summary


(Figures in parentheses refer to the 7 days to 24-Sep-1998 13:48).
Successful requests: 79,646 (48,947)
Average successful requests per day: 17,036 (6,992)
Successful requests for pages: 31,138 (18,689)
Average successful requests for pages per day: 6,660 (2,669)
Failed requests: 9,008 (6,378)
Redirected requests: 344 (235)
Distinct files requested: 8,180 (2,884)
Distinct hosts served: 6,640 (4,991)
Corrupt logfile lines: 2
Data transferred: 976,921 kbytes (627,067 kbytes)
Average data transferred per day: 208,967 kbytes (89,581 kbytes)
The General Summary contains some overall statistics about the data being analysed. For what the various lines mean, see the section on Analog's definitions. The figures in parentheses represent the seven days given at the top of this report: it's the seven days before the TO time if there was a TO command, or if not the seven days before the report was run.

You can turn this report on or off with the GENERAL command. You can include or exclude the figures for the last seven days with the LASTSEVEN command. You may get slightly different lines to those above, depending on other options you have set.

Monthly, Weekly, Daily, Hourly, Quarter-Hour and Five-Minute Reports


Each unit (+) represents 800 requests for pages, or part thereof.
week beg.: #reqs: pages: 
---------: -----: -----: 
13/Sep/98: 69614: 25277: ++++++++++++++++++++++++++++++++
20/Sep/98: 10032:  5861: ++++++++
Busiest week: week beginning 13/Sep/98 (26,654 requests for pages).
These reports tell you how many requests there were in each time period. They also tell you which was the busiest time period.

You can control whether each report is included or not with the appropriate ON or OFF command. You can control which columns are listed by the COLS commands. You can control which measurement to use for the bar charts and the "busiest" line by the GRAPH commands. You can determine how many rows are displayed with the ROWS commands. You can display the lines backwards or forwards in time by the BACK commands. You can change the graphic used for the bar charts with the BARSTYLE command.

Daily and Hourly Summaries


Each unit (+) represents 150 requests for pages, or part thereof.
day: #reqs: pages: 
---: -----: -----: 
Sun:  2031:  1193: ++++++++
Mon:  8001:  4668: ++++++++++++++++++++++++++++++++
Tue:     0:     0: 
Wed: 13934:  5915: ++++++++++++++++++++++++++++++++++++++++
[etc.]

These reports tell you the total number of requests in each day of the week, or each hour of the day, over the time period given at the very top of the report. (It's not the average, nor is it the figures for just the last week or last day).

You can control whether each report is included or not with the appropriate ON or OFF command. You can control which columns are listed by the COLS commands. You can control which measurement to use for the bar charts by the GRAPH commands. You can change the graphic used for the bar charts with the BARSTYLE command.

Other reports


Listing the first 5 files by the number of requests, sorted by the number of requests.
#reqs: %bytes:       last date: file
-----: ------: ---------------: ----
 4123:  2.29%: 21/Sep/98 01:57: /~sret1/analog/
 3064:  0.15%: 21/Sep/98 01:54: /~sret1/analog/analogo.gif
 1737:  0.01%: 21/Sep/98 01:53: /~sret1/images/bar1.gif
 1692:  0.01%: 21/Sep/98 01:53: /~sret1/images/bar16.gif
 1685:  0.01%: 21/Sep/98 01:53: /~sret1/images/bar8.gif
67345: 97.54%: 21/Sep/98 02:04: [not listed: 8,175 files]

The rest of the reports are all quite similar. Here is a list of them. If you're unfamiliar with some of the terms, see the section on Analog's definitions. Whether you can get all of these reports depends on what information is recorded in your logfile.

As usual, you can control whether each report is included or not with the appropriate ON or OFF command. You can control which columns are listed by the COLS commands. You can change how the reports are sorted by the SORTBY commands. You can control how many items are listed by the FLOOR commands. You can include or exclude individual items with the output INCLUDE and EXCLUDE commands. You can change the names of items in the reports with the OUTPUTALIAS commands.

The "not listed" line at the bottom counts those items which didn't get enough traffic to get above the FLOOR for the report, and those which were explicitly EXCLUDEd.

Most of these reports have a hierarchical structure, like this example for the Domain Report:


Listing the first 5 domains by the number of requests, sorted by the number of requests.
#reqs: %bytes: domain
-----: ------: ------
13243: 16.23%: .com (Commercial)
 1262:  1.26%:   aol.com
11783: 25.64%: .jp (Japan)
 9592: 22.19%:   ad.jp
 1043:  1.97%:   co.jp
10073: 11.62%: .net (Network)
 1926:  1.71%:   uu.net
 9657: 13.31%: [unresolved numerical addresses]
 7388:  8.04%: .uk (United Kingdom)
 5792:  5.74%:   ac.uk
 1510:  1.99%:   co.uk
18502: 25.16%: [not listed: 82 domains]

You can control which items are listed on the lower levels by the SUB family of commands (the report INCLUDEs and EXCLUDEs only work at the top level). There are also separate sub-SORTBY and sub-FLOOR commands for the lower levels. (Called ARGSSORTBY and ARGSFLOOR for some reports, such as the Request Report.) Notice that the lower levels are always listed with their parents, so they break up the sort order. Also, they don't count towards the total number of items listed (so there are only 5 domains listed in the example above).

Which files are linked to in the Request Report is controlled by the LINKINCLUDE and LINKEXCLUDE commands, and which files are linked to in the various referrer reports is controlled by the REFLINKINCLUDE and REFLINKEXCLUDE commands. The links in the Request Report are also affected by the BASEURL command.

Bottom lines


This analysis was produced by analog3.32/Unix.
Running time: 8 seconds.

At the end of the report you can see which version of analog produced the report, and how long the report took to run.

Analog's definitions

This section describes how analog defines its terms, and exactly what is counted in each category. We start with some basic definitions.

The host is the computer which has asked you for a file. The file might be a page (i.e., an HTML document) or it might be something else, such as an image. The total requests counts all the files which have been requested, including pages, graphics, etc. (Some people call this the number of hits, but that word is used in different ways by different people, so I avoid it). The requests for pages obviously only counts pages. The referrer for a request is the place that the user (or his computer) heard about your file from. If he followed a link to reach a page, it will be the previous page. In the case of a graphic on a page, the referrer will be the page containing the graphic.


Analog recognises four categories of request, based on the HTTP status code of the request. You can see the total number of requests for each status code, and what the codes mean, in the Status Code Report. (Or see the HTTP spec for a detailed description.)

First, successful requests are those with HTTP status codes in the 200's (where the document was returned) or with code 304 (where the document was requested but was not needed because it had not been recently modified and the user could use a cached copy). Sometimes the logfile line doesn't contain a status code. These lines are also assumed by analog to be successes.

Redirected requests are those with other codes in the 300's, indicating that the user was directed to a different file instead. The most common cause of these requests is that the user has incorrectly requested a directory name without the trailing slash. The server replies with a redirection ("you probably mean the following") and the user then makes a second connection to get the correct document (although usually the browser does it automatically without the user's intervention or knowledge). The other common cause of redirected requests is their use as "click-thru" advertising banners.

Failed requests are those with codes in the 400's (error in request) or 500's (server error). They come about for a variety of reasons, but the most common are when the requested file is not found or is read-protected.

Finally, requests returning informational status code are those with status codes in the 100's. These are very rare at the moment.

There are a few other types of logfile lines listed in the General Summary. Lines without status code refers to those logfile lines without a status code, and the successful requests in the General Summary only counts the ones with a status code: except if the line contains the name of the file requested, and the filename is being counted (not starred in the LOGFORMAT), then it's listed in the successes. Corrupt logfile lines are those which analog didn't manage to parse. And unwanted logfile entries are ones which we have specifically excluded. Successful requests for pages refers to those lines on which the file requested was given and was defined as a page by the PAGEINCLUDE command.


Most reports only include successful requests in calculating the number of requests, requests for pages, bytes, and last date: unless, of course, the report is a redirection or failure report. There is a further restriction on the time reports, the status code report and the file size report: the logfile line must also contain the name of the file requested, and the filename must be being counted. This is necessary to stop double counting if the server uses separate logs.

The "not listed" line at the bottom of each of the non-time reports includes both those items which were explicitly excluded at the output stage with an OUTPUTEXCLUDE command, and those which were not listed because they were below the floor for the report.

The figures in parentheses in the General Summary are for the last seven days: either the seven days before the TO time, or if no TO time is given, the seven days before the time of the program start. (It would be nicer to use the seven days before the last time in the logfile, but we don't know when this is until we've read the whole logfile, and by then it's too late.) The figures for the last seven days are not included if all, or none, of the requests fall in the last seven days.

In the Domain Report, "domain not given" means that the hostname did not contain a dot. "Unknown domain" means that it did contain a dot, but that the domain name was not in the domains file. The hosts and domains concerned can be listed by turning debugging on.


Errors and warnings

This section lists all the errors and warnings which analog can produce, together with a short explanation.

First, you should understand the difference between a crash, an error, a warning, and a debugging message. First, a crash is when analog exits prematurely, without producing the whole output file. The system might give a message, but analog will not give one of its own messages. Analog should never crash. If it does crash, please tell me about it.

An error is something which stops analog finishing its job. Whenever an error is detected, analog gives a message starting something like analog: Fatal error: and will then tell you what type of thing went wrong before quitting.

A warning is a problem which is not fatal to analog: it will keep on with its processing. These vary from the possibly serious, such as files which could not be found, to purely informational. They produce a message starting analog: Warning. You can turn warnings off using the WARNINGS command.

Finally, a debugging message gives information on the state of the program. They just begin with a single code letter followed by a colon. You don't get any debugging messages unless you've asked for them.

Now I shall describe all the possible errors and warnings in detail.


Errors

Ran out of memory: cannot continue
Analog ran out of memory. Try increasing the memory available to the process, if your operating system will allow it, or using the LOWMEM commands.
Cannot ignore mandatory configuration file
See the section in the Readme on the mandatory configuration file.
Can't find language file
Language file too short
Language file contains excessively long lines
Analog can't run without a well-formed language file. See the documentation on language files.
Attempted to read more than 50 configuration files
The most likely explanation for this is that you have accidentally created a loop using the CONFIGFILE command, for example if a configuration file includes itself.
Incorrect default given in analhead.h
Default given in analhead.h too short
If you've compiled your own version, and you've specified an incorrect configuration in the file analhead.h, analog gives up to allow you to fix it.
Failed to open output file for writing
Analog couldn't create, or couldn't write to, the output file you specified.
Cache output file already exists: won't overwrite
Analog won't overwrite an old cache file. You must move or delete it yourself first.
OUTFILE and CACHEOUTFILE are the same
OUTFILE and CACHEOUTFILE both set to stdout
This can't be what you wanted, because one would overwrite the other.
OUTPUT NONE and CACHEOUTFILE none selected
You requested no output.

Warnings

Remember that warnings are not fatal, and that you can turn them off using the WARNINGS command. The possible warnings come in several different categories, shown by a letter in the warning message. The categories are as follows.

Category C

This category indicates an incorrect configuration. Analog will either ignore what you said, or try and do the best it can with it. There are too many warnings in this category to list completely. You will have to consult the documentation for the particular configuration command that gave an error. If you get an error for a command which used to work in a previous version of analog, have a look in the section Updating from older versions.

Category D

This is for configurations which might be intended, but which look suspicious.
LOGFORMAT with no subsequent logfile
You have specified a LOGFORMAT command, but no subsequent logfile to which it could be applied. Most likely you put the LOGFORMAT after the LOGFILE command. You must put the LOGFORMAT before the LOGFILE command or use DEFAULTLOGFORMAT instead. See the section on Specifying a log format for more details.
Offset not a multiple of 30
Offset more than 25 hours
The time offsets are meant to be for correcting between differences in time zones. These differences are usually multiples of 30 minutes between -25 and +25 hours. Maybe you specified the offset in hours instead of minutes by mistake, or something like that.
FROM time is later than the present
Usually this will mean that no entries are counted. Analog doesn't try and correct it in case the clock on your computer or your server is wrong -- but you would be better using TIMEOFFSET or LOGTIMEOFFSET to correct those clocks.
SORTBY doesn't match FLOOR
SORTBY (or FLOOR) isn't included in COLS
Within one report, it's helpful to your readers to have the sort method and the floor compatible, and both included in the COLS. (See the section on Non-time reports).
Time reports have not all got same value of BACK
It's usually helpful to have all the time reports running in the same direction.
Report contains no COLS
You've got an empty COLS list for one report, so you'll just get a list of names, not any information about them.
LOWMEM 3 prevents that item being cached
You're making a cache file, but one item is not being recorded because of a LOWMEM command, and will therefore not be saved in the cache file.

Category E

There is only one warning in this category.
Redirecting future diagnostic messages
You've used an ERRFILE command to change the destination of errors, warnings, debugging and PROGRESSFREQ diagnostics. This is just warning you so that you don't miss any messages.

Category F

This category is for diagnosing files which couldn't be opened or read successfully. These can be serious, but most of the messages should be self-explanatory. There are two worth mentioning specifically.
Can't auto-detect format of logfile
The LOGFORMAT is set to automatic detection, but the first line of the logfile is not in any of the standard formats. This error can often be generated when you try and specify your own LOGFORMAT but put it after the LOGFILE command so that it is not in effect for that logfile.
DNS lock file already exists
To stop two copies of analog trying to write the DNS file at the same time, an empty "lock file" is created, which tells the second copy of analog to use DNS LOOKUP instead of DNS WRITE. If analog crashes, it may not delete its lock file. So if you get the "already exists" message even though no other copy of analog is running, you may need to delete the lock file yourself.

Category L

When analog finishes reading a logfile, it checks whether there might have been something wrong with it.
Large number of corrupt lines
This could indicate a problem with the logfile, or with the LOGFORMAT specification. The possible causes are described in the section about Choosing a logfile.
Logfiles overlap: possible double counting
Two logfiles which were counting the same type of item overlapped in time. Maybe you read two copies of the same logfile. Or maybe the LOGFORMAT specification should have told analog to ignore some of the items. Or it could be that the logfiles are in fact disjoint and there wasn't really a problem: analog only checks the dates of the logfiles, not the details of them. In this last case, the statistics produced will still be correct.

Category M

This category is for warnings about logfile formats which might make analog produce unexpected results.
Logfile contains lines with no [whatevers], which are being filtered
This is usually harmless. It is perhaps best explained by example. Suppose you are excluding certain files from the analysis, but that you are also analysing a browser log which just contains information about the browsers used, not which files they read. Then we can't exclude the browsers which read the excluded files, because we don't know which they were, so all browsers will be included.
Logfile contains lines with no file names (or bytes): page (or byte) counts may be low
If a logfile line doesn't contain a file name, analog will assume that the request wasn't for a page. Similarly, if it doesn't give the number of bytes transferred, analog will make the bytes zero. So the number of page requests or bytes credited to the other items on that line will then be too low.

Category R

This is used when analog turns off an empty report. This could be because none of the relevant items were included in any of the logfiles, or perhaps beacause a LOWMEM command stopped them being recorded.

Broken Pipe

This is not an analog-generated warning, but it can result from analog closing a logfile it's uncompressing without reading the whole of it, when it determines that it will not need it.

Frequently asked questions

This list is divided into six sections:
  1. Getting Started
  2. Basic Configuration
  3. Understanding the Output
  4. Advanced Usage
  5. Form Interface
  6. Design Decisions
Sometimes two or three questions have the same answer!

A. Getting Started

Most questions in this category are answered in the section entitled Starting to use analog. If you can't get analog running you should look there.
  1. Analog just flashes up a DOS window and then quits.
    This is the correct behaviour. It should have created a report called Report.html. See Starting to use analog under Windows.
  2. When I try and compile analog, it gives me an error (e.g. on SunOS 5).
    Maybe you need to edit the Makefile. There are some platform-specific notes in the section Starting to use analog on other platforms, and in the Makefile itself.
  3. Analog didn't write the logfile when I ran it.
    Analog doesn't write the logfiles. Your web server writes the logfiles, and analog just reads them. See Starting to use analog.
  4. Analog is looking for files like /usr/local/etc/httpd/analog/analog.cfg which don't exist.
    You have to set the location of these files in analhead.h before compiling.
  5. Analog won't read extended logfiles generated by IIS.
    This server writes the date only at the top of the logfile, not on every line. But it doesn't write a new date if the date changes during the logfile, so analog can't tell which date later entries in the log occurred on. More details, and what to do about it, are in the section on Choosing a logfile.
  6. What does this error message mean?
    See the section on Errors and warnings.
  7. I tried to run analog from my browser, but it didn't work.
    You can't run analog itself directly from a browser. You need to use the CGI program which outputs the correct HTTP headers.
  8. Is analog Year 2000 compatible?
    Yes (and so are all previous versions). It interprets two-year dates in input as lying between 1970 & 2069 inclusive.

B. Basic Configuration

Analog has lots of configuration commands, all of which are in the section on Customising analog. Here are some of the most common questions. If your question isn't answered here, you could also try looking in the index.
  1. I want to make several different statistics pages. Do I have to install several copies of analog?
    No. Just install it once, and run it with different configuration files.
  2. Why doesn't the Daily Report only show the last six weeks?
    This is controlled by the FULLDAYROWS command.
  3. How do I get information on just my pages, not everybody's?
    Use the FILEINCLUDE command.
  4. How do I ignore accesses from my site?
    Use the HOSTEXCLUDE command.
  5. How do I get the Request Report to list files with fewer than 20 requests?
    Use the REQFLOOR command.
  6. Why are my browser and referrer reports empty?
    Maybe your logfile doesn't contain any browser and referrer information?
  7. Why do the time reports all list 0 requests?
    They probably only list 0 requests for pages. Maybe you need to use PAGEINCLUDE to count more files as pages.
  8. Why can't I have P in the REQCOLS or REQSORTBY?
    The number of page requests doesn't make sense in the Request Report because it's either the same as the number of requests (if the file is a page) or zero (if it isn't). If you want to list only pages in this report, use REQINCLUDE pages instead.
  9. How can I combine all the hosts from each company in the Host Report?
    You can see this information in the Domain Report if you use the SUBDOMAIN command: for example SUBDOMAIN *.com. (Or you can several HOSTALIAS commands -- but I think the first solution is better).
  10. I want to list (or not to list) referrers with their search arguments in the Referrer Report
    To see the search arguments you may need to set the REFARGSFLOOR lower. To avoid seeing them, you could set the REFARGSFLOOR higher, or alternatively use the REFARGSEXCLUDE command to ignore them either for all files or just for particular files.
  11. Can I find out the number of hosts that have accessed each file?
    or Can I find out the number of hosts visiting on each day?
    No; these would be useful, but it would require too much memory (you need to store all host/file pairs, or all host/day pairs). If there's a particular file you're interested in, use FILEINCLUDE to restrict the analysis to only that file. If there's a particular day you're interested in, use FROM and TO to restrict the analysis to only that day. You can see the last date on which each host visited by using the HOSTCOLS command.
  12. Can I get data on individual visitors, or visits, to my site?
    No, it's not technically possible, and don't believe any program which tells you it is. See the section on How the web works for details.

C. Understanding the Output

Most of the questions in this category are answered in the section on What the results mean, which I really recommend you read if you want to understand what analog is telling you.
  1. How do I find out the number of hits from your data?
    I don't use the word hits, because people use it in different ways, so it's misleading. I use requests for the number of transfers of any type of file (text, graphics, ...), and page requests for the number of transfers of HTML pages. See the section on Analog's definitions for more information.
  2. Why are there so many referrers from my own site?
    These come from all the internal links on your site, and all the graphics on your pages. See the section on How the web works for more information. If you don't want to see them, you can use REFREPEXCLUDE to exclude them.
  3. Why doesn't analog agree with the counter on my page?
    There are lots of possible reasons. Do they both start from the same date? Are you just looking at requests for that one page with analog, not for all your other pages and graphics? Also, analog will record all requests to that page; if it's a graphic, your counter will only measure requests from people on graphical browsers that reached that place on the page.
  4. Why do I only get "unresolved numerical addresses" in the domain report?
    Your server only records the numerical IP address of the hosts that contact you, not their names. Read the section about DNS lookups, or turn DNS resolution on in your server.
  5. Why are my CGI scripts not listed in the Request Report?
    If they cause a redirection to another page, they will be listed in the Redirection Report, rather than the Request Report.
  6. Why are directories listed in the Request Report?
    They are not directories, they are pages with the same name as the directory. For example, I have both a directory called /analog/ and a page called /analog/ (which happens to be the same as /analog/index.html).
  7. When someone reads one of my pdf files, it scores dozens of hits.
    PDF files are often downloaded and read one page at a time, and each page will then count as a separate request. Although this is not ideal, it's much less clear what to do about it. Analog has no way of knowing how many pages constituted a single download in the reader's mind. As usual, we can only reliably report how many requests there were at the server, not guess what users did with the file later.

D. Advanced Usage

  1. How can I do such-and-such with a command line option?
    Use the +C option to put any configuration command on the command line.
  2. I want a list of all command line arguments.
    There is a list in the index.
  3. Can analog read FTP logfiles?
    Yes, to some extent. But you will have to write your own LOGFORMAT as there is no standard format for FTP logfiles. And you may find it difficult to read anything other than the lines corresponding to file transfers.
  4. How can I run analog automatically every day?
    This depends on your particular machine. On Unix, you need to run analog as a cron job (see "man cron"). This is my cron command to run at 1:50am every day:
    50 1 * * * $HOME/bin/analog
    On Windows NT you can do the same with the at command, but only an administrator can run at. On Windows 98, it should be possible with the Task Scheduler, although I haven't tried it. On Windows 95 it's not possible as far as I know.
    On Mac, there are programs called Cron or CronoTask to do this.
  5. I host lots of virtual domains. How should I set up analog?
    In my opinion, if you haven't got many virtual domains, the best thing is to log each one to a different logfile and analyse them independently. If you have got lots of virtual domains, you may have to log them all to the same logfile. In that case, make sure to log the virtual host name on each line. Tell analog the LOGFORMAT if necessary, and then use the VHOSTINCLUDE command to pick out the lines you want. Alternatively, split the single logfile into separate logfiles before running analog on it; this avoids making several passes through the whole logfile.
  6. Can I make multiple reports with one pass through the logfile?
    Not at the moment. I want to do this in a future version, but it will require some considerable work.
  7. I ran out of memory when trying to run analog. What can I do?
    See the section on Coping with low memory.
  8. You're processing 20,000,000 requests in under 10 minutes. Why is mine much slower?
    or Analog appears to stall.
    If you have DNS lookups on, they are very slow. Otherwise, it probably depends on the speed of your computer and disks, and what other programs are running at the same time. You can use the PROGRESSFREQ command to see if it's really stalled or whether it's just being slow. If you are running out of memory, you might find analog's LOWMEM commands helpful.
  9. How do I make a link on my page that runs analog?
    Link to the anlgform program, with the desired options. But be careful about the load on your server.
  10. Do I have to save all my old logfiles?
    or Can analog make statistics from an old report instead of reading the whole logfile again?
    These questions are answered in the section about Cache files.

E. Form Interface

There is also a section on troubleshooting in the documentation about the form interface.
  1. My browser asked me to save anlgform.exe, rather than running it.
    You have to tell the server to execute the CGI program, not just send it out like it would for a normal file. Often this is done by putting it in a special /cgi-bin/ directory.
  2. Why does the form interface give "Document Returned no Data"?
    If it doesn't happen for a while, then probably the server is giving up before the analog process has finished running. Increase the timeout interval on the server.
  3. The images don't appear when running analog from the form interface.
    You probably need to change the IMAGEDIR. If the images are in your /cgi-bin/ directory, the server will try to execute them instead of just sending them out.
  4. How can I specify different logfiles from the form interface?
    Just add a new field to the form with name=lo
  5. Why do I get some reports that weren't requested on the form?
    If a report is neither included nor excluded on the form, the system default will be used. This will depend on your configuration files and on compile-time settings.

F. Design Decisions

or "Why didn't you do it this way?"
  1. Can I change the background colour of my output?
    or Why doesn't the HEADERFILE replace the whole </head> of the output file?
    or Why not use HTML tables?
    These things don't work in HTML 2.0, which is the sort of HTML analog writes.
  2. Well then, why not use HTML 4.0?
    Unfortunately my bar charts don't work in HTML 4.0. Also, not all browsers can cope with some features of HTML 4.0, such as tables. HTML 2.0 works on all browsers.
  3. Why not just do DNS resolution of the hosts that actually make it into the Host Report?
    There is one theoretical and one practical problem. Theoretically, the problem is that which hosts do make it into the Host Report can change when the DNS lookups have been done. And practically, this wouldn't help identify the busiest countries or organisations, which is usually what you really want to know. However, there is a Perl script on the helper applications page to do this.
  4. Couldn't you do the DNS lookups faster with threads?
    The problem is, the standard commands for DNS lookups are not thread-safe on many platforms, so it would involve a lot of platform-specific code. Again, there are programs for specific platforms on the helper applications page.
  5. Why doesn't analog analyse the error_log?
    This is answered in detail on the What's new? page. But in summary, it's too difficult because each server has a different format for its error log. The various failure reports are good enough for most purposes.
  6. My server lists local names in the logfile. Can you put a common suffix on them automatically?
    This wouldn't be a good idea, because things like "unknown" would get the suffix. You can always add them using HOSTALIAS.
  7. Can you extrapolate from the current month's partial data to produce a prediction for the whole month, based on the rate so far?
    No. There are too many problems in trying to produce anything sensible, especially near the beginning of the month. Different days of the week and different times of day cause lots of problems. I would prefer to produce raw accurate data than suspect derived data.
  8. Can you extend the Domain Report to say which US states people visited from?
    No. Some programs pretend to do this, but you can actually only tell which state the computer the person was using is in, which may be quite different from where the user was for ISP's or other large organisations.
  9. Why not use language codes instead of country codes for the names of the language files?
    People are more familiar with the country codes. And not all of my languages have language codes anyway.
  10. Why don't you sell analog?
    I didn't write analog for the money, and I'm happy just to see people use it. Also, by making it open source, lots of people send me ideas and code to include in future versions. How do you think I got all those languages? (Of course, if you want to send me money, or gifts in kind, or even just postcards...).

If there's still something you can't figure out, see the next section for how to get help with analog.

Mailing lists

I welcome mail about analog, both praise and bug reports! I and others are also usually happy to help people who have trouble with analog: it helps me to find bugs, and know where the documentation is unclear.

There are three mailing lists for analog.

analog-announce
Announcements about analog. I post to this when there are new versions, for example. Usually only gets a few messages a year.
analog-help
Getting help with analog from experienced users. This is the place to go if you have trouble setting up or configuring the program. Usually you will get a swift reply. There is also a searchable web archive of this list.
analog-author
This just goes to me. Use for private comments. You may or may not get a swift reply, depending how busy I am with other things.

To subscribe to the analog-announce mailing list, send a message to analog-announce-request@lists.isite.net with the word subscribe in the main body of the message. Note that the word has to be in the body of the message, not the subject. Also please note the -request part of the address.

If you want to get help with analog, please check the following simple things first.

  1. Read the FAQ. Maybe I've answered your question already. If I have, I'll just direct you to the FAQ, not answer it again.
  2. Read the list of known bugs at my site, to see if your bug is already known about.
  3. Read the other relevant pages of the Readme, particularly the sections on Starting to use analog and Customising analog. You may also find the index useful. I don't appreciate people who are too lazy to read the documentation. (If the documentation is unclear, or the relevant paragraph is too well hidden, then that's a different matter. Of course I want to know about that.)
  4. Have a look in the web archive of the mailing list to see if your question has already been answered there.
  5. If analog isn't doing what you thought you asked it to, then run it with the PRINTVARS ON configuration command, and see what options it thinks it's meant to be using.
I'm sorry to be so fussy, but a lot of the mail on the list really needn't have been sent at all, and just wastes the time of everybody on the list. As I say, I really do welcome genuine mail.

If you still need help, write to the analog-help mailing list. First you have to subscribe (you can't send mail without subscribing) by sending a message to analog-help-request@lists.isite.net with the word subscribe in the main body of the message. (Note that the word has to be in the body of the message, not the subject.) After you've received an acknowledgement that you have subscribed, you can send mail to analog-help@lists.isite.net. Don't try and use this address for subscribing though. It won't work!

Please do the following when you send mail to the list.

  1. Describe exactly what you did, what you expected, and what the computer did. Include the exact text of any error messages, not a précis.
  2. Mention which version of analog you are using, on which operating system.
  3. Give your mail a subject line which indicates immediately what aspect of analog it is about. (This is useful for the archive).
  4. Do not send long files or attachments unless you're asked to. We do not want to see your configuration file, your header file, your output file, or any logfile over 10 lines long. They are almost always useless to us. And anyway, excessively long messages will be rejected by the mailing list server.

If you want to send a private message to me, you can send it to me at analog-author@lists.isite.net.

Many thanks to ISite for providing these mailing lists for me, and to The Mail Archive for archiving the analog-help list.


Helper applications

Some people have written helper applications for analog. These are independent programs which work together with analog to make certain tasks easier. There are graphical configuration tools, for example, or tools which post-process analog's output to produce graphs. There are tools to do the DNS lookups more quickly, configuration files for certain jobs, and lots of other things.

These helper applications are all listed at the analog site. The list is growing quite quickly, so I'm not distributing it with the program. But I strongly recommend you go to the analog home page (or even better, to your local mirror site) and check it out.


Acknowledgements

Many people have helped me with analog, and I can't thank them all specifically. But I do appreciate everyone who's given me feedback or sent me bug reports.

Thanks are due to the author of getstats, Kevin Hughes. In the days before analog there were only three serious logfile analysis programs, and only one of them, getstats, had attractive output. I wrote analog when getstats stopped being able to cope with the size of our logfile, but my output still looks somewhat similar to his.

Thanks are also due to all those who helped in the early stages of writing this program, and gave me the encouragement to continue with analog and to release it publicly. Those who made helpful suggestions during beta testing are numerous, but I must mention particularly Dan Anderson, Martyn Johnson, Joe Ramey, Chris Ritson, Quentin Stafford-Fraser and Dave Stanworth. Above all Gareth McCaughan gave me lots of programming advice. The program would have run much more slowly without him.

Many people have provided mirror sites for analog, starting with Dave Stanworth (again!). The full list of mirror sites is listed elsewhere; thanks to all of them. Many thanks also to ISite for providing the mailing lists, and to The Mail Archive for archiving the analog-help list.

Mark Roedel first suggested porting analog to different platforms, and made the original DOS port. Shortly afterwards, Jason Linhart made the Mac port, and has continued to contribute lots of extra code for that platform and for the program in general. The Mac version also includes code contributed by Stephan Somogyi and Nigel Perry, and uses the ZLib library by Jean-loup Gailly & Mark Adler. Later ports were made by Dave Jones (VMS), Magnus Hagander (Win32), Nick Smith (Acorn RiscOS), Scott Tadman (BeOS), and Martin Kraemer & Holger Schranz (BS2000/OSD). Ivan Martinez compiles the OS/2 version. The BS2000/OSD port includes code developed by the Apache Group for use in the Apache HTTP server project. If NEED_MEMMOVE is defined at compile time, then this product includes software developed by the University of California, Berkeley and its contributors.

Thanks to all the other people who have contributed bits of code too. I apologise for not having room to name all of them. And thanks to those who have written standalone helper applications, for making analog more usable.

For the translations into other languages, many thanks are due to the following: Francesc Rocher, M. Mercè Llauge & Francesc Burrull i Mestres (Catalan), Yang Meng (Chinese), Jan Simek (Czech), Adrian Price (Danish), Ferry van het Groenewoud & Joost Baaij (Dutch), Henrik Huhtinen, Steve Kelly & Andrew Staples (Finnish), Patrice Lafont, Lucien Vieira, Jean-Marc Coursimault & Lionel Delaude (French), Mario Ellebrecht, Martin Kraemer, Holger Schranz & Thomas Jacob (German), Dimitris Xenakis (Greek), Laszlo Nemeth (Hungarian), Gustaf Gustafsson (Icelandic), Furio Ercolessi & Luca Andreucci (Italian), Takayuki Matsuki, Stephen Obenski and Motonobu Takahashi (Japanese), Byungkwan Kim (Korean), Jurijs Turjanskis (Latvian), Ingrid (Lithuanian), Jan-Aage Bruvoll, Espen Bjarnø & Pâl Løberg (Norwegian Bokmâl), Magni Onsøien (Norwegian Nynorsk), Wlodek Lapot, Tomek Wozniak & Marcin Sochacki (Polish), Ivan Martinez (Brazilian Portuguese), Jaime Carvalho e Silva (European Portugese), Alex Mihaila (Romanian), San Sanych Timofeev, Boris Litvinenko & Vyacheslav Nikitich (Russian), Mile Peric (Serbo-Croatian), Stefan Billik (Slovak), Andrej Zizmond (Slovene), Javier Solis, Alexander Velasquez, Alfredo Sola & Martin Perez (Spanish), Björn Malmberg (Swedish), and Nezih Erkman (Turkish).

Finally, thanks to all of you for using the program!


What's new in this version?

This section lists the major new features in each version of analog. There's also another section about how to upgrade from older versions of analog, listing which commands have changed or been abolished, or how the output of this version differs from that of previous versions.
3.32 (01-Sep-99)
Bug fixes, including: New VMS build scripts. Let me know of any compilation problems.
Computer-readable output now reports version of analog used.
Improved some diagnostic messages.
New language Serbo-Croatian; new domains files for Italian and Russian; corrected Polish language files.
New documentation on Analog's reports and Quick reference.
Now uses named anchors throughout the documentation, so that cross-references link to the right part of a page.
3.31 (19-Jun-99)
New command BARSTYLE; you will need to use new images.
Russian language file corrected.
Some bug fixes, including one important one correcting cache file output.
3.3 (19-May-99)
New commands ERRFILE, DNSLOCKFILE, APACHELOGFORMAT and APACHEDEFAULTLOGFORMAT.
Can include the date in the name of the OUTFILE and the CACHEOUTFILE.
Support for WebSite logfiles.
New token %U in log formats for "Unix time" (seconds since 1970).
Won't overwrite old cache files.
Now works properly on SunOS 4.
Fix for occasional crashes on Windows.
Checks language files are not too long.
"Last seven days" data now calculated more accurately and displayed more clearly.
Computer-readable output now reports SORTBY's as well as floors.
Revised Makefile will work with older make's.
Corrected Catalan language files.
Includes form interfaces in French and Japanese.
LOGFORMAT documentation now includes the LOGFORMAT commands for all built-in log formats.
3.2 (04-May-99)
Bug fixes: in particular REFLINKINCLUDE pages now works; and cache files now include all items even if they're not wanted for the main report.
Lines without a particular item now work properly with INCLUDE and EXCLUDE commands. This can cause differences in results from previous versions.
New version of form interface to work round bug in Microsoft Internet Information Server.
New command NOROBOTS.
Backslashes are now coerced to forward slashes in filenames and user names. While not always technically correct, it often is, and it makes them behave correctly in other parts of the program.
User names are now treated as case insensitive. Let me know if this causes a problem on any system.
Computer-readable output style now reports floors.
Rewritten Unix Makefile, and VMS build script. Let me know of any compilation problems.
New languages: Catalan, Icelandic, Japanese, Korean, Latvian, Lithuanian. Corrected Spanish language files and French domains file.
LANGUAGE now selects local domains file automatically, where available.
Removed support for NetPresenz logs. The reasons are in the section on how to upgrade.
Form interface documentation rewritten; FAQ broken into sections; sections on logfiles and log formats separated and rewritten; new section on helper applications; and dozens of other improvements to the documentation.
3.11 (26-Nov-98)
Bug fix version.
Microsoft's attempt at W3 extended format is now understood even if there is a second #Fields: line in the logfile.
There is also a fix for a new Microsoft bug which results in an non-standard common format.
Intermittent crashes under Windows fixed.
Mailing lists announced.
3.1 (17-Oct-98)
Understands Microsoft's attempt at W3 extended format.
Several bugs fixed, including one that caused occasional crashes and one that caused the output to grow and grow.
Form interface works on Windows.
Allows aliases with two or more *'s on left hand side, if right hand side contains no *'s.
Aliases work properly with CASE INSENSITIVE.
Numerical SUBDOMAINs fixed.
Understands more WebSTAR and Netscape tokens.
Accents in domains file work.
LOGFORMAT removed from form interface as security risk.
Several warning messages improved.
Report aliases and in/exclusions shown in settings output.
Character set declared at top of output.
Spanish, Dutch, Norwegian (Bokmål and Nynorsk), Finnish, Turkish, Greek, Polish, Russian & Chinese language files included.
3.0 (15-Jun-98)
Corrected W3 extended format.
Fix for broken strcmp() function on SunOS 5.
Portuguese, Brazilian Portuguese, Danish and Hungarian language files included.
Precompiled executable for OS/2 available.
2.91beta1 (04-Jun-98)
Form interface included.
Uses less memory when compiling reports.
New operating system, BS2000/OSD, and code for EBCDIC character set.
New command DEFAULTLOGFORMAT.
LASTSEVEN and BASEURL reinstated.
More information added to PRINTVARS output.
AppleScript support for Unix-style command lines added to Mac version.
Now works on SunOS 4, and other small bug fixes.
French, German, Swedish, Czech, Slovak, Slovene and Romanian language files included.
One page version of the Readme included in the documentation.
2.90beta4 (09-Apr-98)
Mended DNS cache file reading, which I broke in yesterday's release.
2.90beta3 (08-Apr-98)
Fixed bug that caused a crash while giving warning messages on SunOS; bug that caused configuration files that called other configuration files not to be completed; and other smaller bugs.
Italian language files included.
2.90beta2 (03-Apr-98)
Separate LOGFORMATs for North American and international date formats, when using Microsoft or Netpresenz logs.
Understands the AppleShare IP server's attempt at the WebSTAR format.
Directory report now works properly even if you use the second argument to the LOGFILE command.
Wild cards in filenames work properly on the Mac.
Other small bug fixes.
One speed improvement (I gain about 3%).
Several corrections and clarifications to the documentation.
2.90beta1 (27-Mar-98)
This version is a completely rewritten version. Every single line of code is new. The whole code is shorter despite considerable improvements in functionality. Several people have reported that it is significantly faster. The most important new features are: The following features have been abolished. The following features are not yet present, but will be added by version 3.
What was new in version 2?
What was new in version 1?

Upgrading from earlier versions

This section lists those commands which existed in older versions of analog, but which have been changed or abolished in this version. It also lists reasons why the same input might now produce different output. The new features in this version are listed in the section What's new in this version?.

Upgrading from 3.3 and earlier

Upgrading from 3.2 and earlier

Upgrading from 3.11 and earlier

Upgrading from 3.0, Win32 form interface

Upgrading from 2.90beta1

Upgrading from 2.11 and earlier

Upgrading from 2.0, Win32 users

Upgrading from 1.92 and earlier, Mac users

Upgrading from 1.9beta's

Upgrading from 1.2's and earlier


What was new in version 2?

This section lists the new features which were in version 2 of analog.
What's new in version 3?
2.11 (14-Mar-97)
Minor bug fixes to yesterday's release.
2.1 (13-Mar-97)
Language support rewritten, causing reduction in code size of 2200 lines.
New configuration command LANGFILE.
New Acorn RiscOS version.
Page requests per day reported.
Bug fix: CASE INSENSITIVE could cause %7E-type conversions not to take place.
2.0.2 (04-Mar-97)
DNS lookups and wildcards should now work in the Win32 version.
New configuration command PRINTVARS.
Fix for zero length hostnames after DNS lookups.
Minor corrections in French and Spanish translations.
2.0 (10-Feb-97)
New native Win32 version.
Wildcards allowed in filenames on Mac.
Ignores browser "-".
1.93beta (18-Jan-97)
New commands BROWALIAS, CONFIGFILE and PROGRESSFREQ.
Form program can now call configuration files.
Form program now uses the default choices if none specified.
Domain report prints correctly in preformatted output.
Specifying +1 and +V2 doesn't crash the program.
-v reports dates correctly.
Trailing dots on hostnames removed.
Second argument to LOGFILE command can't be obliterated by /../
1.92beta (08-Oct-96)
DNS lookups added on Mac.
Netpresenz format understood on Mac.
New languages: Spanish, Italian and Danish.
Extra information when debugging turned on.
*.htm are now pages on all machines.
A few small bugs fixed.
1.91beta4 (13-Jul-96)
Cache file now includes page request information.
DNS bug fixed.
New command DNSHASHSIZE.
Bug in browser reports fixed.
1.91beta3 (09-Jul-96)
BSD/OS compilation bug believed fixed.
Fixed HOSTALIAS which I broke yesterday.
DNS bug (causing too many lookups) identified, although not yet fixed.
1.91beta2 (08-Jul-96)
Some bug fixes (including: HOSTEXCLUDE and CASE INSENSITIVE didn't work properly; selecting "no links" failed on the form; less fussy about what can appear on the form).
Mac version no longer includes source code, so is much shorter.
1.91beta1 (05-Jul-96)
Now DNS code doesn't look up a name twice, even if one is a failed request.
1.91beta (05-Jul-96)
Will now output in any of several languages.
Preformatted output introduced.
New File Type Report.
Can limit the number of rows in the time reports.
Number of requests for pages (as opposed to raw requests) now calculated throughout.
DNS lookup returns, with cacheing across runs.
Logfiles can include wildcards.
Wildcards can include multiple *'s.
Can process case insensitive logfiles.
OUTPUTALIAS commands introduced.
New commands to specify exactly what is included, and what linked, in the request report and referrer report.
FILEALIAS a a and FILEALIAS a b; FILEALIAS b c now work.
New ALLOW options to cancel INCLUDES.
REPSEPCHAR and DECPOINT introduced.
DIRSUFFIX introduced.
Debugging reports number of corrupt lines in other logs.
Hash sizes can now be allocated at run time.
stdin can now be used for any input file, but not for two.
Macintosh version now quits automatically if no warnings have been issued.
Form interface made more secure.
"Mozilla (compatible)" separated out in Browser Summary.
Major internal changes should improve speed.
Code for non-Unix platforms integrated into main code.
"Referrer" spelled correctly.
Licence introduced.
Update file introduced.
Readme updated to include non-Unix instructions.
(19-Apr-96)
First Mac version.
1.9beta6
Two bug fixes (number of bytes was incorrectly reported in some cases, and -v would overwrite the OUTFILE).
Documentation improved.
1.9beta5
More bug fixes...
1.9beta4
One important bug fix (I broke GRAPHICAL OFF in 1.9beta3).
New form cgi options: ch, gr and ou=3.
Code shortened.
(05-Mar-96)
First DOS version.
1.9beta3
Mainly bug fixes and improved documentation.
Browser and referer reports now include failed requests.
The WARNINGS option can now be specified on the form.
1.9beta2
Small bug fixes
1.9beta (06-Feb-96)
Lots of changes. The most important new features are
What was new in version 1?

What was new in version 1?

This section lists the new features which were in version 1 of analog.
What's new in version 3?
What was new in version 2?
1.2.6
Minor bug fix; will only affect those with corrupt logfiles.
1.2.5
Minor bug fix for weekly report.
1.2.4
Patch for Spyglass server logfile format.
1.2.3
A couple of bug fixes (wild subdomains sometimes caused crashes).
-v option now gives the version number.
1.2.2
Patch for proxy servers: http:// not translated to http:/
1.2 (11-Nov-95)
Can configure columns in reports to give percentage requests and number of bytes.
Wild subdomains (e.g., *.com).
Nameless subdomains.
Subdomains now listed in alphabetical order.
Proper support for numerical hostnames in HOSTIGNORE, HOSTONLY, SUBDOMAIN and alphabetical sorting.
New BASEURL command allowing statistics to be displayed on other servers.
Output always says how things are sorted.
"Last 7 days" now behaves sensibly with TO.
Filenames containing /../, /./ and // translated.
Header and footer options removed from form (for security reasons).
1.1 (02-Oct-95)
Form interface introduced.
ASCII output now possible as well as HTML.
Output file can now be specified in the configuration file.
FROM and TO commands more powerful.
DEBUG and BACKGROUND introduced.
One bug fix: alphabetical sorting doesn't now swap some hostnames.
List of primes included in distribution.
1.0 (12-Sep-95)
Only minor changes since 0.94beta.
0.94beta (30-Aug-95)
New configuration variables SEPCHAR and REPORTORDER.
New configuration commands WITHARGS and WITHOUTARGS.
New commandline options +-A and +-x. (Config.: ALL and GENERAL).
Logfile entries with - as the return code are now regarded as successes, not corrupt entries.
Fixed bugs in host report when aliases or numerical hosts are present.
Documentation rewritten.
0.93beta (27-Jul-95)
Approximate hostname counting now possible in fixed memory.
New configuration commands ISPAGE and ISNOTPAGE.
New commandline option -v.
New configuration command WEEKBEGINSON.
Proper error message when memory exceeded.
Program split into several files.
0.92beta (11-Jul-95)
New reports introduced: hostname, full daily, and weekly.
FROM and TO commands introduced.
Header and footer files introduced.
More helpful warning messages.
Ability to read configuration instructions from stdin.
Subdomain commands moved from domains file to configuration file.
Makefile provided.
0.91beta (04-Jul-95)
Configuration file introduced, enabling many new options.
Some bug fixes and speed improvements.
Ability to print "top n" reports (rather than "everything higher than n").
Request report can print only pages.
Ability to try and resolve numerical addresses.
Now less fussy about the format of the domains file.
Logo added.
Readme converted to HTML.
0.9beta
More speed improvements, and some bug fixes.
Introduced -u option.
Introduced subdomain analysis.
Included "not modified" replies as successes, not redirects.
First public release at 0.9beta3. (29-Jun-95)
0.89beta (21-Jun-95)
Commandline arguments.
Efficiency improvements.
Host count and "last 7 day" statistics.
0.8beta (14-Jun-95)
Initial program, just default options.

Quick reference

This section is list of all of analog's configuration commands, together with a quick reference to their syntax and some examples. It's designed for those who are already familiar with the program, so it's pretty useless for trying to learn the program: to learn about the commands, read the section on Customising analog instead, or consult the index for a reference. I would welcome feedback on this new section.

This section is divided into the following parts:

Notation

The syntax for each command is given using the following notation.
"stuff"        the word stuff
x y            x followed by y
(x | y)        x or y
[x]            optional x
subset("...")  any letters from the string, in any order
perm("...")    all the letters from the string, in any order
*x             x may contain wildcards * and ? (and often comma-separated list)
x := y         x is defined to be y
COMMAND        the command under discussion
In addition, I use the following names for different types of argument.
char           a single character
string         a string
digit          a digit
number         a non-negative integer (i.e. a string of digits)
real           a non-negative real number
file           a filename within your server's filespace;
                   e.g. /index.html
localfile      a filename within your system's filespace;
                   e.g. /usr/local/analog.html
localfmtfile   as localfile, but may contain date codes;
                   e.g. /usr/local/analog%y%M.html
referrer       a URL of a referring page;
                   e.g. http://search.yahoo.com/
URL            a URL which may be absolute, or relative to the output page;
                   e.g. images/ or /~fred/images/
                      or http://www.fred.com/images/

Note: I have occasionally opted for clarity above strict accuracy where I don't think it will cause any confusion!

The syntax for commands in general was given earlier: remember that an argument which contains a hash or a space must be put in quotes or parentheses.

Input and output files

Syntax
LOGFILE (*localfile | "-" | "none") [prefix_string]
OUTFILE (localfmtfile | "-" | "none")
CACHEFILE (*localfile | "-" | "none")
CACHEOUTFILE (localfmtfile | "-" | "none")
UNCOMPRESS *localfile program
Examples
LOGFILE /httpd/logs/*
LOGFILE c:\logs\log1,c:\logs\log2
OUTFILE "Hard Disk:Report%Y%M.html"
UNCOMPRESS *.gz "/usr/bin/gzip -cd"

LOGFORMAT commands

Syntax
format_string := (see documentation)
Apache_format_string := (see Apache documentation)
logformat := ("COMMON" | "COMBINED" | "REFERRER" | "BROWSER" | "EXTENDED" |
              "MICROSOFT-NA" | "MICROSOFT-INT" | "WEBSITE-NA" | "WEBSITE-INT" |
              "MS-EXTENDED" | "MS-COMMON" | "NETSCAPE" | "WEBSTAR" | "AUTO" |
              format_string)
LOGFORMAT logformat
DEFAULTLOGFORMAT logformat
APACHELOGFORMAT Apache_format_string
APACHEDEFAULTLOGFORMAT Apache_format_string
Notes
LOGFORMAT and APACHELOGFORMAT only affect logfiles occurring later in the same configuration file.
Examples
LOGFORMAT (%S - %u [%d/%M/%Y:%h:%n:%j %j] "%j %r %j" %c %b)
DEFAULTLOGFORMAT MS-EXTENDED
APACHELOGFORMAT (%h %l %u %t \"%r\" %s %b)

ALIAS commands

1. Commands (items)
FILEALIAS, HOSTALIAS, BROWALIAS, REFALIAS, USERALIAS, VHOSTALIAS
Syntax
COMMAND *olditem newitem
Notes
Aliases item in all reports. Items with the same resultant name are combined. newitem may contain one * if olditem contains exactly one *.
Example
FILEALIAS /football/* /soccer/*

2. Commands (reports)
TYPEOUTPUTALIAS, HOSTOUTPUTALIAS, REQOUTPUTALIAS, REDIROUTPUTALIAS, FAILOUTPUTALIAS, DIROUTPUTALIAS, DOMOUTPUTALIAS, REFOUTPUTALIAS, REFSITEOUTPUTALIAS, REDIRREFOUTPUTALIAS, FAILREFOUTPUTALIAS, BROWOUTPUTALIAS, FULLBROWOUTPUTALIAS, VHOSTOUTPUTALIAS, USEROUTPUTALIAS, FAILUSEROUTPUTALIAS
Syntax
COMMAND *item string
Notes
Aliases item on one line of one report only. string may contain one * if item contains exactly one *.
Example
REQOUTPUTALIAS /football/ "/football/ (Main football page)"

3. Other commands: syntax
CASE ("SENSITIVE" | "INSENSITIVE")
DIRSUFFIX suffix
LOGTIMEOFFSET ["+" | "-"] number
TIMEOFFSET ["+" | "-"] number
Examples
CASE SENSITIVE
DIRSUFFIX index.htm
LOGTIMEOFFSET -300

INCLUDE/EXCLUDE commands

1. Commands (items)
FILEINCLUDE, FILEEXCLUDE, HOSTINCLUDE, HOSTEXCLUDE, BROWINCLUDE, BROWEXCLUDE, REFINCLUDE, REFEXCLUDE, USERINCLUDE, USEREXCLUDE, VHOSTINCLUDE, VHOSTEXCLUDE
Syntax
COMMAND (*item | "")
Notes
Excludes all logfile entries containing an excluded item from all reports. Includes and excludes are done after aliases, so the item is the aliased name, if applicable.
Examples
FILEINCLUDE /jim/*
HOSTEXCLUDE proxy*.aol.com
USEREXCLUDE ""

2. Syntax (including and excluding dates)
partdate := ["+" | "-"] digit digit
date := partdate partdate partdate [":" partdate partdate]
FROM date
TO date
Examples
FROM 990719:1200
TO -00-0101

3. Commands (reports)
REQINCLUDE, REQEXCLUDE, REDIRINCLUDE, REDIREXCLUDE, FAILINCLUDE, FAILEXCLUDE, TYPEINCLUDE, TYPEEXCLUDE, DIRINCLUDE, DIREXCLUDE, HOSTREPINCLUDE, HOSTREPEXCLUDE, DOMINCLUDE, DOMEXCLUDE, REFREPINCLUDE, REFREPEXCLUDE, REFSITEINCLUDE, REFSITEEXCLUDE, REDIRREFINCLUDE, REDIRREFEXCLUDE, FAILREFINCLUDE, FAILREFEXCLUDE, BROWSUMINCLUDE, BROWSUMEXCLUDE, FULLBROWINCLUDE, FULLBROWEXCLUDE, VHOSTREPINCLUDE, VHOSTREPEXCLUDE, USERREPINCLUDE, USERREPEXCLUDE, FAILUSERINCLUDE, FAILUSEREXCLUDE
Syntax
COMMAND *item
Notes
Excludes an excluded item from one report only. Only affects the top level of hierarchical reports.
Example
REQINCLUDE pages

4. Syntax (miscellaneous)
PAGEINCLUDE *file
PAGEEXCLUDE *file
ARGSINCLUDE *file
ARGSEXCLUDE *file
REFARGSINCLUDE *referrer
REFARGSEXCLUDE *referrer
Example
PAGEINCLUDE *.asp

DNS commands

Syntax
DNSFILE localfile
DNS ("NONE" | "READ" | "LOOKUP" | "WRITE")
DNSLOCKFILE localfile
DNSGOODHOURS number
DNSBADHOURS number
Examples
DNSFILE dnscache.txt
DNS WRITE
DNSBADHOURS 48

Sub-item commands

Syntax
SUBDIR *file
SUBDOMAIN *subdomain
SUBTYPE *extension
SUBBROW *browser
REFDIR *referrer
Examples
SUBDIR /jim/*/*
SUBTYPE *.gz

LOWMEM commands

Commands
FILELOWMEM, HOSTLOWMEM, BROWLOWMEM, REFLOWMEM, USERLOWMEM, VHOSTLOWMEM
Syntax
COMMAND ("0" | "1" | "2" | "3")
Example
HOSTLOWMEM 3

Report commands

Commands
GENERAL, ALL, MONTHLY, WEEKLY, FULLDAILY, DAILY, FULLHOURLY, HOURLY, QUARTER, FIVE, HOST, DOMAIN, REQUEST, DIRECTORY, FILETYPE, SIZE, REDIR, FAILURE, REFERRER, REFSITE, REDIRREF, FAILREF, FULLBROWSER, BROWSER, VHOST, USER, FAILUSER, STATUS
Syntax
REPORTCOMMAND ("ON" | "OFF")
Examples
ALL OFF
FULLHOURLY ON

GRAPH commands

Commands
ALLGRAPH, MONTHGRAPH, WEEKGRAPH, DAYGRAPH, FULLDAYGRAPH, HOURGRAPH, FULLHOURGRAPH, QUARTERGRAPH, FIVEGRAPH
Syntax
COMMAND ("R" | "r" | "P" | "p" | "B" | "b")
Example
ALLGRAPH B

BACK commands

Commands
ALLBACK, MONTHBACK, WEEKBACK, FULLDAYBACK, FULLHOURBACK, QUARTERBACK, FIVEBACK
Syntax
COMMAND ("ON" | "OFF")
Example
ALLBACK ON

ROWS commands

Commands
MONTHROWS, WEEKROWS, FULLDAYROWS, FULLHOURROWS, QUARTERROWS, FIVEROWS
Syntax
COMMAND number
Example
QUARTERROWS 192

COLS commands

1. Commands (time reports)
TIMECOLS, MONTHCOLS, WEEKCOLS, DAYCOLS, FULLDAYCOLS, HOURCOLS, FULLHOURCOLS, QUARTERCOLS, FIVECOLS
Syntax
cols1 := subset("RrPpBb")
COMMAND cols1
Example
MONTHCOLS bRP

2. Commands (most success reports)
HOSTCOLS, DOMCOLS, DIRCOLS, SIZECOLS, REFCOLS, REFSITECOLS, FULLBROWCOLS, BROWCOLS, VHOSTCOLS, USERCOLS
Syntax
cols2 := subset("DRrPpBb")
COMMAND cols2
Example
USERCOLS BD

3. Commands (Request and File Type Reports)
REQCOLS, TYPECOLS
Syntax
cols3 := subset("DRrpBb")
COMMAND cols3
Example
TYPECOLS Rb

4. Commands (failure, redirection and Status Code reports)
REDIRCOLS, FAILCOLS, REDIRREFCOLS, FAILREFCOLS, FAILUSERCOLS, STATUSCOLS
Syntax
cols4 := subset("DRr")
COMMAND cols4
Example
FAILCOLS D

SORTBY commands

1. Commands (most success reports)
HOSTSORTBY, DOMSORTBY, DIRSORTBY, REFSORTBY, REFSITESORTBY, FULLBROWSORTBY, BROWSORTBY, VHOSTSORTBY, USERSORTBY, SUBDIRSORTBY, SUBDOMSORTBY, SUBBROWSORTBY, REFDIRSORTBY, REFARGSSORTBY
Syntax
sortby1 := ("REQUESTS" | "PAGES" | "BYTES" | "DATE" | "ALPHABETICAL" | "RANDOM")
COMMAND sortby1
Example
DOMSORTBY ALPHABETICAL

2. Commands (Request and File Type Reports)
REQSORTBY, TYPESORTBY, REQARGSSORTBY, SUBTYPESORTBY
Syntax
sortby2 := ("REQUESTS" | "BYTES" | "DATE" | "ALPHABETICAL" | "RANDOM")
COMMAND sortby2
Example
REQSORTBY REQUESTS

3. Commands (failure, redirection and Status Code reports)
REDIRSORTBY, FAILSORTBY, REDIRREFSORTBY, FAILREFSORTBY, FAILUSERSORTBY, STATUSSORTBY, REDIRARGSSORTBY, FAILARGSSORTBY, REDIRREFARGSSORTBY, FAILREFARGSSORTBY
Syntax
sortby3 := ("REQUESTS" | "DATE" | "ALPHABETICAL" | "RANDOM")
COMMAND sortby3
Example
FAILSORTBY DATE

FLOOR commands

Commands (top-level)
HOSTFLOOR, DOMFLOOR, REQFLOOR, DIRFLOOR, TYPEFLOOR, REDIRFLOOR, FAILFLOOR, REFFLOOR, REFSITEFLOOR, REDIRREFFLOOR, FAILREFFLOOR, FULLBROWFLOOR, BROWFLOOR, VHOSTFLOOR, USERFLOOR, FAILUSERFLOOR, STATUSFLOOR
Commands (lower levels)
REQARGSFLOOR, REDIRARGSFLOOR, FAILARGSFLOOR, REFARGSFLOOR, REDIRREFARGSFLOOR, FAILREFARGSFLOOR, SUBDIRFLOOR, SUBDOMFLOOR, SUBTYPEFLOOR, SUBBROWFLOOR, REFDIRFLOOR
Syntax
partdate := ["+" | "-"] digit digit
date := partdate partdate partdate [":" partdate partdate]
COMMAND number ("r" | "p")
COMMAND number ["k" | "M" | "G" | "T"] "b"
COMMAND real ("%" | ":") ("r" | "p" | "b")
COMMAND date "d"
COMMAND "-" number ("r" | "p" | "b" | "d")
Notes
Actually, this syntax isn't quite correct. REQARGSFLOOR, TYPEFLOOR, REQARGSFLOOR and SUBTYPEFLOOR aren't allowed to be of type "p"; and REDIRFLOOR, FAILFLOOR, REDIRREFFLOOR, FAILREFFLOOR, FAILUSERFLOOR, STATUSFLOOR, REDIRARGSFLOOR, FAILARGSFLOOR, REDIRREFARGSFLOOR and FAILREFARGSFLOOR aren't allowed to be of types "p" or "b".
Examples
TYPEFLOOR -20r
REQARGSFLOOR 0.1%b

Hyperlinks

Syntax
LINKINCLUDE *file
LINKEXCLUDE *file
REFLINKINCLUDE *referrer
REFLINKEXCLUDE *referrer
BASEURL prefix_string
Examples
LINKINCLUDE pages
REFLINKINCLUDE *.cgi
BASEURL http://www.mycompany.com

Language commands

Syntax
LANGUAGE ("CATALAN" | "CHINESE" | "CZECH" | "DANISH" | "DUTCH" | "ENGLISH" |
          "US-ENGLISH" | "FINNISH" | "FRENCH" | "GERMAN" | "GREEK" |
          "HUNGARIAN" | "ICELANDIC" | "ITALIAN" | "JAPANESE" | "KOREAN" |
          "LATVIAN" | "LITHUANIAN" | "NORWEGIAN" | "NYNORSK" | "POLISH" |
          "PORTUGUESE" | "BR-PORTUGUESE" | "ROMANIAN" | "RUSSIAN" |
          "SERBOCROATIAN" | "SLOVAK" | "SLOVENE" | "SPANISH" | "SWEDISH" |
          "TURKISH")
LANGFILE localfile
DOMAINSFILE localfile
Examples
LANGUAGE ITALIAN
LANGFILE lang/hindi.lng

Cosmetic commands

Syntax

OUTPUT ("HTML" | "ASCII" | "COMPUTER" | "NONE")
GOTOS ("ON" | "OFF")
LASTSEVEN ("ON" | "OFF")
REPORTORDER perm("xcmdDhH45WriSoEItzsfKkuJvbB")
IMAGEDIR URL
NOROBOTS ("ON" | "OFF")
LOGO (URL | "none")
HOSTNAME string
HOSTURL URL
HEADERFILE (localfile | "none")
FOOTERFILE (localfile | "none")
SEPCHAR (char | "none")
REPSEPCHAR (char | "none")
DECPOINT char
COMPSEP string
RAWBYTES ("ON" | "OFF")
PAGEWIDTH number
BARSTYLE ("a" | "b" | "c" | "d" | "e" | "f" | "g" | "h")
MARKCHAR char
MINGRAPHWIDTH number
WEEKBEGINSON ("SUNDAY" | "MONDAY" | "TUESDAY" | "WEDNESDAY" | "THURSDAY" | "FRIDAY" | "SATURDAY")
Examples
Too many to list. See the documentation on each individual command.

Diagnostics

Syntax
DEBUG ("ON" | "OFF" | ["+" | "-"] subset("CDFSU"))
WARNINGS ("ON" | "OFF" | ["+" | "-"] subset("CDEFLMR"))
PROGRESSFREQ number
ERRFILE localfile
Examples
DEBUG ON
DEBUG CF
WARNINGS -DL
PROGRESSFREQ 50000

Index

[ A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z ]

This is the index for this Readme. Follow the numbers after each name to find references to that command or concept. Note that families of commands are indexed under the second part of the name: for example, HOSTEXCLUDE is under *EXCLUDE, not under HOST.

This index includes all of analog's configuration commands: if a command you used in previous versions is not here, see the section on Upgrading from earlier versions. All commands are also listed in the Quick reference with their syntax and examples, and that section is not cross-referenced from this index.

Acknowledgements [1]
Addresses, numerical [1]
*ALIAS [1]
Aliases [1]
ALLBACK [1]
ALLGRAPH [1]
analhead.h [1][2]
analog.cfg [1][2][3][4][5]
Announcements [1]
APACHEDEFAULTLOGFORMAT [1]
APACHELOGFORMAT [1]
ARGSEXCLUDE [1]
*ARGSFLOOR [1]
ARGSINCLUDE [1]
*ARGSSORTBY [1]
*BACK [1]
Bar charts [1]
BARSTYLE [1]
BASEURL [1]
Basic commands [1]
Broken pipe [1][2]
BROW* commands - see under second part of name
BROWSER [1]
Browser Report [1][2][3][4]
Browser Summary [1][2][3]
BROWSUM* commands - see under second part of name
Bugs, reporting [1]
Bytes, how displayed [1]
Cache files [1]
CACHEOUTFILE [1]
CACHEFILE [1]
CASE [1]
CGI program [1]
"Click-thru"s [1]
Colours [1]
*COLS [1][2]
Command line arguments [1][2][3][4]


Compilation problems [1]
Compiling [1]
Compressed logfiles [1]
COMPSEP [1]
Computer-readable output style [1]
CONFIGFILE [1]
Configuration files [1][2][3][4][5]
Configuration file, default [1]
Configuration file, mandatory [1]
Contents [1]
Contributors [1]
Cookies [1]
Corrupt logfile lines, definition [1]
Countries [1]
Crashes [1]
Customising analog [1]
DAILY [1]
Daily Report [1][2][3]
Daily Summary [1][2][3]
Date reports [1][2]
Dates, restricting [1]
DAY* commands - see under second part of name
Debugging [1]
DECPOINT [1]
Default configuration file [1]
Default logfile format [1]
DEFAULTLOGFORMAT [1]
Definitions [1]
DIR* commands - see under second part of name
DIRECTORY [1]
Directory Report [1][2][3][4]
DIRSUFFIX [1]
DNS [1]
DNS lookups [1]
DNSBADHOURS [1]
DNSFILE [1]
DNSGOODHOURS [1]
DNSLOCKFILE [1]
DOM* commands - see under second part of name
DOMAIN [1]
Domain Report [1][2][3][4][5]
Domains file [1]
DOMAINSFILE [1]
ERRFILE [1]
error_log [1][2]
Error Report [1]
Errors [1]
Example reports [1]
Examples of each command [1]
*EXCLUDE [1]
Exclusions [1]
FAIL* commands - see under second part of name
Failed Referrer Report [1][2][3][4]
Failed requests, definition [1]
Failed User Report [1][2][3]
FAILREF [1]
FAILREF* commands - see under second part of name
FAILURE [1]
Failure Report [1][2][3][4]
FAILUSER [1]
FAILUSER* commands - see under second part of name
FAQ [1]
Fatal errors [1]
FILE* commands - see under second part of name
File, definition [1]
File Size Report [1][2][3]
File Type Report [1][2][3][4]
FILETYPE [1]
Filters [1]
First day of week [1]
FIVE [1]
FIVE* commands - see under second part of name
Five-Minute Report [1][2][3]
*FLOOR [1][2][3]
FOOTERFILE [1]
Form interface [1]
Frequently Asked Questions [1]
FROM [1]
FULLBROW* commands - see under second part of name
FULLBROWSER [1]
FULLDAILY [1]
FULLDAY* commands - see under second part of name
FULLHOUR* commands - see under second part of name
FULLHOURLY [1]
GENERAL [1]
General Summary [1][2]
GOTOS [1]
*GRAPH [1]
Graphs [1]
HEADERFILE [1]
Helper applications [1]
Hierarchical reports [1]
Hits [1]
Home page [1]
HOST [1]
HOST* commands - see under second part of name
Host, definition [1]
Host Report [1][2][3]
HOSTNAME [1]
Hostnames, numerical [1]
HOSTREP* commands - see under second part of name
HOSTURL [1]
HOUR* commands - see under second part of name
HOURLY [1]
Hourly Report [1][2][3]
Hourly Summary [1][2][3]
IMAGEDIR [1]
*INCLUDE [1]
Inclusions and exclusions [1]
Introduction [1]
IP addresses [1]
LANGFILE [1]
LANGUAGE [1]
Languages [1][2]
LASTSEVEN [1]
Licence [1][2]
LINKEXCLUDE [1]
LINKINCLUDE [1]
LOGFILE [1]
Logfile formats [1][2]
Logfile prefix [1]
Logfiles [1]
Logfiles, choosing [1]
Logfiles, compressed [1]
Logfiles, finding [1]
LOGFORMAT [1]
LOGO [1]
LOGTIMEOFFSET [1]
Low memory [1]
*LOWMEM [1][2]
Mailing lists [1]
Makefile [1]
Mandatory configuration file [1]
Map [1]
MARKCHAR [1]
Meaning of reports [1]
Memory, using less [1]
MINGRAPHWIDTH [1]
MONTH* commands - see under second part of name
MONTHLY [1]
Monthly Report [1][2][3]
Non-time reports [1][2]
NOROBOTS [1]
Numerical addresses [1]
Numerical hostnames [1]
OUTFILE [1]
OUTPUT [1]
Output aliases [1]
OUTPUT COMPUTER [1][2]
Output, configuring [1]
Output style, computer readable [1]
Output styles [1]
*OUTPUTALIAS [1]
Page, definition [1]
PAGEEXCLUDE [1]
PAGEINCLUDE [1]
Pages, defining [1]
PAGEWIDTH [1]
Path through site [1]
PRINTVARS [1][1]
PROGRESSFREQ [1]
QUARTER [1]
QUARTER* commands - see under second part of name
Quarter-Hour Report [1][2][3]
Quick reference [1]
RAWBYTES [1]
REDIR [1]
REDIR* commands - see under second part of name
Redirected Referrer Report [1][2][3][4]
Redirected requests, definition [1]
Redirection Report [1][2][3][4]
REDIRREF [1]
REDIRREF* commands - see under second part of name
REF* commands - see under second part of name
REFARGSEXCLUDE [1]
REFARGSINCLUDE [1]
REFDIR [1]
Reference, quick [1]
REFERRER [1]
Referrer, definition [1]
Referrer Report [1][2][3][4]
Referring Site Report [1][2][3][4]
REFLINKEXCLUDE [1]
REFLINKINCLUDE [1]
REFREP* commands - see under second part of name
REFSITE [1]
REFSITE* commands - see under second part of name
Report.html [1][2][3]
Reporting bugs [1]
REPORTORDER [1]
Reports, list of [1][2]
REPSEPCHAR [1]
REQ* commands - see under second part of name
REQUEST [1]
Request Report [1][2][3][4]
Requests, definition [1]
Requests for pages, defining [1]
Requests for pages, definition [1]
Requests, types of [1]
Robots, discouraging [1]
*ROWS [1]
Sample reports [1]
Search engines, discouraging [1]
SEPCHAR [1]
SIZE [1]
SIZE* commands - see under second part of name
*SORTBY [1][2][3]
Source code [1]
Spiders, discouraging [1]
Starting to use analog [1]
Starting to use analog on a Mac [1]
Starting to use analog on OS/2 [1]
Starting to use analog on Windows [1]
Starting to use analog on other platforms [1]
STATUS [1]
Status Code Report [1][2][3]
STATUS* commands - see under second part of name
SUBBROW [1]
SUBDIR [1]
Subdirectories [1]
SUBDOMAIN [1]
Subdomains [1]
SUB*FLOOR [1]
SUB*SORTBY [1]
SUBTYPE [1]
Successful requests, definition [1]
Syntax [1][2]
Time reports [1][2]
TIMECOLS [1]
TIMEOFFSET [1]
Times, restricting [1]
Title line [1][2]
TO [1]
Total requests, definition [1]
Translators [1]
Tree reports [1]
TYPE* commands - see under second part of name
UNCOMPRESS [1]
Unresolved numerical addresses [1]
Unwanted logfile entries, definition [1]
Upgrading from earlier versions [1]
USER [1]
USER* commands - see under second part of name
User Report [1][2][3]
USERREP* commands - see under second part of name
VHOST [1]
VHOST* commands - see under second part of name
VHOSTREP* commands - see under second part of name
Virtual domains/virtual hosts [1][2]
Virtual Host Report [1][2][3]
Visitors [1]
Visits [1]
WARNINGS [1]
Warnings [1][2]
WEEK* commands - see under second part of name
WEEKBEGINSON [1]
WEEKLY [1]
Weekly Report [1][2][3]
What was new? [1][2]
What's new? [1][2]
Year 2000 compatibility [1]

[ A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z ]


Stephen Turner
Personal e-mail: analog-author@lists.isite.net
Need help with analog? Subscribe to the analog-help mailing list