diff --git a/UDL-samples/Microsoft_Log_Parser_Dark_Mode.pql b/UDL-samples/Microsoft_Log_Parser_Dark_Mode.pql
new file mode 100644
index 0000000..d0842dd
--- /dev/null
+++ b/UDL-samples/Microsoft_Log_Parser_Dark_Mode.pql
@@ -0,0 +1,14 @@
+/* Example 01 - Find Remote Desktop Logons */
+LogParser.exe "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 5, '|') AS UserName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType FROM 'events.evtx' WHERE EventID = 4624 AND LogonType = '10' ORDER BY TimeGenerated DESC" -i:EVT -o:DATAGRID
+
+/* Example 02 - Parse the IIS log C:\inetpub\logs\LogFiles\ABC\u_exXYZ.log and place the results in C:\Temp\inetsv1.log. */
+LogParser.exe "SELECT c-ip, cs-username, TO_DATE(TO_LOCALTIME(TO_TIMESTAMP(date, time))), TO_TIME(TO_LOCALTIME(TO_TIMESTAMP(date, time))), s-sitename, s-computername, s-ip, time-taken, sc-bytes, cs-bytes, sc-status, sc-win32-status, cs-method, cs-uri-stem, cs-uri-query INTO 'C:\Temp\inetsv1.log' FROM 'C:\inetpub\logs\LogFiles\ABC\u_exXYZ.log'" -i:IISW3C -o:IIS
+
+/* Example 03 - Report the Path, Name, Size, and Attributes of files in the C:\Temp folder and store them in the C:\Temp\Files.tsv file */
+LogParser.exe "SELECT Path, Name, Size, Attributes INTO 'C:\Temp\Files.tsv' FROM 'C:\Temp\*.*'" -i:FS -o:TSV -recurse:0
+
+/* Example 04 - Find the SUM of all executables under C:\windows\system32\*.* */
+LogParser.exe "SELECT SUM(Size) FROM 'C:\windows\system32\*.*' WHERE TO_LOWERCASE(EXTRACT_EXTENSION(Name)) = 'exe'" -i:FS -recurse:0 -o:DATAGRID
+
+/* Example 05 - Report all 4624 logon events and store them in the C:\Temp\Report.xml file. */
+LogParser.exe "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO 'C:\Temp\Report.xml' FROM Security WHERE EventID IN (4624)" -i:EVT -o:XML
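Review bot: Example 05 on the last line of the hunk extracts token 0 of `Strings` as `Account`, while Example 01 on the second line extracts token 5 as `UserName` for the same EventID 4624; on current Windows builds the 4624 message strings start with the subject SID, so a report labelled "logon events" would list the subject SID rather than the logged-on account. Either align it with Example 01, `EXTRACT_TOKEN(Strings, 5, '|') AS Account` (or add `-resolveSIDs:ON` if the SID is really what is wanted), or say in the comment which field is intended. Since these samples are copy-paste targets, the comment should also note that `FROM Security` reads the live Security log and needs Administrators or Event Log Readers membership, and that the report containing account names is written under `C:\Temp`, a location that is typically not access-restricted.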
diff --git a/UDL-samples/Microsoft_Log_Parser_Light_Mode.pql b/UDL-samples/Microsoft_Log_Parser_Light_Mode.pql
new file mode 100644
index 0000000..d0842dd
--- /dev/null
+++ b/UDL-samples/Microsoft_Log_Parser_Light_Mode.pql
@@ -0,0 +1,14 @@
+/* Example 01 - Find Remote Desktop Logons */
+LogParser.exe "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 5, '|') AS UserName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType FROM 'events.evtx' WHERE EventID = 4624 AND LogonType = '10' ORDER BY TimeGenerated DESC" -i:EVT -o:DATAGRID
+
+/* Example 02 - Parse the IIS log C:\inetpub\logs\LogFiles\ABC\u_exXYZ.log and place the results in C:\Temp\inetsv1.log. */
+LogParser.exe "SELECT c-ip, cs-username, TO_DATE(TO_LOCALTIME(TO_TIMESTAMP(date, time))), TO_TIME(TO_LOCALTIME(TO_TIMESTAMP(date, time))), s-sitename, s-computername, s-ip, time-taken, sc-bytes, cs-bytes, sc-status, sc-win32-status, cs-method, cs-uri-stem, cs-uri-query INTO 'C:\Temp\inetsv1.log' FROM 'C:\inetpub\logs\LogFiles\ABC\u_exXYZ.log'" -i:IISW3C -o:IIS
+
+/* Example 03 - Report the Path, Name, Size, and Attributes of files in the C:\Temp folder and store them in the C:\Temp\Files.tsv file */
+LogParser.exe "SELECT Path, Name, Size, Attributes INTO 'C:\Temp\Files.tsv' FROM 'C:\Temp\*.*'" -i:FS -o:TSV -recurse:0
+
+/* Example 04 - Find the SUM of all executables under C:\windows\system32\*.* */
+LogParser.exe "SELECT SUM(Size) FROM 'C:\windows\system32\*.*' WHERE TO_LOWERCASE(EXTRACT_EXTENSION(Name)) = 'exe'" -i:FS -recurse:0 -o:DATAGRID
+
+/* Example 05 - Report all 4624 logon events and store them in the C:\Temp\Report.xml file. */
+LogParser.exe "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO 'C:\Temp\Report.xml' FROM Security WHERE EventID IN (4624)" -i:EVT -o:XML
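Review bot: This Light Mode sample is byte-identical to the Dark Mode one (both carry blob `d0842dd`), so it inherits the same inconsistency: Example 05 on the last line takes token 0 of `Strings` as `Account`, whereas Example 01 earlier in the hunk takes token 5 as `UserName` for the same EventID 4624, and token 0 of a 4624 record is the subject SID on current Windows builds. Changing it to `EXTRACT_TOKEN(Strings, 5, '|') AS Account` in both files, or documenting the intended field, keeps the two examples from contradicting each other. A one-line caveat that `FROM Security` requires Administrators or Event Log Readers rights, and that the resulting account list lands under `C:\Temp`, would also help anyone running these as-is.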
diff --git a/UDLs/Microsoft_Log_Parser_Dark_Mode.xml b/UDLs/Microsoft_Log_Parser_Dark_Mode.xml
new file mode 100644
index 0000000..1c4ab55
--- /dev/null
+++ b/UDLs/Microsoft_Log_Parser_Dark_Mode.xml
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+
+ 00-- 01 02 03/* 04*/
+
+
+
+
+
+
+
+ ! % ( ) * + , / : ; < = > ? [ ] ^ { } "
+ != <= <> == >=
+
+
+
+
+
+
+
+
+
+ Ack Attributes BytesReceived BytesRecvd BytesSent CaptureFilename ClientAddress ClientHost ClientIP ClientIpAddress Comment Comments CompanyName ComputerName Connection ConnectionId Cookie CreationTime Data Date DateCreated DateLastAccessed DateLastModified DateTime DstIP DstMAC DstPayload DstPayloadBytes DstPort EndFrame EtherType EventCategory EventCategoryName EventID EventLog EventName EventNumber EventTimestamp EventType EventTypeName Extension FileDescription FileVersion Filename Frame FrameBytes FrameData FrameLength FrameNumber Frames FullPath Host HostName HttpStatus HttpSubStatus IPVersion Index InternalName KeyName LastAccessTime LastWriteTime LegalCopyright LegalTrademarks LogFilename LogRow LogTime Machine Message Method Mode Name ObjectClass ObjectGUID ObjectName ObjectPath Operation OriginalFilename Owner Parameters Path Payload PayloadBytes PrivateBuild ProcessId ProcessingTime ProductName ProductVersion PropertyName PropertyType PropertyValue Protocol ProtocolStatus ProtocolVersion ProviderName RecordNumber Referer RemoteHostName RemoteLogName Request RequestType RowNumber SID STDIN STDOUT Seq ServerAddress ServerIP ServerIpAddress ServerPort Service ServiceInstance ServiceStatus ShortName ShortPath SiteID SiteInstance Size SourceName SpecialBuild SrcIP SrcMAC SrcPayload SrcPayloadBytes SrcPort StartFrame StatusCode Strings SubStatus TCPFlags TTL Target Text Time TimeGenerated TimeTaken TimeWritten Type UriQuery UriStem Url User User-Agent UserData UserIP UserName Value ValueData ValueName ValueType Verb Win32Status Win32StatusCode WindowSize WindowsStatus X-Forwarded-For c-ProtocolVersion c-ip c-port cs cs-FTPDetailed cs-User-Agent cs-bytes cs-cookie cs-host cs-method cs-protocol cs-protocol-version cs-referer cs-uri cs-uri-query cs-uri-stem cs-username cs-version distinguishedName memberOf s-active-procs s-computername s-event s-ip s-kernel-time s-page-faults s-port s-process-type s-queuename s-reason s-siteid s-sitename s-stopped-procs 
s-total-procs s-user-time sAMAccountName sc-FTPCommand sc-bytes sc-cache-control sc-content-type sc-header sc-status sc-substatus sc-win32-status time-taken title userPrincipalName whenChanged whenCreated win32-status
+ "WITH ROLLUP" ADD AVG BIT_AND BIT_NOT BIT_OR BIT_SHL BIT_SHR BIT_XOR CASE COALESCE COMPUTER_NAME COUNT DIV EXP EXP10 EXTRACT_EXTENSION EXTRACT_FILENAME EXTRACT_PATH EXTRACT_PREFIX EXTRACT_SUFFIX EXTRACT_TOKEN EXTRACT_VALUE FLOOR GROUPING HASHMD5_FILE HASHSEQ HEX_TO_ASC HEX_TO_HEX16 HEX_TO_HEX32 HEX_TO_HEX8 HEX_TO_INT HEX_TO_PRINT INDEX_OF INT_TO_IPV4 IN_ROW_NUMBER IPV4_TO_INT LAST_INDEX_OF LOG LOG10 LTRIM MAX MIN MOD MUL OUT_ROW_NUMBER PROPCOUNT PROPSUM QNTFLOOR_TO_DIGIT QNTROUND_TO_DIGIT QUANTIZE REPLACE_CHR REPLACE_IF_NOT_NULL REPLACE_IF_NULL REPLACE_STR RESOLVE_SID REVERSEDNS ROLLUP ROT13 ROUND RTRIM SEQUENCE SQR SQRROOT STRCAT STRCNT STRLEN STRREPEAT STRREV SUB SUBSTR SUM SYSTEM_DATE SYSTEM_TIME SYSTEM_TIMESTAMP SYSTEM_UTCOFFSET TIMESTAMP TO_DATE TO_HEX TO_INT TO_LOCALTIME TO_LOWERCASE TO_REAL TO_STRING TO_TIME TO_TIMESTAMP TO_UPPERCASE TO_UTCTIME TRIM URLESCAPE URLUNESCAPE WIN32_ERROR_DESCRIPTION
+ "GROUP BY" "IS NOT NULL" "IS NULL" "ORDER BY" ALL AND ANY AS ASC BETWEEN BY DESC DISTINCT ELSE END FALSE FROM HAVING IN INTO JOIN LIKE NOT NULL ON OR SELECT THEN TOP TRUE USING WHEN WHERE
+ ADS BIN CHART COM CSV DATAGRID ETW EVT FS HTTPERR IIS IISODBC IISW3C NAT NCSA NETMON REG SQL SYSLOG TEXTLINE TEXTWORD TPL TSV URLSCAN W3C XML
+ -autoScroll -binaryFormat -c -categories -chartTitle -chartType -clearTable -colSep -comment -compact -compactModeSep -conf -config -consolidateLogs -createTable -dQuotes -database -dirTime -direct -direction -discardOversized -driver -dsn -dtEventsLive -dtEventsLog -dtLines -dtNodes -e -encodeDelim -expandEnums -fMode -fNames -facility -fieldName -file -fileMode -fileType -fixColNames -fixedFields -fixedSep -flushPeriod -formatMsg -fullEventCode -fullText -groupSize -h -headerRow -headers -hostName -i -iCOMParams -iCOMServer -iCheckpoint -iCodepage -iDQuotes -iHeaderFile -iProgID -iSeparator -iTsFormat -ignoreDSErrors -ignoreDspchErrs -ignoreEventTrace -ignoreIdCols -ignoreLostEvents -ignoreMinWarns -iw -legend -lineFilter -locale -maxCategoryLabels -maxPacketSize -maxStrFieldLen -minDateMod -msgErrorMode -multiSZSep -multiValuedSep -nFields -nSep -nSkipLines -noEmptyField -noEmptyFile -o -oCodepage -oConnString -oDQuotes -oDirTime -oSeparator -oTsFormat -objClass -parseBinary -password -processName -protocol -providers -q -queryInfo -rAlign -recurse -resolveSIDs -restoreDefaults -rootName -rootXPath -rowName -rtp -saveDefaults -schemaServer -schemaType -separator -server -severity -sourcePort -spaceCol -standAlone -stats -stringsSep -structure -tabs -tpl -tplFooter -tplHeader -transactionRowCount -username -values -view file
+
+
+
+ 00' 01 02' 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/UDLs/Microsoft_Log_Parser_Light_Mode.xml b/UDLs/Microsoft_Log_Parser_Light_Mode.xml
new file mode 100644
index 0000000..f1a394d
--- /dev/null
+++ b/UDLs/Microsoft_Log_Parser_Light_Mode.xml
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+
+ 00-- 01 02 03/* 04*/
+
+
+
+
+
+
+
+ ! % ( ) * + , / : ; < = > ? [ ] ^ { } "
+ != <= <> == >=
+
+
+
+
+
+
+
+
+
+ Ack Attributes BytesReceived BytesRecvd BytesSent CaptureFilename ClientAddress ClientHost ClientIP ClientIpAddress Comment Comments CompanyName ComputerName Connection ConnectionId Cookie CreationTime Data Date DateCreated DateLastAccessed DateLastModified DateTime DstIP DstMAC DstPayload DstPayloadBytes DstPort EndFrame EtherType EventCategory EventCategoryName EventID EventLog EventName EventNumber EventTimestamp EventType EventTypeName Extension FileDescription FileVersion Filename Frame FrameBytes FrameData FrameLength FrameNumber Frames FullPath Host HostName HttpStatus HttpSubStatus IPVersion Index InternalName KeyName LastAccessTime LastWriteTime LegalCopyright LegalTrademarks LogFilename LogRow LogTime Machine Message Method Mode Name ObjectClass ObjectGUID ObjectName ObjectPath Operation OriginalFilename Owner Parameters Path Payload PayloadBytes PrivateBuild ProcessId ProcessingTime ProductName ProductVersion PropertyName PropertyType PropertyValue Protocol ProtocolStatus ProtocolVersion ProviderName RecordNumber Referer RemoteHostName RemoteLogName Request RequestType RowNumber SID STDIN STDOUT Seq ServerAddress ServerIP ServerIpAddress ServerPort Service ServiceInstance ServiceStatus ShortName ShortPath SiteID SiteInstance Size SourceName SpecialBuild SrcIP SrcMAC SrcPayload SrcPayloadBytes SrcPort StartFrame StatusCode Strings SubStatus TCPFlags TTL Target Text Time TimeGenerated TimeTaken TimeWritten Type UriQuery UriStem Url User User-Agent UserData UserIP UserName Value ValueData ValueName ValueType Verb Win32Status Win32StatusCode WindowSize WindowsStatus X-Forwarded-For c-ProtocolVersion c-ip c-port cs cs-FTPDetailed cs-User-Agent cs-bytes cs-cookie cs-host cs-method cs-protocol cs-protocol-version cs-referer cs-uri cs-uri-query cs-uri-stem cs-username cs-version distinguishedName memberOf s-active-procs s-computername s-event s-ip s-kernel-time s-page-faults s-port s-process-type s-queuename s-reason s-siteid s-sitename s-stopped-procs 
s-total-procs s-user-time sAMAccountName sc-FTPCommand sc-bytes sc-cache-control sc-content-type sc-header sc-status sc-substatus sc-win32-status time-taken title userPrincipalName whenChanged whenCreated win32-status
+ "WITH ROLLUP" ADD AVG BIT_AND BIT_NOT BIT_OR BIT_SHL BIT_SHR BIT_XOR CASE COALESCE COMPUTER_NAME COUNT DIV EXP EXP10 EXTRACT_EXTENSION EXTRACT_FILENAME EXTRACT_PATH EXTRACT_PREFIX EXTRACT_SUFFIX EXTRACT_TOKEN EXTRACT_VALUE FLOOR GROUPING HASHMD5_FILE HASHSEQ HEX_TO_ASC HEX_TO_HEX16 HEX_TO_HEX32 HEX_TO_HEX8 HEX_TO_INT HEX_TO_PRINT INDEX_OF INT_TO_IPV4 IN_ROW_NUMBER IPV4_TO_INT LAST_INDEX_OF LOG LOG10 LTRIM MAX MIN MOD MUL OUT_ROW_NUMBER PROPCOUNT PROPSUM QNTFLOOR_TO_DIGIT QNTROUND_TO_DIGIT QUANTIZE REPLACE_CHR REPLACE_IF_NOT_NULL REPLACE_IF_NULL REPLACE_STR RESOLVE_SID REVERSEDNS ROLLUP ROT13 ROUND RTRIM SEQUENCE SQR SQRROOT STRCAT STRCNT STRLEN STRREPEAT STRREV SUB SUBSTR SUM SYSTEM_DATE SYSTEM_TIME SYSTEM_TIMESTAMP SYSTEM_UTCOFFSET TIMESTAMP TO_DATE TO_HEX TO_INT TO_LOCALTIME TO_LOWERCASE TO_REAL TO_STRING TO_TIME TO_TIMESTAMP TO_UPPERCASE TO_UTCTIME TRIM URLESCAPE URLUNESCAPE WIN32_ERROR_DESCRIPTION
+ "GROUP BY" "IS NOT NULL" "IS NULL" "ORDER BY" ALL AND ANY AS ASC BETWEEN BY DESC DISTINCT ELSE END FALSE FROM HAVING IN INTO JOIN LIKE NOT NULL ON OR SELECT THEN TOP TRUE USING WHEN WHERE
+ ADS BIN CHART COM CSV DATAGRID ETW EVT FS HTTPERR IIS IISODBC IISW3C NAT NCSA NETMON REG SQL SYSLOG TEXTLINE TEXTWORD TPL TSV URLSCAN W3C XML
+ -autoScroll -binaryFormat -c -categories -chartTitle -chartType -clearTable -colSep -comment -compact -compactModeSep -conf -config -consolidateLogs -createTable -dQuotes -database -dirTime -direct -direction -discardOversized -driver -dsn -dtEventsLive -dtEventsLog -dtLines -dtNodes -e -encodeDelim -expandEnums -fMode -fNames -facility -fieldName -file -fileMode -fileType -fixColNames -fixedFields -fixedSep -flushPeriod -formatMsg -fullEventCode -fullText -groupSize -h -headerRow -headers -hostName -i -iCOMParams -iCOMServer -iCheckpoint -iCodepage -iDQuotes -iHeaderFile -iProgID -iSeparator -iTsFormat -ignoreDSErrors -ignoreDspchErrs -ignoreEventTrace -ignoreIdCols -ignoreLostEvents -ignoreMinWarns -iw -legend -lineFilter -locale -maxCategoryLabels -maxPacketSize -maxStrFieldLen -minDateMod -msgErrorMode -multiSZSep -multiValuedSep -nFields -nSep -nSkipLines -noEmptyField -noEmptyFile -o -oCodepage -oConnString -oDQuotes -oDirTime -oSeparator -oTsFormat -objClass -parseBinary -password -processName -protocol -providers -q -queryInfo -rAlign -recurse -resolveSIDs -restoreDefaults -rootName -rootXPath -rowName -rtp -saveDefaults -schemaServer -schemaType -separator -server -severity -sourcePort -spaceCol -standAlone -stats -stringsSep -structure -tabs -tpl -tplFooter -tplHeader -transactionRowCount -username -values -view file
+
+
+
+ 00' 01 02' 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/udl-list.json b/udl-list.json
index 42cbfd7..4bea527 100644
--- a/udl-list.json
+++ b/udl-list.json
@@ -3913,6 +3913,24 @@
"author": "Michael Cessna",
"autoCompletion": "Splunk SPL (Dark Mode)",
"autoCompletionAuthor": "generate_ac.py"
+ },
+ {
+ "id-name": "Microsoft_Log_Parser_Light_Mode",
+ "display-name": "Microsoft Log Parser (Light Mode)",
+ "version": "v1.00",
+ "sample": "Microsoft_Log_Parser_Light_Mode.pql",
+ "repository": "",
+ "description": "Microsoft Log Parser 2.2 Query Language (Light Mode)",
+ "author": "Michael Cessna"
+ },
+ {
+ "id-name": "Microsoft_Log_Parser_Dark_Mode",
+ "display-name": "Microsoft Log Parser (Dark Mode)",
+ "version": "v1.00",
+ "sample": "Microsoft_Log_Parser_Dark_Mode.pql",
+ "repository": "",
+ "description": "Microsoft Log Parser 2.2 Query Language (Dark Mode)",
+ "author": "Michael Cessna"
}
]
}
\ No newline at end of file