ETW Input Format Fields
The structure of the input records generated by the ETW input format is determined at run time, depending on the ETW trace being parsed, and on the value specified for the fMode ("field mode") parameter, which can be set to "Compact", "FNames", "Full", or "Meta".
Compact Field Mode
When the "fMode" parameter is set to "Compact", the ETW input format generates an input record for each event in the trace being parsed.In this mode, input records contain four fields common to all the events, plus an additional "UserData" field containing the values of all the properties specific to the event being processed, concatenated into a single string value using the character specified for the compactModeSep parameter as a separator between the values.
The following table shows the fields of the input records generated in the "Compact" field mode:
| Name | Type | Description |
|---|---|---|
| EventNumber | INTEGER | Index of this event in the trace being parsed |
| EventName | STRING | Name of the event |
| EventTypeName | STRING | Name of the event type |
| Timestamp | TIMESTAMP | Date and time at which the event was traced |
| UserData | STRING | Event-specific property values |
UserData
----------------------------------------------------
DefaultAppPool|0|http://localhost:80/|GET
{00000000-0000-0000-1200-0060000000fc}|/
DefaultAppPool|0|http://localhost:80/default.htm|GET
The "Compact" field mode provides an easily readable way to display the events contained in an ETW trace, but queries operating in this mode can not reference properties of a specific event.
FNames Field Mode
The "FNames" field mode operates similar to the "Compact" field mode, but each property value in the "UserData" field is preceded by the name of the property for better readability.The following example shows some sample "UserData" field values generated in the "FNames" field mode:
UserData
-----------------------------------------------------------------------------------------------
AppPoolId=DefaultAppPool|RawConnId=0|RequestURL=http://localhost:80/|RequestVerb=GET
ContextId={00000000-0000-0000-1200-0060000000fc}|RequestURL=/
AppPoolId=DefaultAppPool|RawConnId=0|RequestURL=http://localhost:80/default.htm|RequestVerb=GET
Full Field Mode
In "Full" field mode, the ETW input format generates an input record for each event in the trace being parsed.In this mode, input records contain a field for each property of each event generated by the providers in the trace being parsed.
When operating in "Full" field mode, the ETW input format works with a
two-stage approach.
During the first stage, the ETW input format examines the input trace to determine which
providers have logged events in the trace being parsed.
When the
providers parameter is left unspecified, the ETW
input format pre-processes a number of events equal to the value specified for the
dtEventsLog or
dtEventsLive parameters, depending on whether or not
the trace being parsed is a trace log file or a live trace session. After parsing these
initial events, the ETW input format assumes that the trace being parsed contains all the
events that can be logged by the providers found among these initial events.
On the other hand, when the "providers" parameter is set to either a
comma-separated list of provider names or GUIDs or to the path to a text file containing a
list of provider names or GUIDs, the ETW input format assumes that the trace being parsed
contains all the events that can be logged by the specified providers.
Once the set of providers logging in the input trace has been identified, the ETW input
format "constructs" the input record structure.
The first 20 input record fields are common to all the events, and they are
described in the following table:
| Name | Type | Description |
|---|---|---|
| TraceName | STRING | Trace file or session name containing this event |
| EventNumber | INTEGER | Index of this event in the trace being parsed |
| Timestamp | TIMESTAMP | Date and time at which the event was traced |
| InstanceID | INTEGER | InstanceID field of this event |
| ParentInstanceID | INTEGER | ParentInstanceID field of this event |
| ParentGUID | STRING | ParentGUID field of this event |
| ProviderDescription | STRING | Name of the provider of this event |
| ProviderGUID | STRING | GUID of the provider of this event |
| EventName | STRING | Name of this event |
| EventDescription | STRING | Description of this event |
| EventVersion | INTEGER | Version of this event |
| EventGUID | STRING | GUID of this event |
| EventType | INTEGER | Type of this event |
| EventTypeName | STRING | Name of this event type |
| EventTypeDescription | STRING | Description of this event type |
| EventTypeLevel | INTEGER | Level of this event type |
| ThreadID | INTEGER | ID of the thread that logged this event |
| ProcessID | INTEGER | ID of the process that logged this event |
| KernelTime | INTEGER | Elapsed execution time for kernel mode instructions, in CPU ticks |
| UserTime | INTEGER | Elapsed execution time for user mode instructions, in CPU ticks |
During the second stage, the ETW input format parses the trace events from beginning to
end, generating an input record for each event.
For any given event, only the first 20 input record fields and the fields corresponding to the event
properties are populated with a value; all the other input record fields corresponding to
properties of other events are set to NULL values.
The following sample output shows selected fields from the input records generated when parsing the previous example in "Full" field mode:
AppPoolId RawConnId ContextId RequestURL RequestVerb
-------------- --------- -------------------------------------- ------------------------------- -----------
DefaultAppPool 0 - http://localhost:80/ GET
- - {00000000-0000-0000-1200-0060000000fc} / -
DefaultAppPool 0 - http://localhost:80/default.htm GET
Queries operating in "Full" mode can refer to individual properties of events, but the input records generated contain too many fields for the results to be eaily redable.
Meta Field Mode
In "Meta" field mode, the ETW input format returns meta-information about events, generating an input record for each property of each event that can be logged by each provider in the trace(s) being parsed. Input records contain meta-data about the event properties, including information about the property type, information about the event containing the property, and information about the provider generating the event.
The "Meta" field mode employs a two-stage parsing schema similar to the "Full"
field mode. During the first stage, the ETW input format pre-processes the input trace to
determine the set of providers that generated events in the trace.
In this mode, however, once the set of providers has been identified, the ETW input format
does not process the trace, but rather returns the event meta-information populating
the input record fields described in the following table:
| Name | Type | Description |
|---|---|---|
| ProviderDescription | STRING | Description of the provider |
| ProviderClassName | STRING | WMI class name of the provider |
| ProviderGUID | STRING | GUID of the provider |
| EventName | STRING | Name of the event |
| EventDescription | STRING | Description of the event |
| EventVersion | INTEGER | Version of the event |
| EventClassName | STRING | WMI class name of the event |
| EventGUID | STRING | GUID of the Event |
| EventType | INTEGER | Type of the event |
| EventTypeName | STRING | Name of the event type |
| EventTypeDescription | STRING | Description of the event type |
| EventTypeClassName | STRING | WMI class name of the event type |
| EventTypeLevel | INTEGER | Level of the event type |
| FieldName | STRING | Name of this event field |
| FieldDescription | STRING | Description of this event field |
| FieldIndex | INTEGER | Index of this field among the event's fields |
| FieldType | STRING | WMI type of this field |