ETW Input Format Parameters
The EVT input format supports the following parameters:
| fMode | ||
| Values: | Full | Compact | FNames | Meta | |
| Default: | FNames | |
| Description: | Operation mode. | |
| Details: | This parameter specifies how the ETW input format
should return the information contained in the trace(s) being parsed. For more information on the different field modes, see ETW Input Format Fields. |
|
| Example: | -fMode:Full | |
| providers | ||
| Values: | filename or comma-separated list of provider names or GUIDs | |
| Default: | not specified | |
| Description: | List of providers for the "Full" or "Meta" field modes. | |
| Details: | This parameter specifies the set of providers logging to the input
trace(s) to allow the "Full" or "Meta" field modes to early detect
the providers to process. The value of this parameter can either by the path to a text
file containing the providers' GUIDs (in the same format accepted by the "pf"
argument of the logman.exe tool), or a comma-separated list of provider names or GUIDs. If this parameter is not specified when the ETW input format operates in "Full" or "Meta" field mode, then the set of providers will be detected by pre-processing the first n events, where n is the value specified for the "dtEventsLog" or "dtEventsLive" parameters. For more information about the different field modes, see ETW Input Format Fields. |
|
| Examples: | -providers:MyProviders.guid | |
| -providers:"IIS: WWW Server,IIS: Active Server Pages (ASP)" | ||
| dtEventsLog | ||
| Values: | number of events (number) | |
| Default: | 3000 | |
| Description: | Number of trace log file events examined to detect the set of providers in "Full" or "Meta" field modes. | |
| Details: | This parameter specifies the number of initial events
that the ETW input format examines to detect the set of providers logging in an input
trace log file when operating in the "Full" or "Meta" field modes. The value of this parameter is only used when the "providers" parameter is left unspecified. For more information about the different field modes, see ETW Input Format Fields. |
|
| Example: | -dtEventsLog:100 | |
| dtEventsLive | ||
| Values: | number of events (number) | |
| Default: | 20 | |
| Description: | Number of live trace session events examined to detect the set of providers in "Full" or "Meta" field modes. | |
| Details: | This parameter specifies the number of initial events
that the ETW input format examines to detect the set of providers logging in an input
live trace session when operating in the "Full" or "Meta" field modes. The value of this parameter is only used when the "providers" parameter is left unspecified. For more information about the different field modes, see ETW Input Format Fields. |
|
| Example: | -dtEventsLive:100 | |
| flushPeriod | ||
| Values: | milliseconds | |
| Default: | 500 | |
| Description: | Number of milliseconds between live trace session flushes. | |
| Details: | When processing a live trace session, the internal buffering mechanisms of the ETW infrastructure might cause events to appear with a noticeable delay. This parameter specifies how often the ETW input format should force a buffer flush to retrieve real-time events. | |
| Example: | -flushPeriod:2000 | |
| ignoreEventTrace | ||
| Values: | ON | OFF | |
| Default: | ON | |
| Description: | Ignore EventTrace events. | |
| Details: | The very first event in any trace session is the
"EventTrace" event, which contains meta-data about the trace session. This parameter specifies whether or not this event should be processed and returned by the ETW input format. |
|
| Example: | -ignoreEventTrace:OFF | |
| compactModeSep | ||
| Values: | any string | |
| Default: | | | |
| Description: | Separator between the values of the "UserData" field in the "Compact" or "FNames" field modes. | |
| Details: | When operating in the "Compact" or "FNames" field modes, the "UserData" field contains all the properties of the event being processed concatenated one after the other, using the value of this parameter as a separator between the elements. | |
| Example: | -compactModeSep:, | |
| expandEnums | ||
| Values: | ON | OFF | |
| Default: | ON | |
| Description: | Expand enumeration event properties. | |
| Details: | Many ETW events contain numeric properties whose values
describe enumerations. This parameter specifies whether or not the numeric values of properties of this type should be expanded to return the text representation of the enumeration values. |
|
| Example: | -expandEnums:OFF | |
| ignoreLostEvents | ||
| Values: | ON | OFF | |
| Default: | ON | |
| Description: | Ignore lost events. | |
| Details: | ETW traces contain information about events that might have
been lost during the tracing session. If this parameter is set to "OFF" and the input trace indicates the presence of lost events, the ETW input format generates a warning when the trace has been completely processed showing the number of events that have been lost. |
|
| Example: | -ignoreLostEvents:OFF | |
| schemaServer | ||
| Values: | computer name | |
| Default: | not specified | |
| Description: | Name of computer with event schema information. | |
| Details: | This parameter specifies the name of the computer
whose WMI repository contains the schema information for the events being parsed. When this parameter is not specified, the ETW input format connects to the computer specified in the from-entity if parsing a trace file from a remote computer, or to the local computer if parsing a local trace file or live tracing session. |
|
| Example: | -schemaServer:MYCOMPUTER02 | |