EVT Input Format Parameters
The EVT input format supports the following parameters:
fullText
    Values:      ON | OFF
    Default:     ON
    Description: Retrieve the full text message.
    Details:     This parameter enables or disables the retrieval of Event Log message text (the "Message" field).
    Example:     -fullText:OFF
resolveSIDs
    Values:      ON | OFF
    Default:     OFF
    Description: Resolve SID values into full account names.
    Details:     When set to "ON", the EVT input format performs an account name lookup for each SID in the events being parsed and returns the account name in place of the SID string (for example "S-1-5-18"). When set to "OFF", the SID string is returned unchanged.
    Example:     -resolveSIDs:ON
formatMsg
    Values:      ON | OFF
    Default:     ON
    Description: Format the text message as a single line.
    Details:     Event text messages often span multiple lines. When this parameter is set to "ON", the EVT input format keeps the messages readable as single lines by removing carriage-return, line-feed, and runs of multiple space characters from the message text. When set to "OFF", the EVT input format returns the original message text with no post-processing.
    Example:     -formatMsg:OFF
msgErrorMode
    Values:      NULL | ERROR | MSG
    Default:     MSG
    Description: Behavior when event messages or event category names cannot be resolved.
    Details:     The text of an event log message and the textual name of its category are stored in binary files installed with the application that generates the event log. Uninstalling or reconfiguring the application can remove those binary files, making it impossible to retrieve the text data for events that were logged before the change. This parameter specifies the behavior of the EVT input format when an event log message text or its category name cannot be retrieved. When set to "NULL", the "Message" or "EventCategoryName" field value is returned as NULL. When set to "ERROR", a parse error is returned. When set to "MSG", a descriptive message is returned in the field, stating that the text of the message or the category name could not be found.
    Example:     -msgErrorMode:NULL
fullEventCode
    Values:      ON | OFF
    Default:     OFF
    Description: Return the full event ID code instead of the friendly code.
    Details:     When this parameter is set to "ON", the EVT input format returns the full 32-bit value of the event ID code. When set to "OFF", the EVT input format returns the lower 16-bit value of the code (as displayed by the Event Viewer).
    Example:     -fullEventCode:ON
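The relationship between the full 32-bit code and the 16-bit "friendly" ID, as an added example that is not part of Log Parser or its documentation. It splits a full code into the fields of the Windows message-ID layout used by the message compiler (bits 31-30 severity, bit 29 customer flag, bit 28 reserved, bits 27-16 facility, bits 15-0 code) and shows how distinct full codes collapse onto one friendly ID, which is the value a query filters on when -fullEventCode is OFF. The sample codes are constructed, not taken from a real log.

```python
"""Decode full 32-bit event ID codes (-fullEventCode:ON) and show how they
collapse onto the 16-bit friendly ID that -fullEventCode:OFF returns.

Added example, not part of Log Parser. Field layout follows the Windows
message-ID format: Sev(2) | C(1) | R(1) | Facility(12) | Code(16).
"""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


@dataclass(frozen=True)
class EventCode:
    full: int        # the 32-bit value returned with -fullEventCode:ON
    severity: int    # 0..3, see SEVERITY_NAMES
    customer: bool   # customer flag: set for application-defined codes
    reserved: bool
    facility: int    # 12-bit facility number
    code: int        # the 16-bit value Event Viewer and -fullEventCode:OFF show


def decode_event_code(full: int) -> EventCode:
    """Split a full 32-bit event ID into its message-ID fields."""
    if not 0 <= full <= 0xFFFFFFFF:
        raise ValueError(f"event code out of 32-bit range: {full:#x}")
    return EventCode(
        full=full,
        severity=(full >> 30) & 0x3,
        customer=bool((full >> 29) & 0x1),
        reserved=bool((full >> 28) & 0x1),
        facility=(full >> 16) & 0xFFF,
        code=full & 0xFFFF,
    )


def friendly_event_id(full: int) -> int:
    """The lower 16 bits: the EventID value returned with -fullEventCode:OFF."""
    return full & 0xFFFF


def describe(full: int) -> str:
    ec = decode_event_code(full)
    return (f"{ec.full:#010x}: severity={SEVERITY_NAMES[ec.severity]} "
            f"customer={ec.customer} facility={ec.facility:#x} code={ec.code}")


def group_by_friendly_id(full_codes):
    """Map each 16-bit friendly ID to the distinct full codes sharing it.

    A friendly ID with more than one full code is one that a filter such as
    'WHERE EventID = 1' matches indiscriminately when -fullEventCode is OFF.
    """
    groups = defaultdict(list)
    for full in full_codes:
        fid = friendly_event_id(full)
        if full not in groups[fid]:
            groups[fid].append(full)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample: an Error and an Informational message with the same
    # 16-bit code, plus an unrelated Success message.
    sample = [0xC0000001, 0x40000001, 0x00000002]
    for full in sample:
        print(describe(full))
    for fid, fulls in group_by_friendly_id(sample).items():
        tag = "AMBIGUOUS" if len(fulls) > 1 else "unique"
        print(f"friendly EventID {fid}: {tag} -> {[hex(f) for f in fulls]}")
```

When a query must distinguish events that share a friendly ID, run it with -fullEventCode:ON and compare EventID against the full 32-bit value; filters written against the 16-bit value will no longer match once the parameter is switched on.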
direction
    Values:      FW | BW
    Default:     FW
    Description: Chronological direction in which events are retrieved.
    Details:     When set to "FW", events are retrieved from the oldest to the newest. When set to "BW", events are retrieved from the newest to the oldest. This parameter is especially useful with queries that use the TOP keyword to retrieve the last n logged events.
    Example:     -direction:BW
stringsSep
    Values:      any string
    Default:     |
    Description: Separator between values of the "Strings" field.
    Details:     The "Strings" field contains an array of text data associated with the event. The value of this field is built by concatenating the array elements one after the other, using the value of this parameter as a separator between the elements. Choose a separator that cannot occur inside the event's own strings; otherwise the field cannot be split back into its elements unambiguously.
    Example:     -stringsSep:,
iCheckpoint
    Values:      checkpoint filename
    Default:     not specified
    Description: Load and save checkpoint information to this file.
    Details:     This parameter enables the "Incremental Parsing" feature, which allows sequential executions of the same query to process only the events logged since the last execution. For more information, see Parsing Input Incrementally.
    Example:     -iCheckpoint:C:\Temp\myCheckpoint.lpc
binaryFormat
    Values:      ASC | PRINT | HEX
    Default:     HEX
    Description: Format of the "Data" binary field.
    Details:     The "Data" field contains binary data that is often not suitable for textual representation.
                 When this parameter is set to "ASC", data bytes in the 0x20-0x7F range are returned as ASCII characters, while data bytes outside that range are returned as period (.) characters, as in the following example:
                     Bucket: 02096553..rundll32.exe
                 When set to "PRINT", data bytes representing printable ASCII characters are returned as ASCII characters, while data bytes that do not represent printable ASCII characters are returned as period (.) characters, as in the following example (the carriage-return and line-feed bytes are kept):
                     Bucket: 02096553
                     rundll32.exe
                 When set to "HEX", all data bytes are returned as two-digit hexadecimal values, as in the following example:
                     4275636B65743A2030323039363535330D0A72756E646C6C33322E657865
    Example:     -binaryFormat:PRINT
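The three renderings of the "Data" field, as an added example that is not Log Parser's own code. The sample buffer is the documentation's HEX example decoded back into bytes, so the ASC and PRINT outputs can be checked against the documented ones. The ASC rule is the documented 0x20-0x7F range; the PRINT rule (0x20-0x7E plus tab, CR and LF) is an assumption inferred from the documented PRINT example keeping its line break. The `is_lossless` helper makes the practical point: only HEX can be inverted back to the original bytes, because ASC and PRINT replace non-printable bytes with a period that is indistinguishable from a literal 0x2E.

```python
"""Render a raw Event Log "Data" buffer the way -binaryFormat:ASC, PRINT and
HEX do. Added example, not part of Log Parser; sample data is constructed.
"""
# Constructed sample: the documentation's HEX example, i.e. the bytes of
# "Bucket: 02096553\r\nrundll32.exe".
SAMPLE_HEX = "4275636B65743A2030323039363535330D0A72756E646C6C33322E657865"
SAMPLE_DATA = bytes.fromhex(SAMPLE_HEX)

# Assumption: PRINT treats these control bytes as printable (the documented
# example keeps its CR/LF line break).
PRINT_WHITESPACE = frozenset({0x09, 0x0A, 0x0D})


def render_asc(data: bytes) -> str:
    """-binaryFormat:ASC: bytes 0x20..0x7F verbatim, everything else as '.'.
    The documented range includes 0x7F (DEL), which is itself not printable."""
    return "".join(chr(b) if 0x20 <= b <= 0x7F else "." for b in data)


def render_print(data: bytes) -> str:
    """-binaryFormat:PRINT: printable ASCII (assumed 0x20..0x7E plus
    tab/CR/LF) verbatim, everything else as '.'."""
    return "".join(
        chr(b) if (0x20 <= b <= 0x7E or b in PRINT_WHITESPACE) else "."
        for b in data
    )


def render_hex(data: bytes) -> str:
    """-binaryFormat:HEX: two uppercase hex digits per byte, no separators."""
    return data.hex().upper()


RENDERERS = {"ASC": render_asc, "PRINT": render_print, "HEX": render_hex}


def render_data(data: bytes, binary_format: str = "HEX") -> str:
    """Dispatch on the parameter value (case-insensitive); HEX is the default."""
    try:
        return RENDERERS[binary_format.upper()](data)
    except KeyError:
        raise ValueError(f"unknown binaryFormat value: {binary_format!r}") from None


def is_lossless(data: bytes, binary_format: str) -> bool:
    """True if the rendering can be turned back into the original bytes.
    HEX always can; ASC and PRINT can only when no byte was replaced by '.'."""
    rendered = render_data(data, binary_format)
    if binary_format.upper() == "HEX":
        return bytes.fromhex(rendered) == data
    return rendered.encode("ascii") == data


if __name__ == "__main__":
    for fmt in ("ASC", "PRINT", "HEX"):
        print(f"{fmt:5} lossless={is_lossless(SAMPLE_DATA, fmt)!s:5} "
              f"{render_data(SAMPLE_DATA, fmt)!r}")
```

For forensic work on the "Data" field (crash buckets, driver payloads, anything you may need to carve or hash later), keep the HEX default and decode it yourself; use ASC or PRINT only for eyeballing output.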