ETW Input Format Fields

The structure of the input records generated by the ETW input format is determined at run time, depending on the ETW trace being parsed, and on the value specified for the fMode ("field mode") parameter, which can be set to "Compact", "FNames", "Full", or "Meta".


Compact Field Mode

When the "fMode" parameter is set to "Compact", the ETW input format generates an input record for each event in the trace being parsed.
In this mode, input records contain four fields common to all the events, plus an additional "UserData" field containing the values of all the properties specific to the event being processed, concatenated into a single string value using the character specified for the compactModeSep parameter as a separator between the values.
The following table shows the fields of the input records generated in the "Compact" field mode:
Name Type Description
EventNumber INTEGER Index of this event in the trace being parsed
EventName STRING Name of the event
EventTypeName STRING Name of the event type
Timestamp TIMESTAMP Date and time at which the event was traced
UserData STRING Event-specific property values
The following example shows some sample "UserData" field values generated in the "Compact" field mode: 
UserData
----------------------------------------------------
DefaultAppPool|0|http://localhost:80/|GET
{00000000-0000-0000-1200-0060000000fc}|/
DefaultAppPool|0|http://localhost:80/default.htm|GET

The "Compact" field mode provides an easily readable way to display the events contained in an ETW trace, but queries operating in this mode can not reference properties of a specific event.


FNames Field Mode

The "FNames" field mode operates similar to the "Compact" field mode, but each property value in the "UserData" field is preceded by the name of the property for better readability.

The following example shows some sample "UserData" field values generated in the "FNames" field mode:

UserData
-----------------------------------------------------------------------------------------------
AppPoolId=DefaultAppPool|RawConnId=0|RequestURL=http://localhost:80/|RequestVerb=GET
ContextId={00000000-0000-0000-1200-0060000000fc}|RequestURL=/
AppPoolId=DefaultAppPool|RawConnId=0|RequestURL=http://localhost:80/default.htm|RequestVerb=GET

Full Field Mode

In "Full" field mode, the ETW input format generates an input record for each event in the trace being parsed.
In this mode, input records contain a field for each property of each event generated by the providers in the trace being parsed.

When operating in "Full" field mode, the ETW input format works with a two-stage approach.
During the first stage, the ETW input format examines the input trace to determine which providers have logged events in the trace being parsed.
When the providers parameter is left unspecified, the ETW input format pre-processes a number of events equal to the value specified for the dtEventsLog or dtEventsLive parameters, depending on whether or not the trace being parsed is a trace log file or a live trace session. After parsing these initial events, the ETW input format assumes that the trace being parsed contains all the events that can be logged by the providers found among these initial events.
On the other hand, when the "providers" parameter is set to either a comma-separated list of provider names or GUIDs or to the path to a text file containing a list of provider names or GUIDs, the ETW input format assumes that the trace being parsed contains all the events that can be logged by the specified providers.

Once the set of providers logging in the input trace has been identified, the ETW input format "constructs" the input record structure.
The first 20 input record fields are common to all the events, and they are described in the following table:

Name Type Description
TraceName STRING Trace file or session name containing this event
EventNumber INTEGER Index of this event in the trace being parsed
Timestamp TIMESTAMP Date and time at which the event was traced
InstanceID INTEGER InstanceID field of this event
ParentInstanceID INTEGER ParentInstanceID field of this event
ParentGUID STRING ParentGUID field of this event
ProviderDescription STRING Name of the provider of this event
ProviderGUID STRING GUID of the provider of this event
EventName STRING Name of this event
EventDescription STRING Description of this event
EventVersion INTEGER Version of this event
EventGUID STRING GUID of this event
EventType INTEGER Type of this event
EventTypeName STRING Name of this event type
EventTypeDescription STRING Description of this event type
EventTypeLevel INTEGER Level of this event type
ThreadID INTEGER ID of the thread that logged this event
ProcessID INTEGER ID of the process that logged this event
KernelTime INTEGER Elapsed execution time for kernel mode instructions, in CPU ticks
UserTime INTEGER Elapsed execution time for user mode instructions, in CPU ticks
These 20 fields are then followed by the union of all the properties of all the events that can be logged by the providers identified during this stage.

During the second stage, the ETW input format parses the trace events from beginning to end, generating an input record for each event.
For any given event, only the first 20 input record fields and the fields corresponding to the event properties are populated with a value; all the other input record fields corresponding to properties of other events are set to NULL values.

The following sample output shows selected fields from the input records generated when parsing the previous example in "Full" field mode:

AppPoolId	RawConnId ContextId							RequestURL					RequestVerb
-------------- --------- -------------------------------------- ------------------------------- -----------
DefaultAppPool 0		 -									http://localhost:80/			GET
-			-		 {00000000-0000-0000-1200-0060000000fc} /							 -
DefaultAppPool 0		 -									http://localhost:80/default.htm GET

Queries operating in "Full" mode can refer to individual properties of events, but the input records generated contain too many fields for the results to be eaily redable.


Meta Field Mode

In "Meta" field mode, the ETW input format returns meta-information about events, generating an input record for each property of each event that can be logged by each provider in the trace(s) being parsed. Input records contain meta-data about the event properties, including information about the property type, information about the event containing the property, and information about the provider generating the event.

The "Meta" field mode employs a two-stage parsing schema similar to the "Full" field mode. During the first stage, the ETW input format pre-processes the input trace to determine the set of providers that generated events in the trace.
In this mode, however, once the set of providers has been identified, the ETW input format does not process the trace, but rather returns the event meta-information populating the input record fields described in the following table:

Name Type Description
ProviderDescription STRING Description of the provider
ProviderClassName STRING WMI class name of the provider
ProviderGUID STRING GUID of the provider
EventName STRING Name of the event
EventDescription STRING Description of the event
EventVersion INTEGER Version of the event
EventClassName STRING WMI class name of the event
EventGUID STRING GUID of the Event
EventType INTEGER Type of the event
EventTypeName STRING Name of the event type
EventTypeDescription STRING Description of the event type
EventTypeClassName STRING WMI class name of the event type
EventTypeLevel INTEGER Level of the event type
FieldName STRING Name of this event field
FieldDescription STRING Description of this event field
FieldIndex INTEGER Index of this field among the event's fields
FieldType STRING WMI type of this field

© 2004 Microsoft Corporation. All rights reserved.