The EVT input format supports the following parameters:
| fMode | ||
| Values: | Full | Compact | FNames | Meta | |
| Default: | FNames | |
| Description: | Operation mode. | |
| Details: | This parameter specifies how the ETW
input format should return the information contained in the
trace(s) being parsed. For more information on the different field modes, see ETW Input Format Fields. |
|
| Example: | -fMode:Full | |
| providers | ||
| Values: | filename or comma-separated list of provider names or GUIDs | |
| Default: | not specified | |
| Description: | List of providers for the "Full" or "Meta" field modes. | |
| Details: | This parameter specifies the set of
providers logging to the input trace(s) to allow the "Full" or
"Meta" field modes to early detect the providers to process. The
value of this parameter can either by the path to a text file
containing the providers' GUIDs (in the same format accepted by the
"pf" argument of the logman.exe tool), or a comma-separated list of
provider names or GUIDs. If this parameter is not specified when the ETW input format operates in "Full" or "Meta" field mode, then the set of providers will be detected by pre-processing the first n events, where n is the value specified for the "dtEventsLog" or "dtEventsLive" parameters. For more information about the different field modes, see ETW Input Format Fields. |
|
| Examples: | -providers:MyProviders.guid | |
| -providers:"IIS: WWW Server,IIS: Active Server Pages (ASP)" | ||
| dtEventsLog | ||
| Values: | number of events (number) | |
| Default: | 3000 | |
| Description: | Number of trace log file events examined to detect the set of providers in "Full" or "Meta" field modes. | |
| Details: | This parameter specifies the number
of initial events that the ETW input format examines to detect the
set of providers logging in an input trace log file when operating
in the "Full" or "Meta" field modes. The value of this parameter is only used when the "providers" parameter is left unspecified. For more information about the different field modes, see ETW Input Format Fields. |
|
| Example: | -dtEventsLog:100 | |
| dtEventsLive | ||
| Values: | number of events (number) | |
| Default: | 20 | |
| Description: | Number of live trace session events examined to detect the set of providers in "Full" or "Meta" field modes. | |
| Details: | This parameter specifies the number
of initial events that the ETW input format examines to detect the
set of providers logging in an input live trace session when
operating in the "Full" or "Meta" field modes. The value of this parameter is only used when the "providers" parameter is left unspecified. For more information about the different field modes, see ETW Input Format Fields. |
|
| Example: | -dtEventsLive:100 | |
| flushPeriod | ||
| Values: | milliseconds | |
| Default: | 500 | |
| Description: | Number of milliseconds between live trace session flushes. | |
| Details: | When processing a live trace session, the internal buffering mechanisms of the ETW infrastructure might cause events to appear with a noticeable delay. This parameter specifies how often the ETW input format should force a buffer flush to retrieve real-time events. | |
| Example: | -flushPeriod:2000 | |
| ignoreEventTrace | ||
| Values: | ON | OFF | |
| Default: | ON | |
| Description: | Ignore EventTrace events. | |
| Details: | The very first event in any trace
session is the "EventTrace" event, which contains meta-data about
the trace session. This parameter specifies whether or not this event should be processed and returned by the ETW input format. |
|
| Example: | -ignoreEventTrace:OFF | |
| compactModeSep | ||
| Values: | any string | |
| Default: | | | |
| Description: | Separator between the values of the "UserData" field in the "Compact" or "FNames" field modes. | |
| Details: | When operating in the "Compact" or "FNames" field modes, the "UserData" field contains all the properties of the event being processed concatenated one after the other, using the value of this parameter as a separator between the elements. | |
| Example: | -compactModeSep:, | |
| expandEnums | ||
| Values: | ON | OFF | |
| Default: | ON | |
| Description: | Expand enumeration event properties. | |
| Details: | Many ETW events contain numeric
properties whose values describe enumerations. This parameter specifies whether or not the numeric values of properties of this type should be expanded to return the text representation of the enumeration values. |
|
| Example: | -expandEnums:OFF | |
| ignoreLostEvents | ||
| Values: | ON | OFF | |
| Default: | ON | |
| Description: | Ignore lost events. | |
| Details: | ETW traces contain information about
events that might have been lost during the tracing session. If this parameter is set to "OFF" and the input trace indicates the presence of lost events, the ETW input format generates a warning when the trace has been completely processed showing the number of events that have been lost. |
|
| Example: | -ignoreLostEvents:OFF | |
| schemaServer | ||
| Values: | computer name | |
| Default: | not specified | |
| Description: | Name of computer with event schema information. | |
| Details: | This parameter specifies the name of
the computer whose WMI repository contains the schema information
for the events being parsed. When this parameter is not specified, the ETW input format connects to the computer specified in the from-entity if parsing a trace file from a remote computer, or to the local computer if parsing a local trace file or live tracing session. |
|
| Example: | -schemaServer:MYCOMPUTER02 | |
© 2004 Microsoft Corporation. All rights reserved.