EVT Input Format Parameters

The EVT input format supports the following parameters:

fullText
  Values: ON | OFF
  Default: ON
  Description: Retrieve the full text message.
  Details: This parameter enables/disables the retrieval of Event Log text messages.
  Example: -fullText:OFF
 
resolveSIDs
  Values: ON | OFF
  Default: OFF
  Description: Resolve SID values into full account names.
  Details: When set to "ON", this parameter causes the EVT input format to perform an account name lookup for each SID value in the events being parsed, and to return the account name instead of the SID in its string form (for example, S-1-5-18). The lookup is performed from the machine running Log Parser, so SIDs of deleted accounts or of accounts in a domain that cannot be reached may remain unresolved.
  Example: -resolveSIDs:ON
 
formatMsg
  Values: ON | OFF
  Default: ON
  Description: Format the text message as a single line.
  Details: Event text messages often span multiple lines. When this parameter is set to "ON", the EVT input format collapses each message onto a single line by removing carriage-return, line-feed, and repeated space characters from the message text, which keeps the output readable in line-oriented output formats.
When this parameter is set to "OFF", the EVT input format returns the original message text with no post-processing.
  Example: -formatMsg:OFF
 
msgErrorMode
  Values: NULL | ERROR | MSG
  Default: MSG
  Description: Behavior when event messages or event category names cannot be resolved.
  Details: The text of an event log message and the textual name of its category are not stored in the event log itself; they are stored in binary message files installed with the application that generates the events. Uninstalling or reconfiguring the application can remove those files, and an .evt file copied from another machine may refer to message files that are not installed locally; in either case the text cannot be retrieved for events logged before the change, even though the events themselves remain in the log.
This parameter specifies the behavior of the EVT input format when an event log message text or its category name cannot be retrieved.
When this parameter is set to "NULL", the "Message" or "EventCategoryName" field value is returned as a NULL value. When set to "ERROR", a parse error is returned. When set to "MSG", a descriptive message is returned for the field, stating that the text of the message or the category name could not be found.
  Example: -msgErrorMode:NULL
 
fullEventCode
  Values: ON | OFF
  Default: OFF
  Description: Return the full event ID code instead of the friendly code.
  Details: When this parameter is set to "ON", the EVT input format returns the full 32-bit value of the event ID code. When set to "OFF", the EVT input format returns the lower 16-bit value of the code (as displayed by the Event Viewer).
  Example: -fullEventCode:ON
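As an added example (not part of the Log Parser documentation), the following Python splits a full 32-bit event ID code into the 16-bit value that Event Viewer shows and the upper bits, and shows why the distinction matters for filtering: several distinct full codes can share one friendly code. The page only states that the friendly code is the lower 16 bits; the breakdown of the upper bits (severity in bits 31-30, customer flag in bit 29, facility in bits 27-16) follows the Windows message compiler layout for message identifiers and is an assumption here. The sample codes are constructed, not taken from any real event source.

```python
from typing import NamedTuple


class EventCode(NamedTuple):
    full: int          # the 32-bit value returned with -fullEventCode:ON
    friendly: int      # the lower 16 bits, returned with -fullEventCode:OFF
    severity: int      # bits 31-30 (message compiler layout; assumed, not from the page)
    customer: bool     # bit 29 (customer-defined code flag; assumed layout)
    facility: int      # bits 27-16 (assumed layout)


SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def split_event_code(full: int) -> EventCode:
    """Decompose a full event ID code as stored in the EVT file."""
    if not 0 <= full <= 0xFFFFFFFF:
        raise ValueError(f"event code out of 32-bit range: {full:#x}")
    return EventCode(
        full=full,
        friendly=full & 0xFFFF,
        severity=(full >> 30) & 0x3,
        customer=bool((full >> 29) & 0x1),
        facility=(full >> 16) & 0x0FFF,
    )


def friendly_code(full: int) -> int:
    """What -fullEventCode:OFF (the default) returns: the lower 16 bits."""
    return full & 0xFFFF


def collides_when_truncated(codes):
    """Return the groups of distinct full codes that map to the same friendly code.

    A query such as WHERE EventID = 17 run with the default setting matches
    every member of a group; -fullEventCode:ON lets the query tell them apart.
    """
    by_friendly = {}
    for code in codes:
        by_friendly.setdefault(friendly_code(code), set()).add(code)
    return {k: sorted(v) for k, v in by_friendly.items() if len(v) > 1}


# Constructed sample codes, not taken from any real event source.
SAMPLE_CODES = [0x40000011, 0xC0000011, 0x00000011, 0x800004B7]

if __name__ == "__main__":
    for code in SAMPLE_CODES:
        ec = split_event_code(code)
        print(f"{code:#010x} -> EventID {ec.friendly:5d} "
              f"severity={SEVERITY_NAMES[ec.severity]} facility={ec.facility:#x}")
    print("colliding friendly codes:", collides_when_truncated(SAMPLE_CODES))
```

Codes whose upper 16 bits are zero render identically under both settings; the setting only changes the result for sources that set severity or facility bits, and a detection query keyed on the friendly code alone cannot distinguish those.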
 
direction
  Values: FW | BW
  Default: FW
  Description: Chronological direction in which events are retrieved.
  Details: When set to "FW", events are retrieved from the oldest to the newest. When set to "BW", events are retrieved from the newest to the oldest.
This parameter is especially useful with queries that use the TOP keyword to retrieve the most recent n logged events.
  Example: -direction:BW
 
stringsSep
  Values: any string
  Default: |
  Description: Separator between values of the "Strings" field.
  Details: The "Strings" field contains an array of text data associated with the event. The value of this field is built by concatenating the array elements one after the other, using the value of this parameter as a separator between the elements.
  Example: -stringsSep:,
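As an added example covering both the formatMsg and the stringsSep parameters above (this is illustrative Python, not Log Parser's own code), the following builds the single-line message and the "Strings" field the way the two parameters describe, and shows the one caveat a practitioner hits when splitting "Strings" back apart: an insertion string that itself contains the separator cannot be recovered. The sample message and insertion strings are constructed. Replacing each run of removed characters with a single space is an assumption; the page only says the characters are removed.

```python
import re
from typing import List

# Constructed sample event text, not taken from a real log.
SAMPLE_MESSAGE = (
    "The service entered the stopped state.\r\n"
    "\r\n"
    "Reason:     operator request\r\n"
    "    Exit code:   0"
)
SAMPLE_STRINGS = ["Spooler", "operator request", "0"]


def format_msg(message: str, on: bool = True) -> str:
    """-formatMsg:ON collapses the text onto one line; OFF returns it untouched.

    Each run of CR, LF and space characters is replaced with a single space
    (assumption: the page says the characters are removed, and one space keeps
    adjacent words separated).
    """
    if not on:
        return message
    return re.sub(r"[\r\n ]+", " ", message).strip()


def strings_field(strings: List[str], sep: str = "|") -> str:
    """Build the "Strings" field as -stringsSep describes: elements joined by sep."""
    return sep.join(strings)


def separator_is_safe(strings: List[str], sep: str) -> bool:
    """True when no element contains the separator, so the field can be split back."""
    return not any(sep in s for s in strings)


def split_strings_field(value: str, sep: str = "|") -> List[str]:
    """Split a "Strings" field value back into elements.

    Only reliable when separator_is_safe() held for the strings it was built from.
    """
    return value.split(sep)


if __name__ == "__main__":
    print(format_msg(SAMPLE_MESSAGE))
    field = strings_field(SAMPLE_STRINGS)
    print(field, "->", split_strings_field(field))
    # An insertion string that contains the separator is split into too many pieces.
    risky = ["C:\\path|with|pipes", "0"]
    print(separator_is_safe(risky, "|"), split_strings_field(strings_field(risky)))
```

When the "Strings" values will be parsed downstream, pick a separator with -stringsSep that cannot occur in the insertion strings (a control character is a common choice), or verify the element count against the expected count for that event ID before trusting the split.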
 
iCheckpoint
  Values: checkpoint filename
  Default: not specified
  Description: Load and save checkpoint information to this file.
  Details: This parameter enables the "Incremental Parsing" feature that allows sequential executions of the same query to only process new events that have been logged since the last execution. For more information, see Parsing Input Incrementally.
  Example: -iCheckpoint:C:\Temp\myCheckpoint.lpc
 
binaryFormat
  Values: ASC | PRINT | HEX
  Default: HEX
  Description: Format of the "Data" binary field.
  Details: The "Data" field contains binary data that is often not suitable to be textually represented.
When this parameter is set to "ASC", data bytes in the 0x20-0x7F range are returned as ASCII characters, while data bytes outside the range (including carriage-return and line-feed bytes) are returned as period (.) characters, as shown in the following example:
Bucket: 02096553..rundll32.exe
When this parameter is set to "PRINT", data bytes representing printable ASCII characters are returned as ASCII characters, while data bytes that do not represent printable ASCII characters are returned as period (.) characters, as shown in the following example:
Bucket: 02096553
rundll32.exe
When this parameter is set to "HEX", all data bytes are returned as two-digit hexadecimal values, as shown in the following example:
4275636B65743A2030323039363535330D0A72756E646C6C33322E657865
  Example: -binaryFormat:PRINT
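As an added example (illustrative Python, not Log Parser's own code), the following renders a "Data" payload in the three binaryFormat styles and reproduces the page's own three sample outputs from the 30 bytes in its HEX example. ASC follows the 0x20-0x7F range exactly as documented; for PRINT, the page's example shows CR and LF being kept, so they are treated as printable here, and keeping tab as well is an assumption. The sample bytes are taken from the page's HEX example and are otherwise constructed.

```python
# The 30 "Data" bytes from the page's HEX example, decoded (constructed sample).
SAMPLE_DATA = bytes.fromhex(
    "4275636B65743A2030323039363535330D0A72756E646C6C33322E657865"
)


def render_asc(data: bytes) -> str:
    """-binaryFormat:ASC: bytes in 0x20-0x7F pass through, all others become '.'.

    CR (0x0D) and LF (0x0A) fall outside the range, which is why the page's ASC
    example shows two periods between the two text fragments. 0x7F (DEL) is
    inside the documented range but has no visible glyph; it is passed through
    here because that is what the page states.
    """
    return "".join(chr(b) if 0x20 <= b <= 0x7F else "." for b in data)


def render_print(data: bytes) -> str:
    """-binaryFormat:PRINT: printable characters pass through, others become '.'.

    The page's PRINT example spans two lines, so CR and LF are kept. Keeping
    tab (0x09) is an assumption not covered by the page.
    """
    return "".join(
        chr(b) if (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)) else "."
        for b in data
    )


def render_hex(data: bytes) -> str:
    """-binaryFormat:HEX: two upper-case hex digits per byte, no separators."""
    return data.hex().upper()


RENDERERS = {"ASC": render_asc, "PRINT": render_print, "HEX": render_hex}


def render_data(data: bytes, binary_format: str = "HEX") -> str:
    """Render the "Data" field; the default matches the parameter's default."""
    try:
        return RENDERERS[binary_format.upper()](data)
    except KeyError:
        raise ValueError(
            f"unknown binaryFormat {binary_format!r}; expected ASC, PRINT or HEX"
        ) from None


def recover_bytes(rendered: str, binary_format: str) -> bytes:
    """Only HEX is lossless; ASC and PRINT replace bytes with '.' and cannot be undone."""
    if binary_format.upper() != "HEX":
        raise ValueError("only -binaryFormat:HEX can be converted back to the original bytes")
    return bytes.fromhex(rendered)


if __name__ == "__main__":
    for fmt in ("ASC", "PRINT", "HEX"):
        print(f"{fmt}: {render_data(SAMPLE_DATA, fmt)!r}")
    assert recover_bytes(render_hex(SAMPLE_DATA), "HEX") == SAMPLE_DATA
```

For forensic or detection work where the binary payload will be parsed further (structures, embedded paths, status codes), keep the default HEX and decode it in the consumer; ASC and PRINT are for eyeballing the field and discard every non-text byte.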
 

© 2004 Microsoft Corporation. All rights reserved.