From ed736147be5770e8150718e7bb6d4a9928c010ee Mon Sep 17 00:00:00 2001
From: georgis
Date: Wed, 15 May 2013 16:11:08 -0700
Subject: [PATCH] Fixes for .evtx files exported from EventVwr
---
 Source/AssemblyInfo.cs | 4 ++--
 Source/Tx.LinqPad/SamplesDescription.txt | 10 ++--------
 Source/Tx.LinqPad/TypeCache.cs | 3 +++
 Source/Tx.Windows/Evtx/EvtxManifestTypeMap.cs | 4 ++--
 Source/Tx.Windows/Evtx/EvtxTypeMap.cs | 2 +-
 5 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/Source/AssemblyInfo.cs b/Source/AssemblyInfo.cs
index af8d79c..797d0ed 100644
--- a/Source/AssemblyInfo.cs
+++ b/Source/AssemblyInfo.cs
@@ -5,5 +5,5 @@ using System.Reflection;
 [assembly: AssemblyCompany("MS Open Tech")]
 [assembly: AssemblyProduct("Tx (LINQ to Traces)")]
 [assembly: AssemblyCopyright("Copyright © MS Open Tech 2012")]
-[assembly: AssemblyVersion("1.0.30512.0")]
-[assembly: AssemblyFileVersion("1.0.30512.0")]
\ No newline at end of file
+[assembly: AssemblyVersion("1.0.30515.0")]
+[assembly: AssemblyFileVersion("1.0.30515.0")]
\ No newline at end of file
diff --git a/Source/Tx.LinqPad/SamplesDescription.txt b/Source/Tx.LinqPad/SamplesDescription.txt
index 3d0d128..1f92783 100644
--- a/Source/Tx.LinqPad/SamplesDescription.txt
+++ b/Source/Tx.LinqPad/SamplesDescription.txt
@@ -4,15 +4,9 @@ Download Tx samples
-

-

Tx surfaces event sources such as Event Tracing for Windows (ETW) as IObservable sequences. -This allows using Reactive Extensions (Rx) and LINQ to Objects to perform queries on:

- +

The Tx samples show how to mix Reactive Extensions and LINQ to Objects - to create efficient queries on logs/traces. + to create efficient queries on raw logs/traces, such as ETW, .blg files from PerfMon and Windows Event Logs

For more information, check out the Tx
diff --git a/Source/Tx.LinqPad/TypeCache.cs b/Source/Tx.LinqPad/TypeCache.cs
index ebd6be3..73ded5c 100644
--- a/Source/Tx.LinqPad/TypeCache.cs
+++ b/Source/Tx.LinqPad/TypeCache.cs
@@ -91,6 +91,9 @@ namespace Tx.LinqPad
 }
 break;
+ case ".evtx":
+ break;
+
 default:
 throw new Exception("Unknown metadata format " + f);
 }
diff --git a/Source/Tx.Windows/Evtx/EvtxManifestTypeMap.cs b/Source/Tx.Windows/Evtx/EvtxManifestTypeMap.cs
index 01c2a76..6879d83 100644
--- a/Source/Tx.Windows/Evtx/EvtxManifestTypeMap.cs
+++ b/Source/Tx.Windows/Evtx/EvtxManifestTypeMap.cs
@@ -21,8 +21,8 @@ namespace Tx.Windows
 return new ManifestEventPartitionKey
 {
 EventId = (ushort) evt.Id,
- ProviderId = evt.ProviderId.Value,
- Version = evt.Version.Value
+ ProviderId = evt.ProviderId.HasValue ? evt.ProviderId.Value : Guid.Empty, // looks like in evtx files we can also have name instead of Guid?
+ Version = evt.Version.HasValue ? evt.Version.Value : (byte) 0
 };
 }
diff --git a/Source/Tx.Windows/Evtx/EvtxTypeMap.cs b/Source/Tx.Windows/Evtx/EvtxTypeMap.cs
index 9153252..794c1e1 100644
--- a/Source/Tx.Windows/Evtx/EvtxTypeMap.cs
+++ b/Source/Tx.Windows/Evtx/EvtxTypeMap.cs
@@ -44,7 +44,7 @@ namespace Tx.Windows
 EventId = (ushort) e.Id,
 Keywords = e.Keywords.HasValue ? (ulong) e.Keywords.Value : (ulong) 0,
 Opcode = e.Opcode.HasValue ? (byte) e.Opcode.Value : (byte) 0,
- ProcessId = (uint) e.ProcessId.Value,
+ ProcessId = e.ProcessId.HasValue ? (uint) e.ProcessId.Value : 0,
 ProviderId = e.ProviderId.HasValue ? e.ProviderId.Value : Guid.Empty,
 RelatedActivityId = e.RelatedActivityId.HasValue ? e.RelatedActivityId.Value : Guid.Empty,
 Task = e.Task.HasValue ? (ushort) e.Task.Value : (ushort) 0,
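Review bot: The new `case ".evtx": break;` in TypeCache.cs accepts the file and then does nothing, with no comment saying why an .evtx file contributes no types at this point, so a reader cannot tell a deliberate skip from an unfinished branch. Add a one-line comment inside the case, for example `// .evtx needs no generated types here; accepted so the default branch does not throw` (wording to be confirmed by the author, since the reason is not visible in the hunk). The enclosing switch and method start outside the hunk.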
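Review bot: In EvtxManifestTypeMap.cs every record without a provider GUID now gets the key (`Guid.Empty`, EventId, version 0), so events from different providers that share an EventId fall into the same partition and may be matched to the wrong type. The trailing comment already suspects that such records identify the provider by name; if that is the case, the fallback should keep them apart (for instance via the record's provider name, if the key can carry it) or leave them out of manifest typing. At minimum replace the open question with a statement of the behaviour, e.g. `// no provider GUID in the record: falls back to Guid.Empty, keys may collide`. The null checks read more simply as `ProviderId = evt.ProviderId ?? Guid.Empty,` and `Version = evt.Version ?? (byte) 0`. The enclosing method starts outside the hunk.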
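Review bot: In EvtxTypeMap.cs a missing ProcessId now becomes 0, which is also a real process id on Windows (the idle process), so queries that correlate events by process cannot tell "not recorded" from PID 0. A comment on the line such as `// 0 = ProcessId absent in the record` would document the sentinel for anyone analysing exported logs. For consistency with the neighbouring lines the default could be written `(uint) 0`. Any other field still read through `.Value` outside the hunk would need the same guard; the initializer starts and ends outside the hunk.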