This project has moved and is read-only. For the latest updates, please go here.

Problem getting payload from ETW event

Dec 11, 2012 at 5:33 PM


I need some guidance on getting the args from an event written using EventSource.WriteEvent(int eventId, params object[] args)


On the consumer side (this is in real-time) I'm getting the TraceEvent object from the ETWTraceEventSource.EveryEvent event, but this object doesn't seem to have the params array that was passed as the arguments. I've tried calling PayloadString(0) or PayloadValue(0) but no luck - returns null.

Any help would be much appreciated. Thanks!


Dec 12, 2012 at 3:46 PM

First, confirm that everything is OK with your generation of events by looking at the events in PerfView's Events view as described in this blog entry

Because there are a potentially unbounded number of events that need to be parsed, an important design point for the TraceEvent library is that the TraceEventSource does NOT know how to parse event payloads.  Instead you have to attach one or more parsers to it.  Each parser knows how to parse particular events that that parser knows about.    In the case of EventSources, the 'DynamicTraceEventParser' knows how to decode EventSource data.   You do this by doing

            var source = new EtwTraceEventSource("myETLFile");
	   var parser = new DynamicTraceEventParser(source)
	   parser.All += delegate(TraceEvent data) { Console.WriteLine(data); }

If you use the TraceLog class, has built in knowledge of many common parsers, including the Kernel, CLR and Dynamic (EventSource) parsers.   Thus if you use that class to open ETL files, it will 'just work'.  

The PerfMonitor project has examples of doing things like this (see the 'Listen' command).  

Dec 18, 2012 at 4:52 PM

Thanks, very helpful.