2.2.16 Query

The query type specifies an XML document used to select events in the event log by using well-formed XML (as specified in [XML10]) and is defined by the following XSD (as specified in [XMLSCHEMA2/2]).

 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema
   targetNamespace="http://schemas.microsoft.com/win/2004/08/events/eventquery"
   elementFormDefault="qualified"
   xmlns="http://schemas.microsoft.com/win/2004/08/events/eventquery"
   xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <xs:complexType name="QueryType">
     <xs:choice maxOccurs="unbounded">
       <xs:element name="Select">
         <xs:complexType mixed="true">
           <xs:attribute name="Path" type="xs:anyURI" use="optional"/>
         </xs:complexType>
       </xs:element>
       <xs:element name="Suppress">
         <xs:complexType mixed="true">
           <xs:attribute name="Path" type="xs:anyURI" use="optional"/>
         </xs:complexType>
       </xs:element>
     </xs:choice>
     <xs:attribute name="Id" type="xs:long" use="optional"/>
     <xs:attribute name="Path" type="xs:anyURI" use="optional"/>
     <xs:attribute name="Target" type="xs:string" use="optional"/>
   </xs:complexType>
   <xs:complexType name="QueryListType">
     <xs:sequence maxOccurs="unbounded">
       <xs:element name="Query" type="QueryType"/>
     </xs:sequence>
   </xs:complexType>
   <xs:element name="QueryList" type="QueryListType"/>
 </xs:schema>

Elements

Description

QueryList

Lists the query elements. The event query result set contains events matched by any of the query elements.

Query

Defines a set of selectors and suppressors. Query elements are referred to as subqueries.

Select

Defines an event filter for events included in the result set (unless rejected by a suppressor in the same query element), as specified in section 2.2.15.

Suppress

Defines an event filter for events omitted from the result set (even if the same events were selected by a selector in the same query element), as specified in section 2.2.15.

Attributes

Description

ID

Defines the ID of a subquery so that a consumer can determine what subquery out of many caused the record to be included in a result set. Multiple subqueries using the same IDs are not distinguished in the result set. For information on subquery IDs, see section 2.2.17.

Path

Specifies either the name of a channel or a path to a backup event log for query elements, selectors, and suppressors. A path specified for the query element applies to the selectors and suppressors it contains that do not specify a path of their own.

If a path begins with file://, it MUST be interpreted as a Uniform Resource Identifier (URI) path to a backup event log file, as specified in [RFC3986], that uses file as a scheme; for example, file://c:/dir1/dir2/file.evt. Otherwise, a path MUST be interpreted as a channel name.

Target

Specifies whether the query element applies only to events from a container host, only to events from containers hosted on the current computer, or both. The target applies only to live event logs.<6>

If the target is “Container”, then the subquery will match only events from Microsoft Windows containers running on the machine that have been configured to forward their events to the container host.

If the target is “Host”, then the subquery will not match any events from Windows containers.

If the target is “Both”, then the subquery will match events from either the host OS or Windows containers.

If not specified or if the target is an unrecognized value, the target will be “Host”.
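
The following Python sketch is an added example, not part of the specification. It resolves, for each selector and suppressor in a query document, the effective Path (its own, else the one inherited from the enclosing query element), whether that path names a channel or a backup event log file, and the effective Target. The sample query, the function names, the exact-case comparison of the file:// prefix and of Target values, and the "unspecified" result when no Path is present anywhere are assumptions of the example.

```python
import xml.etree.ElementTree as ET

TARGETS = {"Host", "Container", "Both"}  # exact-case match is an assumption

# Constructed sample query (not taken from the specification).
SAMPLE = """<QueryList>
  <Query Id="1" Path="Security" Target="Both">
    <Select>*[System[(EventID=4624)]]</Select>
    <Suppress Path="Application">*[System[(Level=4)]]</Suppress>
  </Query>
  <Query Id="2" Target="Cluster">
    <Select Path="file://c:/dir1/dir2/file.evt">*</Select>
  </Query>
</QueryList>"""


def local(tag):
    """Drop a '{namespace}' prefix so qualified and bare names both match."""
    return tag.rsplit("}", 1)[-1]


def classify(path):
    """A file:// prefix means a backup log URI; anything else is a channel."""
    if path is None:
        return "unspecified"  # assumption: the page does not define this case
    return "backup-log-file" if path.startswith("file://") else "channel"


def resolve(query_xml):
    """Return one dict per Select/Suppress with effective Path and Target."""
    root = ET.fromstring(query_xml)
    if local(root.tag) != "QueryList":
        raise ValueError("root element must be QueryList")
    rows = []
    for query in root:
        if local(query.tag) != "Query":
            raise ValueError("QueryList may contain only Query elements")
        target = query.get("Target")
        target = target if target in TARGETS else "Host"  # missing/unknown
        for flt in query:
            kind = local(flt.tag)
            if kind not in ("Select", "Suppress"):
                raise ValueError("unexpected element: " + kind)
            path = flt.get("Path", query.get("Path"))  # own Path, else inherit
            rows.append({"id": query.get("Id"), "kind": kind, "path": path,
                         "path_type": classify(path), "target": target,
                         "filter": (flt.text or "").strip()})
    return rows
```

Running resolve(SAMPLE) shows the second subquery falling back to "Host" because "Cluster" is not a recognized target, and the Suppress element in the first subquery overriding the inherited "Security" path with its own.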