2.2.16 Query

The query type specifies an XML document used to select events in the event log by using well-formed XML (as specified in [XML10]) and is defined by the following XSD (as specified in [XMLSCHEMA1.1/2:2008]).

 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema targetNamespace=
   <xs:complexType name="QueryType">
     <xs:choice maxOccurs="unbounded">
       <xs:element name="Select">
         <xs:complexType mixed="true">
           <xs:attribute name="Path" type="xs:anyURI" 
       <xs:element name="Suppress">
         <xs:complexType mixed="true">
           <xs:attribute name="Path" type="xs:anyURI" 
     <xs:attribute name="Id" type="xs:long" use="optional"/>
     <xs:attribute name="Path" type="xs:anyURI" use="optional"/>
   <xs:complexType name="QueryListType">
     <xs:sequence maxOccurs="unbounded">
       <xs:element name="Query" type="QueryType"/>
   <xs:element name="QueryList" type="QueryListType"/>




Elements:

QueryList: Lists the query elements. The event query result set contains events matched by any of the query elements.

Query: Defines a set of selectors and suppressors. Query elements are referred to as subqueries.

Select: Defines an event filter for events included in the result set (unless rejected by a suppressor in the same query element), as specified in section 2.2.15.

Suppress: Defines an event filter for events omitted from the result set (even if the same events were selected by a selector in the same query element), as specified in section 2.2.15.

Attributes:

Id: Defines the ID of a subquery so that a consumer can determine which subquery out of many caused the record to be included in a result set. Multiple subqueries using the same ID are not distinguished in the result set. For information on subquery IDs, see section 2.2.17.

Path: Specifies either the name of a channel or a path to a backup event log for query elements, selectors, and suppressors. A path specified for the query element applies to the selectors and suppressors it contains that do not specify a path of their own.

If a path begins with file://, it MUST be interpreted as a Uniform Resource Identifier (URI) path to a backup event log file, as specified in [RFC3986], that uses file as a scheme; for example, file://c:/dir1/dir2/file.evt. Otherwise, a path MUST be interpreted as a channel name.
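
The following added example, which is not part of the specification, resolves the effective Path of every selector and suppressor in a query and classifies it as a channel name or a backup log file using the file:// rule above. The sample query, the function names, and the "unresolved" label for a filter with no path at either level are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample query; channel names and filters are illustrative only.
SAMPLE = """<QueryList>
  <Query Id="1" Path="Security">
    <Select>*[System[(EventID=4624)]]</Select>
    <Suppress>*[EventData[Data[@Name='LogonType']='5']]</Suppress>
    <Select Path="file://c:/dir1/dir2/file.evt">*</Select>
  </Query>
  <Query Id="2">
    <Select Path="System">*[System[(Level=2)]]</Select>
  </Query>
</QueryList>"""


def local_name(tag):
    """Strip an optional '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def classify_path(path):
    """Apply the rule above: a 'file://' prefix means a backup log file URI,
    anything else is a channel name. 'unresolved' (no path at either level)
    is this example's own label, not a term from the specification."""
    if path is None:
        return "unresolved"
    return "backup-log-file" if path.startswith("file://") else "channel"


def resolve_query(query_xml):
    """Return (subquery Id, Select|Suppress, effective path, path type, filter)
    for every selector and suppressor, inheriting Path from the Query."""
    # Parse only trusted input here; use a hardened parser for untrusted XML.
    root = ET.fromstring(query_xml)
    if local_name(root.tag) != "QueryList":
        raise ValueError("root element must be QueryList")
    rows = []
    for query in root:
        if local_name(query.tag) != "Query":
            raise ValueError("unexpected element: " + query.tag)
        qid = query.get("Id")
        qid = int(qid) if qid is not None else None
        for flt in query:
            kind = local_name(flt.tag)
            if kind not in ("Select", "Suppress"):
                raise ValueError("unexpected element: " + flt.tag)
            path = flt.get("Path", query.get("Path"))  # own Path wins
            rows.append((qid, kind, path, classify_path(path),
                         (flt.text or "").strip()))
    return rows
```

Reviewing the resolved rows before a query is deployed shows which log source each filter reads, including any selector that reads a backup log file instead of a live channel.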