2.2.16 Query

The query type specifies an XML document used to select events in the event log by using well-formed XML (as specified in [XML10]) and is defined by the following XSD (as specified in [XMLSCHEMA1.1/2:2008]).

 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema targetNamespace=
   "http://schemas.microsoft.com/win/2004/08/events/eventquery"
 elementFormDefault="qualified" 
 xmlns="http://schemas.microsoft.com/win/2004/08/events/eventquery"
 xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <xs:complexType name="QueryType">
     <xs:choice maxOccurs="unbounded">
       <xs:element name="Select">
         <xs:complexType mixed="true">
           <xs:attribute name="Path" type="xs:anyURI" 
            use="optional"/>
         </xs:complexType>
       </xs:element>
       <xs:element name="Suppress">
         <xs:complexType mixed="true">
           <xs:attribute name="Path" type="xs:anyURI" 
             use="optional"/>
         </xs:complexType>
       </xs:element>
     </xs:choice>
     <xs:attribute name="Id" type="xs:long" use="optional"/>
     <xs:attribute name="Path" type="xs:anyURI" use="optional"/>
   </xs:complexType>
   <xs:complexType name="QueryListType">
     <xs:sequence maxOccurs="unbounded">
       <xs:element name="Query" type="QueryType"/>
     </xs:sequence>
   </xs:complexType>
   <xs:element name="QueryList" type="QueryListType"/>
 </xs:schema>
           

| Elements | Description |
|---|---|
| QueryList | Lists the query elements. The event query result set contains events matched by any of the query elements. |
| Query | Defines a set of selectors and suppressors. Query elements are referred to as subqueries. |
| Select | Defines an event filter for events included in the result set (unless rejected by a suppressor in the same query element), as specified in section 2.2.15. |
| Suppress | Defines an event filter for events omitted from the result set (even if the same events were selected by a selector in the same query element), as specified in section 2.2.15. |

| Attributes | Description |
|---|---|
| ID | Defines the ID of a subquery so that a consumer can determine what subquery out of many caused the record to be included in a result set. Multiple subqueries using the same IDs are not distinguished in the result set. For information on subquery IDs, see section 2.2.17. |
| Path | Specifies either the name of a channel or a path to a backup event log for query elements, selectors, and suppressors. A path specified for the query element applies to the selectors and suppressors it contains that do not specify a path of their own. If a path begins with file://, it MUST be interpreted as a Uniform Resource Identifier (URI) path to a backup event log file, as specified in [RFC3986], that uses file as a scheme; for example, file://c:/dir1/dir2/file.evt. Otherwise, a path MUST be interpreted as a channel name. |
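The Path inheritance, file:// and subquery ID rules above, as an added example that is not part of the specification: a Python routine that lists every selector and suppressor in a QueryList with its effective Path, which is useful when reviewing a collection or subscription query to see which log each filter actually reads and which Suppress filters narrow it. The function names (`local`, `classify`, `resolve`), the sample query, and the choice to flag a filter with no Path at any level are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample query; channel names and filter text are illustrative only.
SAMPLE = """\
<QueryList>
  <Query Id="1" Path="Security">
    <Select>*[System[(EventID=4624)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name='LogonType']='3']]</Suppress>
    <Select Path="file://c:/dir1/dir2/file.evt">*</Select>
  </Query>
  <Query Id="1">
    <Select Path="Application">*</Select>
    <Select>*</Select>
  </Query>
</QueryList>
"""

def local(tag):
    """Drop a '{namespace}' prefix so qualified and unqualified documents both work."""
    return tag.rsplit("}", 1)[-1]

def classify(path):
    """A path starting with file:// is a backup log URI; anything else is a channel name."""
    return "file" if path.startswith("file://") else "channel"

def resolve(xml_text):
    """Return (filters, problems): one dict per Select/Suppress with its effective Path."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "QueryList":
        raise ValueError("root element must be QueryList")
    filters, problems, seen_ids = [], [], set()
    for query in (q for q in root if local(q.tag) == "Query"):
        qid, qpath = query.get("Id"), query.get("Path")  # spelled "Id" in the XSD
        if qid is not None and qid in seen_ids:
            problems.append(f"Id {qid} reused: subqueries not distinguished in results")
        seen_ids.add(qid)
        for child in query:
            kind = local(child.tag)
            if kind not in ("Select", "Suppress"):
                problems.append(f"unexpected element {kind} in Query Id={qid}")
                continue
            path = child.get("Path") or qpath  # the filter's own Path wins over the Query's
            if path is None:  # assumption: the page does not define this case, so flag it
                problems.append(f"{kind} in Query Id={qid} has no effective Path")
                continue
            filters.append({"id": qid, "kind": kind, "path": path,
                            "target": classify(path), "filter": (child.text or "").strip()})
    return filters, problems
```

The filter text is carried through unevaluated; its syntax is the subject of section 2.2.15.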
