Struct EventQuery 

pub struct EventQuery { /* private fields */ }

Query result stream for batch iteration with reusable buffers.

Implementations

impl EventQuery

pub fn set_batch_timeout(&mut self, timeout: Duration)

Set timeout used by EvtNext for each batch retrieval call.

pub fn with_event_data(self) -> Self

Enable EventData extraction (opt-in).

When enabled, events will have their data field populated with EventData key-value pairs. Common field names (e.g., “TargetUserName”, “ProcessId”) are automatically interned as Cow::Borrowed(&'static str) for zero-copy access.

pub fn with_message(self) -> Self

Enable message formatting via EvtFormatMessage (opt-in).

When enabled, events will have their formatted_message field populated with the human-readable event message. Publisher metadata is cached for performance.

pub fn set_render_format(&mut self, format: RenderFormat)

Set the rendering format for events (default: Values).

pub fn next_batch(&mut self, out_events: &mut Vec<Event>) -> Result<usize>

Fetch next batch of events into output buffer.

Returns the count of events added to the buffer. When no more events are available, returns 0.

pub fn next_batch_or_cancel( &mut self, out_events: &mut Vec<Event>, cancel: &Wait, ) -> Result<usize>

Fetch the next batch unless a cancel wait object is already signaled.

Returns 0 when cancellation is requested.

pub fn next_batch_with_filter<F>( &mut self, out_events: &mut Vec<Event>, filter: F, ) -> Result<usize>

where F: Fn(&Event) -> bool,

Fetch next batch with filtering applied during enumeration.

The filter function is called for each parsed event; only events where the filter returns true are included.

pub fn next_batch_raw_with_filter<T, F, P>( &mut self, out_events: &mut Vec<T>, converter: F, filter: P, ) -> Result<usize>

where F: FnMut(EVT_HANDLE) -> Result<T>, P: Fn(&T) -> bool,

Process events with a custom converter and filter for each raw event handle.

This allows custom event parsing without allocating the intermediate Event struct. The converter receives the raw EVT_HANDLE and returns a custom type T. The filter is applied after successful conversion.

Example

use windows_erg::evt::{EventLog, types::{extract_event_id, extract_provider}};

#[derive(Debug)]
struct LightweightEvent {
    id: u32,
    provider: String,
}

let log = EventLog::open("Security")?;
let mut query = log.query_stream("*[System[EventID=4624]]")?;
let mut events = Vec::new();

query.next_batch_raw_with_filter(
    &mut events,
    |handle| {
        Ok(LightweightEvent {
            id: extract_event_id(handle)?,
            provider: extract_provider(handle)?,
        })
    },
    |event| event.id == 4624,
)?;

pub fn next_batch_with_results( &mut self, out_events: &mut Vec<Result<Event, CorruptedEvent>>, ) -> Result<usize>

Fetch next batch with explicit corruption handling.

Returns both successfully parsed events (Ok) and corrupted events (Err) in a single vector, preserving event order.

Example

use windows_erg::evt::EventLog;

let log = EventLog::open("System")?;
let mut query = log.query_stream("*")?;
let mut batch = Vec::new();

while query.next_batch_with_results(&mut batch)? > 0 {
    for result in &batch {
        match result {
            Ok(event) => println!("Event: {}", event.id),
            Err(corrupted) => println!("Corrupted: {}", corrupted.reason),
        }
    }
}

Trait Implementations

impl Drop for EventQuery

fn drop(&mut self)

Executes the destructor for this type.