Struct ferrisetw::EventRecord
#[repr(transparent)]
pub struct EventRecord(_);
A read-only wrapper over an EVENT_RECORD
Implementations
impl EventRecord
pub fn provider_id(&self) -> GUID
The ProviderId field from the wrapped EVENT_RECORD
pub fn event_flags(&self) -> u16
The Flags field from the wrapped EVENT_RECORD
pub fn process_id(&self) -> u32
The ProcessId field from the wrapped EVENT_RECORD
pub fn activity_id(&self) -> GUID
The ActivityId field from the wrapped EVENT_RECORD
pub fn raw_timestamp(&self) -> i64
The TimeStamp field from the wrapped EVENT_RECORD
As per Microsoft’s documentation:
Contains the time that the event occurred. The resolution is system time unless the ProcessTraceMode member of EVENT_TRACE_LOGFILE contains the PROCESS_TRACE_MODE_RAW_TIMESTAMP flag, in which case the resolution depends on the value of the Wnode.ClientContext member of EVENT_TRACE_PROPERTIES at the time the controller created the session.
Note: the time_rs Cargo feature makes it possible to convert this into strongly-typed values.
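An added example (not part of ferrisetw or its documentation) of interpreting the i64 returned by raw_timestamp() without the time_rs feature, for log correlation. It assumes the default case described above, where the value is system time, i.e. a FILETIME count of 100 ns ticks since 1601-01-01 UTC; the helper names are hypothetical and the sample value is constructed.

```rust
// Added example: decode a system-time raw timestamp (FILETIME ticks).
// Assumption: PROCESS_TRACE_MODE_RAW_TIMESTAMP was NOT set for the trace.
const FILETIME_UNIX_OFFSET: i64 = 116_444_736_000_000_000; // 1601 -> 1970, in ticks
const TICKS_PER_SEC: i64 = 10_000_000; // one tick = 100 ns

/// Splits a FILETIME value into (Unix seconds, nanoseconds).
/// Negative input is not a valid FILETIME and yields None.
pub fn filetime_to_unix(raw: i64) -> Option<(i64, u32)> {
    if raw < 0 {
        return None;
    }
    let ticks = raw - FILETIME_UNIX_OFFSET; // negative for dates before 1970
    let secs = ticks.div_euclid(TICKS_PER_SEC);
    let nanos = (ticks.rem_euclid(TICKS_PER_SEC) * 100) as u32;
    Some((secs, nanos))
}

/// Days since 1970-01-01 -> (year, month, day), proleptic Gregorian calendar.
fn civil_from_days(days: i64) -> (i64, u32, u32) {
    let z = days + 719_468; // shift epoch to 0000-03-01
    let era = z.div_euclid(146_097); // 400-year cycles
    let doe = z.rem_euclid(146_097);
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153; // month index, March = 0
    let day = (doy - (153 * mp + 2) / 5 + 1) as u32;
    let month = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
    let year = yoe + era * 400 + if month <= 2 { 1 } else { 0 };
    (year, month, day)
}

/// Formats a system-time raw timestamp as RFC 3339 UTC, keeping 100 ns precision.
pub fn format_filetime_utc(raw: i64) -> Option<String> {
    let (secs, nanos) = filetime_to_unix(raw)?;
    let (y, m, d) = civil_from_days(secs.div_euclid(86_400));
    let sod = secs.rem_euclid(86_400); // second of day
    Some(format!(
        "{:04}-{:02}-{:02}T{:02}:{:02}:{:02}.{:07}Z",
        y, m, d, sod / 3600, sod % 3600 / 60, sod % 60, nanos / 100
    ))
}

fn main() {
    // Constructed sample value, not taken from a real trace.
    let raw: i64 = 133_444_736_001_234_567;
    println!("{:?}", format_filetime_utc(raw));
}
```

If the session was opened with PROCESS_TRACE_MODE_RAW_TIMESTAMP, the value is in the session's clock units instead and this conversion does not apply.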
pub fn extended_data(&self) -> &[EventHeaderExtendedDataItem]
Returns the ExtendedData from the ETW Event.
The availability of these items is mostly determined by the flags passed to Provider::trace_flags.
Example
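    use ferrisetw::EventRecord;
    use ferrisetw::schema_locator::SchemaLocator;
    use windows::Win32::System::Diagnostics::Etw::EVENT_HEADER_EXT_TYPE_RELATED_ACTIVITYID;

    let my_callback = |record: &EventRecord, schema_locator: &SchemaLocator| {
        let schema = schema_locator.event_schema(record).unwrap();
        // Pick the related-activity-ID item out of the extended data, if the
        // event carries one, and convert it to its typed representation.
        let activity_id = record
            .extended_data()
            .iter()
            .find(|edata| edata.data_type() as u32 == EVENT_HEADER_EXT_TYPE_RELATED_ACTIVITYID)
            .map(|edata| edata.to_extended_data_item());
    };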