private static void SetupContext()
{
_playback = new Playback();
_playback.AddEtlFiles(ConfigurationConstants.HttpServerTrace);
_all = _playback.GetObservable<Parse>();
_result = new RequestResult<List<Parse>> { Data = new List<Parse>() };
}
internal static Playback GetCurrentEtlScope(IEnumerable<string> etlfiles, bool isRealtime)
{
try
{
if ((etlfiles == null || etlfiles.Count() == 0))
{
return null;
}
Playback scope = new Playback();
foreach (var file in etlfiles)
{
if (isRealtime)
{
scope.AddRealTimeSession(file);
}
else
{
scope.AddEtlFiles(file);
}
}
return scope;
}
catch (Exception)
{
throw new Exception("Please try loading the ETL files since the Playback cannot be created.");
}
}
static void Main(string[] args)
{
_listener.Prefixes.Add("http://" + Environment.MachineName + ":9000/");
_listener.Start();
Console.WriteLine("Listening ...");
while (true)
{
HttpListenerContext context = _listener.GetContext();
_request = context.Request;
HttpListenerResponse response = context.Response;
_sb = new StringBuilder("<HTML>\n<HEAD>\n<TITLE>");
_sb.Append("Trace 2 Html");
_sb.Append("</TITLE>\n</HEAD>\n<BODY>\n");
_sb.Append("<pre style=\"font-family:Consolas; font-size: 10pt; width: 5000px;\">");
_playback = new Playback();
_playback.AddEtlFiles(LocalTrace);
_all = _playback.GetObservable<TracedEvent>();
if (_request.QueryString["process"] != null)
{
_processFilter = _request.QueryString["process"];
_all = _all.Where(e => e.Message.StartsWith(_processFilter));
}
else
{
_processFilter = null;
}
if (_request.QueryString["after"] != null)
{
var after = int.Parse(_request.QueryString.Get("after"));
AllHistory(after);
}
else if (_request.QueryString["afterReceive"] != null)
{
string messageId = _request.QueryString.Get("afterReceive");
AfterReceive(messageId);
}
else if (_request.QueryString["beforeSend"] != null)
{
string messageId = _request.QueryString.Get("beforeSend");
BeforeSend(messageId);
}
else
{
AllHistory(0);
}
_sb.Append("</BODY></HTML>");
byte[] buffer = Encoding.UTF8.GetBytes(_sb.ToString());
response.ContentLength64 = buffer.Length;
response.OutputStream.Write(buffer, 0, buffer.Length);
response.OutputStream.Close();
_playback.Dispose();
}
}
private static void SetupContext()
{
_playback = new Playback();
_playback.AddEtlFiles(ConfigurationConstants.HttpServerTrace);
_all = _playback.GetObservable <Parse>();
_result = new RequestResult <List <Parse> > {
Data = new List <Parse>()
};
}
public void PlayOne()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
int count = 0;
p.GetObservable<Parse>().Subscribe(e => { count++; });
p.Run();
Assert.AreEqual(291, count);
}
public IObservable <EtwNativeEvent> GetRawEventsForTimeWindow()
{
Playback scope = new Playback();
foreach (var item in this.files)
{
scope.AddEtlFiles(item);
}
return(EtwObservable.FromFiles(this.files.ToArray()));
}
static void Main()
{
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
IObservable <Deliver> startEvents = playback.GetObservable <Deliver>();
IObservable <FastResp> endEvents = playback.GetObservable <FastResp>();
var requests = from start in startEvents
from end in endEvents
.Where(e => start.Header.ActivityId == e.Header.ActivityId)
.Take(TimeSpan.FromSeconds(1), playback.Scheduler) // <-- Playback virtual time!
.Take(1)
select new
{
start.Url,
end.StatusCode,
Duration = end.Header.Timestamp - start.Header.Timestamp
};
var statistics = from window in requests.Window(TimeSpan.FromSeconds(5), playback.Scheduler)
from stats in
( // calculate statistics within one window
from request in window
group request by new
{
Milliseconds = Math.Ceiling(request.Duration.TotalMilliseconds * 10) / 10,
request.Url
} into g
from Count in g.Count()
select new
{
g.Key.Url,
g.Key.Milliseconds,
Count
})
.ToList()
select stats;
IDisposable d = statistics.Subscribe(b =>
{
Console.WriteLine("--------------------------");
foreach (var s in b.OrderBy(s => s.Milliseconds)) // <-- LINQ to Objects!
{
Console.WriteLine(s);
}
});
playback.Run();
Console.ReadLine();
d.Dispose();
}
public void PlayRoot()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
int count = 0;
p.GetObservable<SystemEvent>().Subscribe(e => { count++; });
p.Run();
Assert.AreEqual(2041, count);
}
static void Main()
{
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
IObservable<Deliver> startEvents = playback.GetObservable<Deliver>();
IObservable<FastResp> endEvents = playback.GetObservable<FastResp>();
var requests = from start in startEvents
from end in endEvents
.Where(e => start.Header.ActivityId == e.Header.ActivityId)
.Take(TimeSpan.FromSeconds(1), playback.Scheduler) // <-- Playback virtual time!
.Take(1)
select new
{
start.Url,
end.StatusCode,
Duration = end.Header.Timestamp - start.Header.Timestamp
};
var statistics = from window in requests.Window(TimeSpan.FromSeconds(5), playback.Scheduler)
from stats in
( // calculate statistics within one window
from request in window
group request by new
{
Milliseconds = Math.Ceiling(request.Duration.TotalMilliseconds * 10) / 10,
request.Url
} into g
from Count in g.Count()
select new
{
g.Key.Url,
g.Key.Milliseconds,
Count
})
.ToList()
select stats;
IDisposable d = statistics.Subscribe(b =>
{
Console.WriteLine("--------------------------");
foreach (var s in b.OrderBy(s => s.Milliseconds)) // <-- LINQ to Objects!
{
Console.WriteLine(s);
}
});
playback.Run();
Console.ReadLine();
d.Dispose();
}
static void Main()
{
Playback playback = new Playback();
playback.AddEtlFiles(@"..\..\..\HTTP_Server.etl");
playback.AddLogFiles(@"..\..\..\HTTP_Server.evtx");
IObservable<SystemEvent> all = playback.GetObservable<SystemEvent>();
all.Count().Subscribe(Console.WriteLine);
playback.Run();
}
public void PlayRoot()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
int count = 0;
p.GetObservable <SystemEvent>().Subscribe(e => { count++; });
p.Run();
Assert.AreEqual(2041, count);
}
static void VirtualTime()
{
// This sample illustrates the concept of Virtual Time, constructed as per timestamps of the events in the file
Console.WriteLine("----- VirtualTime -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.GetObservable<Parse>().Subscribe(p => Console.WriteLine("{0} {1}",
playback.Scheduler.Now.DateTime, p.Url));
playback.Run();
}
public void PlayOne()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
int count = 0;
p.GetObservable <Parse>().Subscribe(e => { count++; });
p.Run();
Assert.AreEqual(291, count);
}
static void Format2()
{
// This sample shows how to subscribe to format just two event types of events
Console.WriteLine("----- Format2 -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.GetObservable <Parse>().Subscribe(Console.WriteLine); // Implicit ToString()
playback.GetObservable <FastSend>().Subscribe(Console.WriteLine); // Implicit ToString()
playback.Run();
}
public void HTTP_SinglePass()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var begin = pb.GetObservable <Parse>();
var end = pb.GetObservable <FastSend>();
var requests = from b in begin
from e in end.Where(e => e.Header.ActivityId == b.Header.ActivityId).Take(1)
select new
{
b.Header.ActivityId,
b.Url,
e.HttpStatus,
Duration = e.Header.Timestamp - b.Header.Timestamp
};
var statistics = from r in requests
group r by new
{
Milliseconds = Math.Ceiling(r.Duration.TotalMilliseconds * 10) / 10,
Url = r.Url
} into groups
from c in groups.Count()
select new
{
groups.Key.Url,
groups.Key.Milliseconds,
Count = c
};
var slow = from r in requests
where r.Duration.TotalMilliseconds > 0.5
select r;
var slowList = new List <object>();
slow.Subscribe(s => slowList.Add(s));
var statisticsList = new List <object>();
statistics.Subscribe(s => statisticsList.Add(s));
pb.Run();
Assert.AreEqual(7, statisticsList.Count());
Assert.AreEqual(2, slowList.Count());
}
public void PlayRootAndKnownType()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
int count = 0;
p.GetObservable<SystemEvent>().Subscribe(e => { count++; });
int parseCount = 0;
p.GetObservable<Deliver>().Subscribe(e => { parseCount++; });
p.Run();
Assert.AreEqual(2041, count);
Assert.AreEqual(291, parseCount);
}
static void VirtualTime()
{
// This sample illustrates the concept of Virtual Time, constructed as per timestamps of the events in the file
Console.WriteLine("----- VirtualTime -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.GetObservable <Parse>().Subscribe(p => Console.WriteLine("{0} {1}",
playback.Scheduler.Now.DateTime, p.Url));
playback.Run();
}
public void PlayTwo()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
int parseCount = 0;
int fastSendCount = 0;
p.GetObservable<Deliver>().Subscribe(e => { parseCount++; });
p.GetObservable<FastResp>().Subscribe(e => { fastSendCount++; });
p.Run();
Assert.AreEqual(291, parseCount);
Assert.AreEqual(289, fastSendCount);
}
public void PlayTwoBothEtlAndEvtx()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
p.AddLogFiles(EvtxFileName);
int parseCount = 0;
int fastSendCount = 0;
p.GetObservable<Deliver>().Subscribe(e => { parseCount++; });
p.GetObservable<FastResp>().Subscribe(e => { fastSendCount++; });
p.Run();
Assert.AreEqual(581, parseCount); // there seems to be one event that was lost in the etl->evt conversion...
Assert.AreEqual(579, fastSendCount); // and one more event here...
}
static void CountAll()
{
// Subscribing to SystemEvent means "all ETW events"
Console.WriteLine("----- CountAll -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
var all = playback.GetObservable <SystemEvent>();
all.Count().Subscribe(Console.WriteLine);
playback.Run();
}
public void HTTP_Parse_Format()
{
string msg = "";
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var parsed = pb.GetObservable <Parse>().Take(1);
parsed.Subscribe(p => msg = p.ToString());
pb.Run();
Assert.AreEqual(msg, "Parsed request (request pointer 18446738026454074672, method 4) with URI http://georgis2:80/windir.txt");
}
static void Main()
{
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.AddLogFiles(@"HTTP_Server.evtx");
IObservable <SystemEvent> all = playback.GetObservable <SystemEvent>();
using (all.Count().Subscribe(Console.WriteLine))
{
playback.Run();
Console.ReadLine();
}
}
public void PlayTwo()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
int parseCount = 0;
int fastSendCount = 0;
p.GetObservable <Deliver>().Subscribe(e => { parseCount++; });
p.GetObservable <FastResp>().Subscribe(e => { fastSendCount++; });
p.Run();
Assert.AreEqual(291, parseCount);
Assert.AreEqual(289, fastSendCount);
}
static void CountAllTwoFiles()
{
// The file HTTP_Server.evtx is Windows Event Log, obtained by converting HTTP_Server.etl
// It contains the same exact events, so let's count total # of events in the two files
Console.WriteLine("----- CountAllTwoFiles -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.AddLogFiles(@"HTTP_Server.evtx");
var all = playback.GetObservable <SystemEvent>();
all.Count().Subscribe(Console.WriteLine);
playback.Run();
}
static void Count2And12()
{
// This sample shows how to use SystemEvent to obtain the same result as in Count2
// by using SystemEvent instead of generated classes (2 is Parse, 12 is FastSend)
Console.WriteLine("----- Count2And12 -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
var filtered = playback.GetObservable <SystemEvent>()
.Where(e => e.Header.EventId == 2 || e.Header.EventId == 12);
filtered.Count().Subscribe(Console.WriteLine);
playback.Run();
}
public void HTTP_FastSend()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var parsed = from s in pb.GetObservable<FastSend>()
select new
{
s.Header.ActivityId,
s.HttpStatus
};
int count = 0;
parsed.Count().Subscribe(c => count = c);
pb.Run();
Assert.AreEqual(289, count);
}
public void PlayTwoBothEtlAndEvtx()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
p.AddLogFiles(EvtxFileName);
int parseCount = 0;
int fastSendCount = 0;
p.GetObservable <Deliver>().Subscribe(e => { parseCount++; });
p.GetObservable <FastResp>().Subscribe(e => { fastSendCount++; });
p.Run();
Assert.AreEqual(582, parseCount);
Assert.AreEqual(578, fastSendCount);
}
public void HTTP_Parse()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var parsed = from p in pb.GetObservable<Parse>()
select new
{
p.Header.ActivityId,
p.Url
};
int count = 0;
parsed.Count().Subscribe(c => count = c);
pb.Run();
Assert.AreEqual(291, count);
}
public void PlayRootAndKnownType()
{
var p = new Playback();
p.AddEtlFiles(EtlFileName);
int count = 0;
p.GetObservable <SystemEvent>().Subscribe(e => { count++; });
int parseCount = 0;
p.GetObservable <Deliver>().Subscribe(e => { parseCount++; });
p.Run();
Assert.AreEqual(2041 + 291, count);
Assert.AreEqual(291, parseCount);
}
public void HTTP_Parse_Format()
{
string msg = null;
using (var playback = new Playback())
{
playback.AddEtlFiles(EtlFileName);
var parsed = playback.GetObservable <Parse>().Take(1);
using (parsed.Subscribe(p => msg = p.ToString()))
{
playback.Run();
}
}
Assert.AreEqual("Parsed request (request pointer 18446738026454074672, method 4) with URI http://georgis2:80/windir.txt", msg);
}
public void ProcessStopTest()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var stop = from p in pb.GetObservable<ProcessStop>() // this is V1 event
select new
{
p.ProcessID,
p.ImageName
};
int count = 0;
stop.Count().Subscribe(c => count = c);
pb.Run();
Assert.AreEqual(4, count);
}
static void GetObservable()
{
// This sample illustrates parsing single input file and transforming only the events that are of interest
Console.WriteLine("----- GetObservable -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.GetObservable<Parse>().Subscribe(p => Console.WriteLine(p.Url));
playback.Run();
//Here:
// - HTTP_Server.etl is trace from HTTP.sys (the bottom layer of IIS)
// - The type Parse was generated from the ETW manifest description of the first event IIS traces for each request (EventId = 2)
// - Subscribe just wires-up the processing of Parse events, and nothing shows on the console yet.
// Reading the file happens within Run().
}
static void Main()
{
Playback playback = new Playback();
playback.AddEtlFiles(@"..\..\..\HTTP_Server.etl");
playback.AddLogFiles(@"..\..\..\HTTP_Server.evtx");
IObservable<SystemEvent> all = playback.GetObservable<SystemEvent>();
var counts = from window in all.Window(TimeSpan.FromSeconds(5), playback.Scheduler)
from Count in window.Count()
select Count;
var withTime = counts.Timestamp(playback.Scheduler);
withTime.Subscribe(ts => Console.WriteLine("{0} {1}", ts.Timestamp, ts.Value));
playback.Run();
}
static void FormatAll()
{
// This sample shows how to format all events, similar to existing tools like TraceVwr, TraceFmt, etc.
// Formatting means ignoring types and displaying human-readable text in order of occurence
Console.WriteLine("----- Formatting -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.KnownTypes = typeof(Parse).Assembly.GetTypes();
var all = playback.GetObservable <SystemEvent>()
.Select(e => e.ToString());
all.Subscribe(Console.WriteLine);
playback.Run();
}
static void Get2Observables()
{
// This sample shows how to subscribe to two types of events, and process the occurences (=instances) reading the file once
Console.WriteLine("----- Get2Observables -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.GetObservable<Parse>().Subscribe(p => Console.WriteLine("begin {0} {1}", p.Header.ActivityId, p.Url));
playback.GetObservable<FastSend>().Subscribe(fs => Console.WriteLine("end {0} {1}", fs.Header.ActivityId, fs.HttpStatus));
playback.Run();
// Here we first wire-up the two processing pipelines, and then we call Run().
// Reading the file, Playback ignores all other events except Parse (EventId=2) and FastSend (EventId=12).
// These are pushed into the corresponding IObservables in order of occurence.
//
// Typically we see Parse, followed by FastSend with the same ActivityId.
}
internal static QueryExecutionContext CreateFromFiles(IList <string> etlfiles, Action <Type> onStart, Action <object> onNext)
{
Playback playback = new Playback();
foreach (var item in etlfiles)
{
playback.AddEtlFiles(item);
}
Func <Type, object, Action <object> > v = (t, o) =>
{
onStart(t);
return(onNext);
};
QueryExecutionContext context = new QueryExecutionContext(playback, v);
playback.KnownTypes = ManifestCompiler.GetKnowntypesforPlayback();
return(context);
}
static void GetObservable()
{
// This sample illustrates parsing single input file and transforming only the events that are of interest
Console.WriteLine("----- GetObservable -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.GetObservable <Parse>().Subscribe(p => Console.WriteLine(p.Url));
playback.Run();
//Here:
// - HTTP_Server.etl is trace from HTTP.sys (the bottom layer of IIS)
// - The type Parse was generated from the ETW manifest description of the first event IIS traces for each request (EventId = 2)
// - Subscribe just wires-up the processing of Parse events, and nothing shows on the console yet.
// Reading the file happens within Run().
}
public void ProcessStopTest()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var stop = from p in pb.GetObservable <ProcessStop_V1>()
select new
{
p.ProcessID,
p.ImageName
};
int count = 0;
stop.Count().Subscribe(c => count = c);
pb.Run();
Assert.AreEqual(4, count);
}
static void Count5SecWindow()
{
// Counting all events, every 5 sec window in Virtual Time
Console.WriteLine("----- Count5SecWindow -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
var all = playback.GetObservable <SystemEvent>();
var countPerWindow = from window in all.Window(TimeSpan.FromSeconds(5), playback.Scheduler)
from Count in window.Count()
select Count;
countPerWindow.Subscribe(Console.WriteLine);
playback.Run();
}
public void HTTP_Enumerations()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
object type = null, group = null, format = null;
var parsed = pb.GetObservable<LogFileWrite>().Take(1);
parsed.Subscribe(p =>
{
type = p.Type;
group = p.Group;
format = p.Format;
});
pb.Run();
Assert.AreSame(type.GetType(), typeof(HTTP_TEMPLATE_LOGGING_LogType_ValueMap));
Assert.AreSame(group.GetType(), typeof(HTTP_TEMPLATE_LOGGING_LogGroup_ValueMap));
Assert.AreSame(format.GetType(), typeof(HTTP_TEMPLATE_LOGGING_LogFormat_ValueMap));
}
public void HTTP_Parse()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var parsed = from p in pb.GetObservable <Parse>()
select new
{
p.Header.ActivityId,
p.Url
};
int count = 0;
parsed.Count().Subscribe(c => count = c);
pb.Run();
Assert.AreEqual(291, count);
}
public void HTTP_FastSend()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var parsed = from s in pb.GetObservable <FastSend>()
select new
{
s.Header.ActivityId,
s.HttpStatus
};
int count = 0;
parsed.Count().Subscribe(c => count = c);
pb.Run();
Assert.AreEqual(289, count);
}
static void Main()
{
Playback playback = new Playback();
playback.AddEtlFiles(@"..\..\..\HTTP_Server.etl");
IObservable<Deliver> startEvents = playback.GetObservable<Deliver>();
IObservable<FastResp> endEvents = playback.GetObservable<FastResp>();
var requests = from start in startEvents
from end in endEvents.Where(e => start.Header.ActivityId == e.Header.ActivityId).Take(1)
select new
{
start.Url,
end.StatusCode,
Duration = end.Header.Timestamp - start.Header.Timestamp
};
var statistics = (from request in requests
group request by new
{
Milliseconds = Math.Ceiling(request.Duration.TotalMilliseconds * 10) / 10,
request.Url
} into g
from Count in g.Count()
select new
{
g.Key.Url,
g.Key.Milliseconds,
Count
})
.ToList();
statistics.Subscribe(b =>
{
Console.WriteLine("--------------------------");
foreach (var s in b.OrderBy(s=>s.Milliseconds)) // <-- LINQ to Objects!
{
Console.WriteLine(s);
}
});
playback.Run();
}
internal override IObservable <EventRecordProxy> GetObservableEvents()
{
Playback playback = new Playback();
if (this.IsRealtime)
{
playback.AddRealTimeSession(this.files.First());
}
else
{
foreach (var item in this.files)
{
playback.AddEtlFiles(item);
}
}
playback.KnownTypes = ManifestCompiler.GetKnowntypesforPlayback();
return(new EventRecordProxyObserver(playback, this));
}
static void CountAcrossHierarchies()
{
// The method GetAll works across event hierarchies - e.g. the PerfCounterSample events don't inherit from SystemEvent
Console.WriteLine("----- CountAllThreeFiles -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.AddPerfCounterTraces(@"BasicPerfCounters.blg");
var types = new List <Type>(typeof(Parse).Assembly.GetTypes());
types.Add(typeof(PerformanceSample));
var all = playback.GetAll(types.ToArray());
all.Count().Subscribe(Console.WriteLine);
playback.Run();
}
static void Get2Observables()
{
// This sample shows how to subscribe to two types of events, and process the occurences (=instances) reading the file once
Console.WriteLine("----- Get2Observables -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.GetObservable <Parse>().Subscribe(p => Console.WriteLine("begin {0} {1}", p.Header.ActivityId, p.Url));
playback.GetObservable <FastSend>().Subscribe(fs => Console.WriteLine("end {0} {1}", fs.Header.ActivityId, fs.HttpStatus));
playback.Run();
// Here we first wire-up the two processing pipelines, and then we call Run().
// Reading the file, Playback ignores all other events except Parse (EventId=2) and FastSend (EventId=12).
// These are pushed into the corresponding IObservables in order of occurence.
//
// Typically we see Parse, followed by FastSend with the same ActivityId.
}
public void HTTP_Enumerations()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
object type = null, group = null, format = null;
var parsed = pb.GetObservable <LogFileWrite>().Take(1);
parsed.Subscribe(p =>
{
type = p.Type;
group = p.Group;
format = p.Format;
});
pb.Run();
Assert.AreSame(type.GetType(), typeof(HTTP_TEMPLATE_LOGGING_LogType_ValueMap));
Assert.AreSame(group.GetType(), typeof(HTTP_TEMPLATE_LOGGING_LogGroup_ValueMap));
Assert.AreSame(format.GetType(), typeof(HTTP_TEMPLATE_LOGGING_LogFormat_ValueMap));
}
static void Main()
{
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
playback.AddLogFiles(@"HTTP_Server.evtx");
IObservable <SystemEvent> all = playback.GetObservable <SystemEvent>();
var counts = from window in all.Window(TimeSpan.FromSeconds(5), playback.Scheduler)
from Count in window.Count()
select Count;
var withTime = counts.Timestamp(playback.Scheduler);
using (withTime.Subscribe(ts => Console.WriteLine("{0} {1}", ts.Timestamp, ts.Value)))
{
playback.Run();
Console.ReadLine();
}
}
public void JoinStartStopTest()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var start = pb.GetObservable<ProcessStart>(); // this is V0 event
var end = pb.GetObservable<ProcessStop>(); // this is V1 event
var processes = from s in start
from e in end.Where(e=>e.ProcessID == s.ProcessID).Take(1)
select new
{
s.ProcessID,
s.ImageName,
Duration = e.OccurenceTime - s.OccurenceTime
};
int count = 0;
processes.Count().Subscribe(c => count = c);
pb.Run();
Assert.AreEqual(2, count); // looked at the raw data with TraceInsigt...
}
static void Count2()
{
// This sample counts two kinds of events:
Console.WriteLine("----- Count2 -----");
Playback playback = new Playback();
playback.AddEtlFiles(@"HTTP_Server.etl");
int cParse = 0;
int cFastSend = 0;
playback.GetObservable <Parse>().Subscribe(c => cParse++);
playback.GetObservable <FastSend>().Subscribe(c => cFastSend++);
playback.Run();
Console.WriteLine("Parse: {0}, FastSend: {1}, Total: {2}",
cParse, cFastSend, cParse + cFastSend);
// Some questionsare difficult to express as structured queries
// Although possible in specific cases, the expressions are fragile (the user has to list all event types),
}
public void HTTP_AggregateDuration()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var begin = pb.GetObservable<Parse>();
var end = pb.GetObservable<FastSend>();
var requests = from b in begin
from e in end.Where(e => e.Header.ActivityId == b.Header.ActivityId).Take(1)
select new
{
b.Header.ActivityId,
b.Url,
e.HttpStatus,
Duration = e.Header.Timestamp - b.Header.Timestamp
};
var statistics = from r in requests
group r by new
{
Milliseconds = Math.Ceiling(r.Duration.TotalMilliseconds * 10) / 10,
Url = r.Url
} into groups
from c in groups.Count()
select new
{
groups.Key.Url,
groups.Key.Milliseconds,
Count = c
};
var list = new List<object>();
statistics.Subscribe(s => list.Add(s));
pb.Run();
Assert.AreEqual(7, list.Count());
}
static void Main()
{
StartSession();
Playback playback = new Playback();
playback.AddEtlFiles("tcp.etl");
playback.AddRealTimeSession("tcp");
var recv = from req in playback.GetObservable<KNetEvt_RecvIPV4>()
select new
{
Time = req.OccurenceTime,
Size = req.size,
Address = new IPAddress(req.daddr)
};
using (recv.Subscribe(e => Console.WriteLine("{0} : Received {1,5} bytes from {2}", e.Time, e.Size, e.Address)))
{
playback.Start();
Console.ReadLine();
}
}
public void HTTP_WholeRequest()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var begin = pb.GetObservable<Parse>();
var end = pb.GetObservable<FastSend>();
var requests = from b in begin
from e in end.Where(e => e.Header.ActivityId == b.Header.ActivityId).Take(1)
select new
{
b.Header.ActivityId,
b.Url,
e.HttpStatus,
Duration = e.Header.Timestamp - b.Header.Timestamp
};
int count = 0;
requests.Subscribe(r=>count++);
pb.Run();
Assert.AreEqual(289, count);
}
public void EtlEventTypeStatistics()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var statistics = from e in pb.GetObservable<SystemEvent>()
group e by new { e.Header.ProviderId, e.Header.EventId, e.Header.Opcode, e.Header.Version }
into g
from c in g.Count()
select new
{
g.Key.ProviderId,
g.Key.EventId,
g.Key.Version,
Count = c,
};
var list = new List<object>();
statistics.Subscribe(s => list.Add(s));
pb.Run();
Assert.AreEqual(12, list.Count());
}
public void ConcatenateRequest()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var recvReq = from e in pb.GetObservable<RecvReq>()
select new AspRequestInstance
{
RequestId = new Guid(0, 0, 0, BitConverter.GetBytes(e.RequestId)),
RecvReq = e.Header.Timestamp
};
var start = from e in pb.GetObservable<Start>()
select new AspRequestInstance
{
RequestId = e.ContextId,
Start = e.Header.Timestamp
};
var startHandler = from e in pb.GetObservable<StartHandler>()
select new AspRequestInstance
{
RequestId = e.ContextId,
StartHandler = e.Header.Timestamp
};
var httpHandlerEnter = from e in pb.GetObservable<HttpHandlerEnter>()
select new AspRequestInstance
{
RequestId = e.ContextId,
HttpHandlerEnter = e.Header.Timestamp
};
var httpHandlerLeave = from e in pb.GetObservable<HttpHandlerLeave>()
select new AspRequestInstance
{
RequestId = e.ContextId,
HttpHanlerLeave = e.Header.Timestamp
};
var endHandler = from e in pb.GetObservable<EndHandler>()
select new AspRequestInstance
{
RequestId = e.ContextId,
EndHandler = e.Header.Timestamp
};
var end = from e in pb.GetObservable<End>()
select new AspRequestInstance
{
RequestId = e.ContextId,
End = e.Header.Timestamp
};
var sameSchema = recvReq
.Merge(start)
.Merge(startHandler)
.Merge(httpHandlerEnter)
.Merge(httpHandlerLeave)
.Merge(endHandler)
.Merge(end);
var requests = from r in sameSchema
group r by r.RequestId into gs
from i in gs.Scan((v, i) => v.Merge(i)).Where(v => v.IsCompleted).Take(1)
select i;
int counter = 0;
requests.Subscribe(r=>
{
counter++;
});
pb.Run();
Assert.AreEqual(9530, counter);
}
private static void Main(string[] args)
{
if (args.Length < 2)
{
Console.WriteLine(
@"Usage: TxFmt files...
Supported files are
.man : Manifest
.etl : Event Trace Log
.evtx : Event Log");
Environment.Exit(1);
}
try
{
var pb = new Playback();
string asmDir = Path.Combine(Path.GetTempPath(), "TxFmt");
if (Directory.Exists(asmDir))
Directory.Delete(asmDir, true);
Directory.CreateDirectory(asmDir);
foreach (string a in args)
{
string ext = Path.GetExtension(a).ToLower();
switch (ext)
{
case ".etl":
pb.AddEtlFiles(a);
break;
case ".evtx":
pb.AddLogFiles(a);
break;
case ".man":
string manifest = File.ReadAllText(a);
Dictionary<string, string> generated = ManifestParser.Parse(manifest);
string assemblyPath = Path.Combine(asmDir, Path.ChangeExtension(Path.GetFileName(a), ".dll"));
AssemblyBuilder.OutputAssembly(generated, new string[]{}, assemblyPath);
break;
default:
throw new Exception("unknown extension " + ext);
}
}
var knownTypes = new List<Type>();
foreach (string a in Directory.GetFiles(asmDir, "*.dll"))
{
Assembly assembly = Assembly.LoadFrom(a);
knownTypes.AddRange(assembly.GetTypes());
}
pb.KnownTypes = knownTypes.ToArray();
IObservable<SystemEvent> all = pb.GetObservable<SystemEvent>();
all.Subscribe(e=>
{
if (!e.ToString().StartsWith(" DocumentServiceId"))
{
Console.WriteLine("{0} {1}", e.Header.EventId, e.ToString());
};
});
pb.Run();
}
catch (Exception ex)
{
ConsoleColor color = Console.ForegroundColor;
Console.ForegroundColor = ConsoleColor.Red;
Console.Error.WriteLine(ex.Message + "\n\n" + ex.StackTrace);
Console.ForegroundColor = color;
}
}
internal static void Compile(string[] fileNames,
string linqFile,
TextWriter outputStream,
TextWriter errorStream,
Type[] knownTypes = null,
DateTime? startTime = null,
DateTime? endTime = null)
{
StringWriter errorLogger = new StringWriter();
string query = LinqpadHelpers.ExtractQuery(linqFile, errorLogger);
Playback playback = new Playback();
foreach (string file in fileNames)
{
string extension = Path.GetExtension(file);
if (string.Equals(".etl", extension, StringComparison.InvariantCultureIgnoreCase))
{
playback.AddEtlFiles(file);
}
//else if (string.Equals(".csv", extension, StringComparison.InvariantCultureIgnoreCase))
//{
// playback.AddCsvFile(file);
//}
}
Dictionary<string, object> playbackProperties = new Dictionary<string, object>();
if (startTime.HasValue)
{
playbackProperties.Add("StartTime", startTime.Value);
}
if (endTime.HasValue)
{
playbackProperties.Add("EndTime", endTime.Value);
}
playback.KnownTypes = knownTypes;
CsvWriterSettings csvsettings = new CsvWriterSettings
{
Writer = outputStream
};
Func<Type, object, Action<object>> onDumpStartCsv = (t, result) =>
{
CsvHelper.PrintHeader(t, csvsettings);
Action<object> onNext = (o) =>
{
CsvHelper.Dump(o, csvsettings);
};
return onNext;
};
CompileAndRun(new QueryExecutionContext(playback, onDumpStartCsv),
query,
errorStream,
errorStream,
playbackProperties);
}
internal static QueryExecutionContext CreateFromFiles(IList<string> etlfiles, Action<Type> onStart, Action<object> onNext)
{
Playback playback = new Playback();
foreach (var item in etlfiles)
{
playback.AddEtlFiles(item);
}
Func<Type, object, Action<object>> v = (t, o) =>
{
onStart(t);
return onNext;
};
QueryExecutionContext context = new QueryExecutionContext(playback, v);
playback.KnownTypes = ManifestCompiler.GetKnowntypesforPlayback();
return context;
}
public void HTTP_Parse_Format()
{
string msg = "";
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var parsed = pb.GetObservable<Parse>().Take(1);
parsed.Subscribe(p => msg = p.ToString());
pb.Run();
Assert.AreEqual(msg, "Parsed request (request pointer 18446738026454074672, method 4) with URI http://georgis2:80/windir.txt");
}
public void HTTP_SlowRequests()
{
var pb = new Playback();
pb.AddEtlFiles(EtlFileName);
var begin = pb.GetObservable<Parse>();
var end = pb.GetObservable<FastSend>();
var requests = from b in begin
from e in end.Where(e => e.Header.ActivityId == b.Header.ActivityId).Take(1)
select new
{
b.Header.ActivityId,
b.Url,
e.HttpStatus,
Duration = e.Header.Timestamp - b.Header.Timestamp
};
var slow = from r in requests
where r.Duration.TotalMilliseconds > 0.5
select r;
var list = new List<object>();
slow.Subscribe(s => list.Add(s));
pb.Run();
Assert.AreEqual(2, list.Count());
}
