I’m looking for a tool that will allow me to explore and query/search logs from Service Fabric written in ETL format. I tried to use Message Analyzer, but it was loading for a long time and hung; the second tool, Windows logs explorer, gave me logs that look like below after conversion to EVTX, and they are useless for me:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-ServiceFabric" Guid="{cbd93bc2-71e5-4566-b3a7-595d8eeca6e8}" />
    <EventID>65534</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>65534</Task>
    <Opcode>254</Opcode>
    <Keywords>0xffffffffffffff</Keywords>
    <TimeCreated SystemTime="2018-08-17T14:11:30.484723000Z" />
    <EventRecordID>11534</EventRecordID>
    <Correlation />
    <Execution ProcessID="14332" ThreadID="5124" ProcessorID="3" KernelTime="9" UserTime="63" />
    <Channel />
    <Computer>Machine Name</Computer>
    <Security />
  </System>
  <ProcessingErrorData>
    <ErrorCode>15003</ErrorCode>
    <DataItemName />
    <EventPayload>0101005B69002C006F6E3D223022206C657..74656D706C6174653D22537461727441735072696D61727941726773222F3E0D0A20203C6576656E742076</EventPayload>
  </ProcessingErrorData>
</Event>
I saw that on Azure (https://channel9.msdn.com/Events/dotnetConf/2018/S208, at the 35-minute mark) there is an option to use Application Insights to query the results. Is there any tool that allows me to do this locally?
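An added example, not from the question or any answer, that triages a converted export of the shape shown above: it separates records that rendered from those carrying ProcessingErrorData, and decodes the hex EventPayload so you can see what readable text (if any) the undecodable record holds. The two sample records and the payload are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

PAYLOAD_HEX = b'<event value="1"/>'.hex().upper()  # constructed; real payloads are mostly binary

# Constructed sample export: one record that rendered, one that failed like the one in the question.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ExampleProvider" />
    <EventID>1</EventID>
    <EventRecordID>11533</EventRecordID>
  </System>
  <EventData><Data Name="Message">rendered fine</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-ServiceFabric" Guid="{cbd93bc2-71e5-4566-b3a7-595d8eeca6e8}" />
    <EventID>65534</EventID>
    <EventRecordID>11534</EventRecordID>
  </System>
  <ProcessingErrorData>
    <ErrorCode>15003</ErrorCode>
    <EventPayload>%s</EventPayload>
  </ProcessingErrorData>
</Event>
</Events>""" % PAYLOAD_HEX


def printable_text(raw):
    """Show payload bytes like a hex dump's ASCII column: printable ASCII kept, anything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def triage(xml_text):
    """Split records into (rendered, failed); failed records get their error code and payload text."""
    rendered, failed = [], []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {"provider": system.find("e:Provider", NS).get("Name"),
               "event_id": int(system.findtext("e:EventID", namespaces=NS)),
               "record_id": int(system.findtext("e:EventRecordID", namespaces=NS))}
        err = ev.find("e:ProcessingErrorData", NS)
        if err is None:
            rendered.append(rec)
            continue
        rec["error_code"] = int(err.findtext("e:ErrorCode", namespaces=NS))
        raw = bytes.fromhex(err.findtext("e:EventPayload", namespaces=NS).strip())
        rec["payload_text"] = printable_text(raw)
        failed.append(rec)
    return rendered, failed
```

Running `triage` over a full export tells you how much of the converted log is actually searchable versus stuck as raw payloads.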
I generally use PerfView for most ETW log analysis. It provides very good filter capabilities on the raw files without the need to convert the logs to any other format, and it is also very lightweight when processing huge log files.
The good side of using tools like Log Analytics on OMS or Application Insights is that they provide advanced features like alerting, aggregation and SQL-like queries on these same events. Also, after setup, you don't have to handle large log files (generally hosted on Blob storage) to find logs for the application.
For development, PerfView does the job; for production analysis I would recommend you go for OMS or AppInsights.
The only downside of Log Analytics is that the events are not shown in real time; it takes a few minutes before you can see them in the portal, but it is still faster than finding and copying the files for analysis in PerfView or other tools.