Экспорт (0) Печать
Развернуть все
EN
Данное содержимое не доступно на вашем языке, используйте версию на английском языке.

Using the Data Retrieval Features

The procedures in this section encapsulate some of the main functionalities described in the Retrieving Message Data section. The procedures demonstrate how to do the following:

Load and Display Saved Data — shows how to browse for saved files that contain a message collection you want to load into Message Analyzer through a Data Retrieval Session and display it in a selected data viewer.

Select Specific Data from a Saved Trace File — shows how to select specific data from a saved file by applying a Session Filter to the data loading process via a Data Retrieval Session.

Display Different Data Viewers for Session Results — shows how to view results in selected data viewers that provide different presentation formats that enhance your data analysis perspectives.

Load Saved Data with the Quick Open Feature — shows how to quickly load and display data from a saved file by using the Quick Open feature.

Load Saved Data From Recent Files or Drag-and-Drop — shows how to quickly load and display data from a saved file by using the Recent Files list of the Quick Open feature. Also includes use of drag-and-drop as an alternate method for opening files.

Apply a Time Filter to Data Loading and Save the Message Collection — shows how to load a message collection from multiple input files with a Time Filter applied; and how to save it to a single file in the default Message Analyzer .matp format.

Important  At least one procedure in this section makes use of the drag-and-drop feature. If you have not logged off Windows after the first installation of Message Analyzer, please log off and then log back on if you wish to use drag-and-drop. This action ensures that the subsequent logon that follows installation has the appropriate privileges from the Message Capture User Group, which in turn enables Message Analyzer to have the same security context as Windows Explorer; otherwise, drag-and-drop will not work.

Load and Display Saved Data

In the following procedure, you will load saved trace data through a Data Retrieval Session and display it in the Message Analyzer default Analysis Grid viewer.

To use a Data Retrieval Session to load and display saved data

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Files button to display the Files tab along with the associated session configuration features that it contains in the New Session dialog.

  4. On the Files tab, click Add Files to launch the Open dialog and then navigate to the file/s that contain the data you want to load into Message Analyzer.

  5. In the Open dialog, select the file/s containing the data you want to load and then click Open to exit the dialog.

  6. In the files list that displays, place a check mark in the check box next to the file/s that contain the data you want to load, or alternatively, remove the check mark from files that contain data you do not want to load.

    If you need to search for suitably named files that contain specific data, as described in Naming Saved Files, enter the appropriate file name characters in the search box on the toolbar of the Files tab to highlight them in the list.

  7. Optionally, select a data viewer from the Start With drop-down list in the New Session dialog, or simply accept the default data viewer, for example, the Analysis Grid.

  8. Click the Start button in the New Session dialog to begin loading your selected data into Message Analyzer.

    The loaded data displays in the specified data viewer on the Message Analyzer Home tab.

  9. To load data from one or more additional files, for example, files that you unselected in the initial data loading configuration, click the Edit button in the Session group on the Ribbon of the Home tab to open the Edit Session dialog to expose the configuration of the current Data Retrieval Session, as you originally specified it.

  10. Select additional files in the files list or click Add Files to locate and add one or more files to the files list, and then place a check mark in the check box next to each file that contains the data you want to load into your existing message collection. By default, the Restricted Edit mode in which the Edit Session dialog opens only enables you to add more files to the files list, since other configuration features are disabled in this mode.

    Tip  If you add a check mark to the Select Added Files check box on the toolbar of the Files tab, all files that you add to the files list with the Add Files feature are automatically selected for inclusion in the data loading process.

  11. Click the Apply button to load the new data into the chosen data viewer on the Message Analyzer Home tab.

    If your data viewer is the Analysis Grid, note that the new data you are adding is appended to the existing set of messages in the tree grid of this viewer.

Tip  When analyzing data that you loaded from multiple input data sources, as described in Configuring Session Scenarios, you have the option to organize and summarize the loaded data into groups that are labeled by data source name. You can do this by adding a DataSource field from the General category of the Column Chooser to the Analysis Grid viewer, and then applying the Group command by selecting it from the context menu that displays after you right-click the DataSource column.

Select Specific Data from a Saved Trace File

In the following procedure, you will select specific trace data to load into Message Analyzer through a Data Retrieval Session, by applying a Session Filter to the data loading process.

To select specific data in a Data Retrieval Session

  1. Perform steps 1 through 3 of the procedure in Load and Display Saved Data.

  2. On the toolbar of the Files tab, place a check mark in the Select Added Files check box, so that all files that you add to the files list with the Add Files feature are automatically included in your data loading configuration.

  3. On the Files tab, click Add Files to launch the Open dialog and then navigate to the file/s that contain the trace data you want to load into Message Analyzer.

  4. In the Open dialog, select the file/s containing the data you want to load and then click Open to exit the dialog.

  5. In the Session Filter pane of the New Session dialog, select a Filter Expression from the Library to specify the filtering criteria that you choose for the input messages that are to be loaded into Message Analyzer.

    For example, you might add a simple expression such as IPv4.Address==192.168.1.1, to filter for only the messages that contain a specified IP address. You can also add a recently used filter from the History drop-down list on the toolbar of the Session Filter pane in the New Session dialog, or you can create your own Filter Expression. In this example, the IP address in italics is a placeholder for an actual IP address that you will include in this filter.

  6. Optionally, select a data viewer from the Start With drop-down list of the New Session dialog, or simply accept the default data viewer, for example, the Analysis Grid.

    Note  At any time prior to loading data in the next step, you have the option to remove the check mark from any files that contain data you do not want to load.

  7. Click the Start button in the New Session dialog to begin loading your selected data into Message Analyzer.

    Note  If you created your own Session Filter configuration and it is an invalid expression, a Compile query error message will be displayed and Message Analyzer will halt the data loading process; otherwise, loaded data will display in the specified data viewer on the Message Analyzer Home tab.

  8. Optionally, return to the configuration of your Data Retrieval Session to specify a different Filter Expression or message collection configuration for loading data into Message Analyzer, by clicking the Edit button in the Session group on the Ribbon of the Message Analyzer Home tab.

    The Edit Session dialog opens in the Restricted Edit mode, which indicates the following:

    Add new files or data sources without causing a data reload. Other configuration changes in Full Edit mode cause a reload of all data.

    This means that you can add new data files into the target files list and load that data without Message Analyzer having to also reload the data from the existing files. But any other configuration changes that you specify for the current Data Retrieval Session will cause Message Analyzer to reload all data, which includes messages from all files that represent the original message collection, in addition to messages from any new files you are adding. When this occurs, you might notice slower performance as Message Analyzer reloads the data.

  9. In the Edit Session dialog, click the Full Edit button to enable all configuration features for your Data Retrieval Session.

  10. In the Edit Session dialog, select a different Session Filter from the Library, for example, #DiagnosisTypes==2. If you select this filter, you can load and view only the messages that contain validation errors, for analysis purposes. A validation error is an indication that a message does not align with its protocol definition.

  11. After you have modified the Data Retrieval Session by selecting a different Session Filter from the Library, click the Apply button to view the results of the new Data Retrieval Session configuration in the data viewer that you initially selected.

    Note  When modifying an existing Data Retrieval Session, you cannot change the data viewer in which to display your data, as this capability is disabled in the Edit Session dialog. As a result, the messages that load from your modified Data Retrieval Session after you click the Apply button will continue to display in the data viewer that you initially specified. If you want to see the loaded data in a different data viewer, you can select one from the New Viewer drop-down in the Session group on the Message Analyzer Home tab, as described in the procedure that follows.

    More Information
    For additional details about the Edit Session dialog, see Editing Existing Sessions.

Display Different Data Viewers for Session Results

In the following procedure, you will display different views of a loaded message collection by launching other data viewers. Doing so can help you obtain different analytical perspectives when assessing your data.

To display data in different viewers

  1. Start a Data Retrieval Session with the default Analysis Grid viewer and load data into Message Analyzer by following the steps of one of the previous procedures, as appropriate.

    Thereafter in this procedure, you will be selecting other viewers.

  2. Observe that the loaded data displays in the Analysis Grid viewer on the Message Analyzer Home tab.

  3. In the left margin of the Message Analyzer Home tab, confirm that the Session Explorer tool window is open. If not, open it by selecting the Session Explorer item in the Tool Windows drop-down in the Windows group on the Ribbon of the Message Analyzer Home tab.

  4. To create a different view of your data, right-click the Data Retrieval Session node in the Session Explorer tool window, select New Viewer in the context menu, and then select the Protocol Dashboard item under the Message Analyzer Charts category. Alternatively, you can select the Protocol Dashboard from the New Viewer drop-down list in the Session group on Ribbon of the Message Analyzer Home tab.

  5. Observe that the loaded data displays in the Protocol Dashboard viewer as a separate session tab on the Message Analyzer Home tab.

    The Protocol Dashboard viewer contains several data visualizers that include Top Level Protocols Summary components in bar chart, pie chart, and message count grid formats, in addition to a Top Level Protocols Over Time chart in X-Y axis format that displays message count per protocol versus the trace timeline.

  6. Repeat step 4 and select the SMB Reads and Writes data viewer.

    Note  This viewer will display data only if SMB, SMB2, or SMB3 protocol packets were captured in the trace data that you loaded into Message Analyzer. If such a trace is unavailable, you can run a Live Trace Session, perform some file access activities, and then save the trace and load the data through a Data Retrieval Session where you can specify the SMB Reads and Writes viewer, or you can simply apply this viewer to the Live Trace Session results.

  7. Right-click a Data Retrieval Session in the Session Explorer tool window, highlight New Viewer, and then select the Sequence Match item in the Common category under My Items.

    Note  To execute a sequence expression, you will need to select one from the Sequence Expression drop-down list in the View Options group on the Ribbon of the Home tab, by placing a check mark in a sequence expression check box in the menu that appears. For example, you could select the Three-Way Handshake item to view and analyze the messages, sent from and received by source and destination nodes, that successfully participated in TCP connection handshake communications across the trace timeline.

  8. Poll through the various data viewers by clicking the session nodes for each viewer type in the Session Explorer tool window, for the current Data Retrieval Session. Note that you can also manually select the corresponding session tabs to look at the data format of each viewer.

    Tip  Because the Sequence Match viewer interacts with the Analysis Grid, it may be useful to redock these viewers so that you can more effectively see the results of driving message selection in the Analysis Grid from the Sequence Match viewer. See Redocking Data Viewers and Tool Windows for more information.

  9. Repeat these steps to specify different data viewers as needed. For example, you might specify one of the many data viewers that are available in viewer asset collections that are included in the viewer Library of every Message Analyzer installation.

    Tip  Comparing data from a Live Trace Session with associated data that is loaded from a Data Retrieval Session provides a convenient method for analyzing current and historical data.

Load Saved Data with the Quick Open Feature

In the procedure that follows, you will display data quickly from a saved trace or log file by using the Quick Open feature.

To quickly open a saved file and display its data

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click the Message Analyzer File menu and then click the Quick Open item to launch the Open dialog. You can also use the keyboard shortcut Ctrl+O to open the dialog.

  3. Navigate to the saved file containing the data you want to display, select a single file, and then click Open.

    The saved data displays in the default data viewer, for example, the Analysis Grid viewer.

Advisory  If you load a text .log file through the Quick Open feature, Message Analyzer will open the New Session dialog first to display the configuration for a Data Retrieval Session, so you can select a Text Log Configuration file to parse the log data after you start the session, rather than immediately displaying the data directly in an instance of the default data viewer. The exception to this is when you have a default configuration file already specified in the Text Log Files pane on the General tab of the global Options page, which is accessible from the Message Analyzer File menu. When this is the case, Message Analyzer will automatically parse the data from the .log file and display it in the default data viewer. Note that Message Analyzer will fully parse the .log file data only if the right configuration file is specified, which might be either a custom configuration file that you created, or one of the default configuration files that is provided with every Message Analyzer installation. For more information, see Opening Textual Log Files.

Note  If you load a trace file that was saved with one or more out-of-date parsers, Message Analyzer prompts you to reparse the trace.

Load Saved Data From Recent Files or Drag-and-Drop

In the procedure that follows, you will quickly load and display trace data by using the Recent Files feature or the drag-and-drop feature, as alternate methods for loading data into Message Analyzer. To ensure that drag-and-drop functions properly, you will need to have logged off and back on Windows at least once since you installed Message Analyzer, as indicated at the beginning of this section.

To quickly load and display saved data

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click the Message Analyzer File tab to display the File menu, mouse-hover over the Quick Open icon in the list, and then click a file in the Recent Files submenu to quickly display its data in the default data viewer, providing that you have one or more files in the list.

    Note  If you load a text .log file through the Recent Files feature, the same behavior that is described in the previous Advisory section applies.

  3. Alternatively, drag-and-drop one or more saved trace files anywhere on the Message Analyzer Start Page, or onto the Session Explorer Tool Window.

    Message Analyzer immediately displays the trace file data in the default session viewer. If you drag-and-drop more than one trace file, the data for each file displays in a separate session viewer tab on the Home tab for each file.

    Note that you can also drag-and-drop saved .log files onto the files list on the Files tab in the New Session dialog. This can be useful if you know in advance that you will need to specify a Text Log Configuration file in the dialog.

Apply a Time Filter to Data Loading and Save the Message Collection

In the procedure that follows, you will load a message collection consisting of data from multiple files with a Time Filter applied and you will save it to a single file in the default Message Analyzer .matp file format.

To apply a Time Filter to the data loading process and save the message collection

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Files button to display the Files tab along with the associated session configuration features that it contains in the New Session dialog.

  4. On the Files tab, click Add Files to launch the Open dialog and then navigate to the file/s that contain the data you want to load into Message Analyzer.

  5. In the Open dialog, select the file/s containing the data you want to load and then click Open to exit the dialog.

    This might consist of any combination of .matu, .matp, .cap, .log, or .etl files that contain message data that was captured or logged in a similar time frame. For example, this might be data from several large .log files that you want to aggregate and load into Message Analyzer for analysis purposes.

  6. In the files list that displays, ensure that you have a check mark in the check box next to the file/s that contain the data you want to load.

  7. In the Time Filter section on the Files tab of the New Session dialog, adjust the left and right time slider controls to define a window of time in which to view data.

    For example, if you have one or more large input files with target data, you might want to focus on a particular time slot in which you suspect that a particular issue has occurred to minimize consumption of system resources, rather than load all the message data contained in the input files. You can do this with a Time Filter, which loads only the messages with timestamp values that fall within a specified window of time.

    Note  If you have a collection of target input files, the Start Time and End Time values that display in the Time Filter configuration are inclusive of the earliest and latest chronological time value, respectively, that is detected in any input file in the files list.

  8. Apply a Session Filter to your Data Retrieval Session to isolate specific information that you want to focus on, as follows.

    If you want to be even more specific about the data that you load from target input files into Message Analyzer, you can specify a Filter Expression in the Session Filter pane of the New Session dialog, either by configuring one manually or by adding a predefined filter from the centralized Filter Expression Library.

    For example, for an input trace file, you might add a filter such as: IPv4.DestinationAddress == 192.168.1.1, to load only the traffic that went to or from the specified address; or for a log file, you might use a filter such as: *Summary contains “searchString”, to exclude all messages except those that contain a specified string in the Summary column of the Analysis Grid viewer.

  9. Click the Start button in the New Session dialog when you are ready to load the data.

    The data from the target files that you specified in the Data Retrieval Session configuration is filtered and loaded into Message Analyzer; it then displays in the default data viewer, for example, the Analysis Grid.

  10. Create different data analysis perspectives by applying various Message Analyzer data assessment and analysis tools, as follows.

    After the data is loaded, you can optionally apply additional data manipulation techniques to further isolate specific messages of interest. For example, you can do this by grouping data, sorting columns, adding columns for new field data, and specifying Column Filters; by specifying Viewpoints, View Layouts, View Filters, and Column Layouts; or by selecting different data viewers that contain other visualizer components that enhance your analytical perspectives. You can also apply a removable Quick Filter to further define the window of time in which to view data.

    To learn more about manipulating message data for analysis purposes, see the Analysis Grid, Common Data Viewer Features, and Using the Data Filtering Features topics.

  11. Save your data in the Save/Export Session dialog, as follows.

    When you have a set of messages that exposes a particular issue you are working on, such as a group of errors that might have occurred in some module at a specific source or destination address; or if you simply need to save your data to resume analysis later on, you can do so by clicking the Save item in the Message Analyzer File menu to display the Save/Export Session dialog, and then doing one of the following:

    • Select the All Messages option to save all the data in a message collection.

    • Select the Filtered Messages option to save a message collection to which a View Filter was applied.

    • Choose the Selected Messages option after selecting/highlighting one or more messages with your mouse.

    Note that you have the option to save a message collection in the Message Analyzer native .matp file format, or you can export to a .cap file for use in other applications.

  12. From the Save As dialog, navigate to the directory location where you want to save the selected message data.

  13. In the File name text box of the Save As dialog, specify a name for the message file.

  14. Click Save when finished.

Была ли вам полезна эта информация?
(1500 символов осталось)
Спасибо за ваш отзыв
Показ:
© 2014 Microsoft