Manipulating Performance Monitor Logs
If you need to monitor or troubleshoot performance problems on a Windows system, chances are you'll simply fire up PerfMon, log some data to a file, which you later load in PerfMon for analysis. This is great and is often all that you need, but it's a bit of a passive use of the log and gives the impression that if you make a mistake in your selections at the start you're stuck with it. What if you didn't gather the data and the log you're given contains counters you don't need, or is too big to use easily, or you're only interested in a short period of the logging interval? What can you do? As it turns out there is quite a bit you can do. The little-known, but highly-useful, Relog.exe tool can perform some clever manipulation once you have your log, allowing you to focus your troubleshooting a bit more (or at least make it a bit easier).
Relog is built-in for Windows XP and later, and is available to download for Windows 2000. Here are some things it can do:
Converting Logs to Different Formats
The default log format for performance logs is Binary (.blg) and you usually just want to leave it that way as PerfMon can read it just fine. However, what if you wanted to use another tool (Excel, for example) to analyse the data and the tool doesn't understand binary files? Relog allows you to take an existing log in, say, .blg format and generate a new file in, say, Comma Separated Value (.csv) format:
Relog OriginalLog.blg -f CSV -o NewLog.csv
This command takes OriginalLog.blg and creates NewLog.csv from it, with this new log containing all of the same datapoints as the original. You can convert between .blg, .csv, Tab Separated Value (.tsv), and .sql formats.
Resampling the Data
When creating a log file one of the parameters you need to set is the sample interval. You should set this according to the nature of the troubleshooting or monitoring you're doing, so, for example, you would not set the same sample interval on logs that will run for 3 weeks as you would for one that runs for 3 hours. However, you can still end up with some unwieldy log files, which are a pain to view in PerfMon. Relog allows you to resample the data, generating a new log file containing every n-th datapoint. For example, this command will take OriginalLog.blg and generate NewLog.blg, which contains every 5-th datapoint:
Relog OriginalLog.blg -t 5 -o NewLog.blg
Clearly, you are discarding information here and care needs to be taken or you may end up missing something important from the new dataset - for example, if you originally sampled every 60 seconds, but change this to the equivalent of every 30 minutes, you are likely to miss a transient problem that lasts 5 minutes. However, this isn't really any worse than if you'd set the sample interval differently in the first place, so better to select the correct interval before logging begins.
If you don't want to lose data, but know that the problem your investigating happened mid-way through the logging period, then you can create a new log of just the datapoints in a given time window. For example, if we have a log that ran between Midnight on 3rd March to Midnight on 10th Match, we can extract the data for 5th and 6th March using this command:
Relog OriginalLog.blg -b 05/03/2008 00:00:00 -e 06/03/2008 00:00:00 -o NewLog.blg
Relog does its best to match the times specified, but if these do not correspond to specific sample times, then it chooses the closest ones.
Extracting Specific Counters
As an alternative to the above approach of re-sampling the datapoints, you can split your log file into multiple files, each with all the datapoints, but with a subset of the original counters. For example, the following command will take all of the Memory-related counters from OriginalLog.blg and copy them to NewLog.blg:
Relog OriginalLog.blg -c "\Memory\*" -o NewLog.blg
If you need to do more complex filtering of the counters, then you can list the counters you want in a text file and pass the path to Relog:
Relog Original.blg -cf CounterList.txt -o NewLog.blg
The counter list is specified with a single counter per-line. For example:
\Memory\Pool Paged Bytes
\Process(*)\Pool Paged Bytes
\Thread(Explorer*)\% Processor Time
If you have several logs you've split out as described above and would like to re-combine two or more of them, say for easier comparison in PerfMon, then Relog can do this as follows:
Relog SeparateLog11.blg SeparateLog2.blg -o CombinedLog.blg
This takes SeparateLog1.blg and combines it with SeparateLog2.blg and writes the result to CombinedLog.blg. You can do this for more than two logs, but all of them must be in .blg format.
It is possible to combine some of the actions mentioned above in a single command. For example:
Resample and convert log type
To convert from .blg to .csv and copy only every 10th datapoint, us this command:
Relog OriginalLog.blg -f CSV -t 10 -o NewLog.csv
Extract Counters, Change Time Window and Resample
To extract every 5th datapoint for just the Memory counters from 5-6th March, use this command:
Relog OriginalLog.blg -b 05/03/2008 00:00:00 -e 06/03/2008 00:00:00 -c "\Memory\*" -t 5 -o NewLog.blg
Obviously, analysing the data after you've played around with it is the critical part, and that's beyond the scope of a simple blog post, but to get you started, here are a few resources that you might find useful:
Performance Analysis of Logs (PAL) . PAL automates the analysis of the logs by applying specified thresholds (supplied) to the data, generating reports with details of what it found.
Windows Performance Guide. Part of the Server 2003 Resource Kit, this is the place to read up on performance analysis.
Performance Tuning Guidelines for Windows Server 2003. Provides guidance on parameter to tweak in order to maximise performance in Server 2003.
Performance Tuning Guidelines for Windows Server 2008. Server 2008 equivalent of the guide mentioned above.