3.1.4.10 EvtRpcRemoteSubscriptionNext (Opnum 2)
This EvtRpcRemoteSubscriptionNext (Opnum 2) method is a synchronous request for events that have been delivered to a subscription. This method is only used for pull subscriptions in which the client polls for events. The EvtRpcRemoteSubscriptionWaitAsync (section 3.1.4.11) method can be used along with this method to minimize the frequency of polling.
-
error_status_t EvtRpcRemoteSubscriptionNext( [in, context_handle] PCONTEXT_HANDLE_REMOTE_SUBSCRIPTION handle, [in] DWORD numRequestedRecords, [in] DWORD timeOut, [in] DWORD flags, [out] DWORD* numActualRecords, [out, size_is(,*numActualRecords), range(0, MAX_RPC_RECORD_COUNT)] DWORD** eventDataIndices, [out, size_is(,*numActualRecords), range(0, MAX_RPC_RECORD_COUNT)] DWORD** eventDataSizes, [out] DWORD* resultBufferSize, [out, size_is(,*resultBufferSize), range(0, MAX_RPC_BATCH_SIZE)] BYTE** resultBuffer );
handle: A handle to a subscription. This parameter is an RPC context handle, as specified in [C706] Context Handles.
numRequestedRecords: A 32-bit unsigned integer that contains the maximum number of events to return.
timeOut: A 32-bit unsigned integer that contains the maximum number of milliseconds to wait before returning.
flags: A 32-bit unsigned integer that MUST be set to zero when sent and MAY be ignored on receipt.<15>
numActualRecords: A pointer to a 32-bit unsigned integer that contains the value that, on success, MUST be set to the number of events that are retrieved. This is useful in the case in which the method times out without receiving the full number of events specified in numRequestedRecords. If the method fails, the client MUST NOT use the value.
eventDataIndices: A pointer to an array of 32-bit unsigned integers that contain the offsets for the events. An event offset is its position relative to the start of resultBuffer.
eventDataSizes: A pointer to an array of 32-bit unsigned integers that contain the event sizes in bytes.
resultBufferSize: A pointer to a 32-bit unsigned integer that contains the number of bytes of data returned in resultBuffer.
resultBuffer: A pointer to a byte-array that contains the result set of one or more events. The events MUST be in binary XML format, as specified in section 2.2.17.
Return Values: The method MUST return ERROR_SUCCESS (0x00000000) on success. The method MUST return ERROR_TIMEOUT (0x000005b4) if fewer than numRequestedRecords records are found within the time-out period. Otherwise, it MUST return a different implementation-specific nonzero value as specified in [MS-ERREF].
In response to this request from the client, the server MUST do the following:
Validate the handle. For processing rules for handle validation, see the remarks in section 3.1.4.9. The server MUST fail the method with the return code ERROR_INVALID_PARAMETER (0x00000057) if the handle is invalid or there is no state for this handle on the server.
After the server validates the handle, it casts the handle value to the subscription object. The server then MUST check whether the subscription object is a push subscription. Because the subscription object contains the type of subscription, the server checks its type and SHOULD fail the method if it is not a push type subscription with the error ERROR_INVALID_OPERATION(0x000010DD).
If the handle passes the check, the server MUST determine if the log file contains events to send to the client. These events pass the subscription filters but have not been sent to the client. The subscription filters are the XPath queries that the client specifies in the query parameter in the EvtRpcRegisterRemoteSubscription method (as specified in section 3.1.4.8). For information on how the server applies the filter, see [MSDN-CONSUMEVTS].
If the log file contains events to send to the client, EvtRpcRemoteSubscriptionNext (Opnum 2) starts collecting events to send to the client. Three factors determine the number of events that the server sends to the client:
The maximum number of records to send to the client. This value is specified by using the numRequestedRecords parameter.
The timeout interval. This value is specified by using the timeOut parameter and defines the maximum time interval that the caller will wait for a query result. Complex queries and queries that inspect large log files are most likely to encounter the limit specified by the timeout value. If the execution time for delivering the next batch of events through the subscription exceeds the timeout value, the server MUST stop working and SHOULD return to the client immediately with the return code ERROR_TIMEOUT (0x000005B4). The server SHOULD treat a timeout parameter value of 0xFFFFFFFF as infinite, and process up to the limit of numRequestedRecords or the end of the log file regardless of the amount of time such processing takes.
The end of the log file.
If the server collects the maximum number of events to send to the client before reaching the end of the log file and before the timeout interval expires, the server MUST send the number of events specified in numRequestedRecords to the client.
If the timeout interval expires before the server reaches the end of the log file, the server MUST send the collected events to the client. The number of events is less than or equal to the number of events specified in numRequestedRecords.
If the server reaches the end of the log file before the timeout interval expires, the server MUST send the collected events to the client. The number of events is less than or equal to the number of events specified in numRequestedRecords.
The server returns the result in the five output parameters: numActualRecords, eventDataIndices, eventDataSizes, resultBufferSize, and resultBuffer. On successful return, the numActualRecords contains the number of events in the resultBuffer. All the returned events are in BinXML format and they are packed as one binary blob in the resultBuffer. The total size of all these events are marked by resultBufferSize. Since all the events are packed together, there is a need to identify where the separator is for each event in the result. To do this, the server fills two arrays: eventDataIndices and eventDataSizes. Both arrays contain the numActualRecords of elements. For the eventDataIndices array, each array element is a 32-bit value which is the start position of each event in the resultBuffer. For the eventDataSizes array, each element is a 32-bit value which is the size of every event.
The server MUST update the position value in the subscription object to keep track of the events received by the client so that subsequent calls can retrieve the rest of the result set. As specified in section 3.1.4.8, the subscription object keeps the positions where the events SHOULD start in the channels. Then the server can update the position value so that it can perform the task of tracking the delivered events. The entire result set in the log file can be retrieved by making a series of calls using EvtRpcRemoteSubscriptionNext (Opnum 2), including entries added to the log file during retrieval of the result set.
The server SHOULD be notified by the underlying network that the connection is lost from the client if the client abnormally terminates the connection. The server abandons its operation for the client in such a case. The server SHOULD release the subscription object it creates and free all associated resources. The associated resources are described in EvtRpcRegisterRemoteSubscription (Opnum 0) (section 3.1.4.8).
The server MUST return a value that indicates success or failure for this operation.