Using event-driven monitoring, the data resulting from the monitor is a sequence of event records, each describing one event. An event record consists of an arbitrary number of components, called record fields, each containing a single value describing one aspect of the event. In most cases an event record has record fields containing the event identification and the time the event was recognized. It is also possible that a record field or a group of record fields is not always present in the current event record, or that a record field is interpreted differently, depending on the actual value of another record field. Therefore, it is possible that event records have different lengths even in one event trace.
During the measurement, the event records are stored sequentially in a file (event trace file), resulting in a sequence of event records sorted according to increasing time. A section in the event trace which has been continuously recorded is called a trace segment. A trace segment describes the dynamic behavior of the monitored system during a time interval in which none of the detected events was lost. The knowledge of segment borders is important, especially for validation tools based on event traces. Usually each trace segment begins with a special data record, the so-called segment header, which contains some useful information about the following segment or is simply used to mark the beginning of a new trace segment.
With the hierarchy event trace / trace segment / event record / record field, we have a general logical structure which enables us to abstract from the physical structure and representation of the measured event trace (see fig. 3 left). Note that we only specified the structure of an event trace independent from its contents. This does not include a specification of event types. We will return to this problem in section 5.
The main differences between different trace formats are the number of the event record fields. Furthermore, an unsegmented trace can be viewed as a trace consisting of one segment without segment header. Therefore, the general logical structure is always the same. An event record with its fields represents an event with its assigned attributes, whereas the event trace file represents the dynamic behavior as a stream of events.