May 2nd, 2012

How Can I Use the Out-GridView Cmdlet to Search Event Logs?

Doctor Scripto
Scripter

Summary: Learn how to use a simple Windows PowerShell cmdlet to search event logs for errors.

Hey, Scripting Guy! Question Hey, Scripting Guy! I was at a recent SQL Saturday event, and there was a person there (unfortunately, I do not remember his name) who was talking about Windows PowerShell. In his talk, he showed something that was pretty cool. It seemed like he created a pivot table on the fly. He was able to sort and filter stuff to find specific information. I do not remember what that was called either. Is this something that is built-in to Windows PowerShell? Is it in Windows PowerShell 2.0 or only in the version 3 beta? Or is this something that he created himself?

—JD

Hey, Scripting Guy! Answer Hello JD,

Microsoft Scripting Guy, Ed Wilson, is here. This has already been one of the greatest weeks ever. The Scripting Wife and I are in Virginia Beach, Virginia where I am speaking at the Mark Minasi Conference. I got to meet up with an old friend the other day, and we had dinner together. I had not seen Dan for more than 30 years. We reestablished our friendship over Facebook, and because he lives in Virginia Beach, we thought it would be an awesome time to meet again. Don Jones is also here at the conference speaking, so we have had a lot of fun hanging out with him. Of course, Mark Minasi is here, and it is always a lot of fun to see him again. If it was only Dan, Don, and Mark, the week would be worth it. But the sessions have been awesome, and it has been great to have the high level of interaction with people this week.

Right now, we have a break, and I am sitting in a corner, sipping on a cup of “generic” green tea (it just says “green”), and I am also listening to Don Giovanni on my Zune while I take the opportunity to catch up on some of the email sent to scripter@microsoft.com. I will admit that I miss my tea pot and my stash of Gunpowder Green Tea (which I picked up in New York City while the Scripting Wife and I toured China Town with Rich Prescott).

Anyway JD, with Windows PowerShell, you can do anything. But if I had to guess, I would think that the presenter demonstrated using the Out-GridView cmdlet. For one thing, Out-GridView makes for a great demonstration. For another thing, Out-GridView is very useful—especially for admin types or for others who need to drill-down into potential problem areas.

It is very useful to use the Out-GridView cmdlet to aid in parsing event logs. For example, the following command obtains all of the events from the Application log and pipes the resulting EventLog entry objects to the Out-GridView cmdlet for further processing.

Get-EventLog application | Out-GridView

At first glance, the output appears a bit overwhelming. The nice thing about the command is that it retrieves information and displays it in the grid much faster than opening the Event Viewer. One reason for this apparent performance increase is that the Windows PowerShell command only retrieves information from one specific event log; whereas, the Event Viewer has many more touch points to address. The resulting GridView control appears in the image that follows.

Image of command output

After the grid contains the event log information, use the Filter or the Criteria parameter to filter the displayed data. By using the Filter parameter, you can easily search for text anywhere it might appear in the grid. By using a simple filter like AppCrash, you retrieve any events from the Windows Application log that contain the letters AppCrash anywhere in the event log record. The image that follows illustrates this technique.

Image of command output

If you know which column contains the information you seek, there are a couple of options available. You can use the column name with a colon separator and the search value to limit the search to a specific column. If you use two column names and values, the two filter parameters are anded together—that is, the filter uses both values in the search, and the results must meet both values to display. The filter, that is shown here looks for event log entries that are of the type Information and records that have an instance ID of 1001.

entrytype:information instanceID:1001

The filter applies dynamically to the output in the GridView control. When the typing is complete, the following displays in the control.

Image of command output

When you have completed searching through the data, pressing the red X in the upper-right corner removes the filter and returns all of the unfiltered event log data to the control.

JD, that is all there is to using the Out-GridView cmdlet to filter event log data. Join me tomorrow when I will talk about using search criteria to filter information in the GridView control.   

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Author

The "Scripting Guys" is a historical title passed from scripter to scripter. The current revision has morphed into our good friend Doctor Scripto who has been with us since the very beginning.

0 comments

Discussion are closed.