Summary: Microsoft Scripting Guy, Ed Wilson, talks about exporting queries from the event log tool.
Microsoft Scripting Guy, Ed Wilson, is here. It has long been a truism (at least with things related to computers) that powerful is the opposite of simple. I can have a tool that is powerful, but with that power comes complexity. When that complexity grows to the point where the tool is ridiculously hard to use, the tool rapidly becomes useless.
What is awesome is when a tool is extremely powerful and also very easy to use. Of course, this usually means that the tool makes lots of default choices for me. If those default choices are intelligent, I really don’t care. Microsoft Word is sort of like that. I mean, the default document template makes tons of choices. Usually, I do not care about the exact spacing between paragraphs, the default Tab stop, column width, or page length. Usually…
Of course, when I have to modify those things, I know I am probably going to have to set aside all day.
The Windows PowerShell cmdlet Get-WinEvent is often perceived to be such a tool. It is very powerful, but it is also more complicated to use than, for example, the Get-EventLog cmdlet. The problem with Get-EventLog is that it only works for legacy (classic) event logs. For all the newer (new as in Windows Vista era, so not really all that new at all) types of logs, I need to use Get-WinEvent. Because Get-WinEvent also works with legacy event logs, I have completely quit using the Get-EventLog cmdlet. This forces me to learn how to use the Get-WinEvent cmdlet.
One problem with the Get-WinEvent cmdlet is that, at first glance, it is hard to figure out how to filter the results. It is a truism that, for performance's sake, I filter to the left of the pipeline character. This means that I do not use Get-WinEvent to return everything and then pipe it to Where-Object; the filtering should happen inside the cmdlet, where the event log service can apply it before the records ever reach the pipeline.
This is especially true with some logs that return thousands of records. But how do I filter, for example, on an Event ID? Here is the syntax that shows the various parameter sets (ways of using the cmdlet):
PS C:\> Get-Command Get-WinEvent -Syntax
Get-WinEvent [[-LogName] <string[]>] [-MaxEvents <long>] [-ComputerName <string>] [-Credential
<pscredential>] [-FilterXPath <string>] [-Force] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ListLog] <string[]> [-ComputerName <string>] [-Credential <pscredential>] [-Force]
[<CommonParameters>]
Get-WinEvent [-ListProvider] <string[]> [-ComputerName <string>] [-Credential <pscredential>]
[<CommonParameters>]
Get-WinEvent [-ProviderName] <string[]> [-MaxEvents <long>] [-ComputerName <string>] [-Credential
<pscredential>] [-FilterXPath <string>] [-Force] [-Oldest] [<CommonParameters>]
Get-WinEvent [-Path] <string[]> [-MaxEvents <long>] [-Credential <pscredential>] [-FilterXPath
<string>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-FilterXml] <xml> [-MaxEvents <long>] [-ComputerName <string>] [-Credential
<pscredential>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-FilterHashtable] <hashtable[]> [-MaxEvents <long>] [-ComputerName <string>]
[-Credential <pscredential>] [-Force] [-Oldest] [<CommonParameters>]
From this, there are basically three ways of filtering, each with its own parameter set:
- Via XML (-FilterXml)
- Via a hash table (-FilterHashtable)
- Via XPath (-FilterXPath)
Dude!!!
The easy way to an XPath query
Believe it or not, the easy way to filter the results of Get-WinEvent is with XPath. This is because I can use the Event Viewer to create my query for me. To do this, I open the Event Viewer, right-click the log, and choose Filter Current Log from the action menu. I then use the check boxes, drop-down lists, and text boxes to filter the content of the selected log. This is shown in the following image:
I then click the XML tab to look at the query. This is shown here:
Now I select the Edit query manually check box. This permits me to highlight the query. I always copy the query and paste it into Notepad. When I have the query in Notepad, I select the XPath portion of the query, that is, the expression between the opening <Select Path="..."> tag and the closing </Select> tag (the Path attribute itself only names the log, which I supply separately with -LogName):
I open the Windows PowerShell ISE, create my query, and add a line for my Get-WinEvent cmdlet:
$xpath = "*[System[(Level=2) and (EventID=35)]]"
Get-WinEvent -LogName application -FilterXPath $xpath
And that is the easy way to query a log by using the Get-WinEvent cmdlet.
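The following is an added example, not code from the original post. It automates the Notepad step above: it takes the XML exactly as Event Viewer's XML tab writes it, pulls out the log name and the XPath expression, and feeds them to Get-WinEvent. It then shows the same filter in the other two forms the syntax listing offers (-FilterXml and -FilterHashtable), extends the XPath with a time window, and measures the cost of filtering to the right of the pipeline instead. The XML string is a constructed sample matching the article's filter (Level 2 is Error, Event ID 35, Application log), and ConvertFrom-EventViewerFilter is this example's own function name, not a built-in cmdlet.

```powershell
# Added example (not from the original post). Sample filter XML, constructed
# to match what Event Viewer > Filter Current Log > XML tab produces for the
# article's query; not captured from a real machine.
$eventViewerXml = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=2) and (EventID=35)]]</Select>
  </Query>
</QueryList>
'@

function ConvertFrom-EventViewerFilter {
    # Hypothetical helper for this example: returns one object per <Select>
    # element with the log name (Path attribute) and the XPath (element text).
    param([Parameter(Mandatory)][string]$Xml)

    [xml]$doc = $Xml
    foreach ($select in $doc.QueryList.Query.Select) {
        [pscustomobject]@{
            LogName = $select.Path               # attribute: which log to read
            XPath   = $select.InnerText.Trim()   # element text: the XPath query
        }
    }
}

$filter = ConvertFrom-EventViewerFilter -Xml $eventViewerXml
# $filter.LogName is 'Application'
# $filter.XPath   is '*[System[(Level=2) and (EventID=35)]]'

# 1. The article's form: log name plus XPath. The event log service evaluates
#    the XPath, so only matching records reach the pipeline.
#    Get-WinEvent writes a non-terminating error when nothing matches, hence
#    -ErrorAction SilentlyContinue on the calls below.
Get-WinEvent -LogName $filter.LogName -FilterXPath $filter.XPath -MaxEvents 20 -ErrorAction SilentlyContinue

# 2. Same filter, passing the Event Viewer XML unchanged. -FilterXml takes the
#    whole QueryList, so the Path attribute already names the log.
Get-WinEvent -FilterXml ([xml]$eventViewerXml) -MaxEvents 20 -ErrorAction SilentlyContinue

# 3. Same filter as a hash table. The keys are fixed names (LogName, Level,
#    Id, ProviderName, StartTime, ...), so this form cannot express arbitrary
#    XPath, but it is the easiest to type by hand.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; Id = 35 } -MaxEvents 20 -ErrorAction SilentlyContinue

# 4. Extending the XPath: the same events, restricted to the last 24 hours.
#    timediff(@SystemTime) is the age of the event in milliseconds; this is the
#    same expression Event Viewer emits when you pick a time range in the dialog.
$xpathLastDay = '*[System[(Level=2) and (EventID=35) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
Get-WinEvent -LogName Application -FilterXPath $xpathLastDay -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message

# 5. Why filter left: time the same query done the slow way (pull every record,
#    then Where-Object) against the XPath form. On a busy Application log the
#    difference is large because the first form serializes every event.
$slow = Measure-Command {
    Get-WinEvent -LogName Application -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -eq 2 -and $_.Id -eq 35 }
}
$fast = Measure-Command {
    Get-WinEvent -LogName Application -FilterXPath $filter.XPath -ErrorAction SilentlyContinue
}
"Where-Object: {0:N0} ms   FilterXPath: {1:N0} ms" -f $slow.TotalMilliseconds, $fast.TotalMilliseconds
```

Two caveats worth keeping in mind: the event log's XPath is a subset of XPath 1.0 (comparisons, and/or, position, timediff, and a limited set of functions; a query that Event Viewer will not accept will not work with -FilterXPath either), and the Security log requires an elevated prompt, so when you adapt this to Security events, run the ISE as administrator or the call will return an access-denied error rather than an empty result.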
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy