{"id":12091,"date":"2011-11-14T00:01:00","date_gmt":"2011-11-14T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2011\/11\/14\/use-custom-views-from-windows-event-viewer-in-powershell\/"},"modified":"2011-11-14T00:01:00","modified_gmt":"2011-11-14T00:01:00","slug":"use-custom-views-from-windows-event-viewer-in-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-custom-views-from-windows-event-viewer-in-powershell\/","title":{"rendered":"Use Custom Views from Windows Event Viewer in PowerShell"},"content":{"rendered":"

Summary:<\/strong> Learn how to use Event Viewer custom views in Windows PowerShell to parse event logs quickly.<\/span><\/span><\/p>\n

 <\/span><\/p>\n

\"Hey,<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>Hey, Scripting Guy! I love Windows 7. It absolutely rocks! One of the things I love about Windows 7, in addition to Windows PowerShell, is the new Event Viewer. I have created a custom view in my Event Viewer. I exported that custom view, and when I try to use it in the Get-WinEvent<\/b> cmdlet, it fails. Can you help me? I would love to be able to use Windows PowerShell to parse my custom view of the event logs. I know you can do this because you are the greatest!<\/span><\/p>\n

—LD<\/span><\/p>\n

 <\/span><\/p>\n

\"Hey,<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>Hello LD, <\/span><\/p>\n

Microsoft Scripting Guy Ed Wilson here. I agree with you, at least on two counts. I also love Windows PowerShell 7 and the new Event Viewer. The Windows PowerShell Get-WinEvent<\/b> cmdlet is also very powerful, and provides lots of opportunities for experimentation. I have written many articles about <\/span>using the Get-WinEvent<\/b> cmdlet<\/a> on the Hey, Scripting Guy! Blog. <\/span><\/span><\/p>\n

So, let’s see what exactly you are talking about when it comes to exporting a custom view from the Event Viewer application. As shown in the following figure, when I open the Event Viewer, the top portion in the upper left section of the screen contains Custom Views.<\/i> <\/span><\/p>\n

\"Image<\/a><\/span><\/p>\n

To create a custom view, I select Create Custom View<\/b> <\/i>from the Action<\/b> pane and the Create Custom View<\/b> <\/i>interface is displayed. This dialog box is shown in the following figure.<\/span><\/p>\n

\"Image<\/a><\/span><\/p>\n

After I save the custom view, I can export it to XML by selecting the custom view, and clicking Export Custom View<\/b> <\/i>in the Action<\/b> menu. This technique works great for exporting custom event log views either for backup purposes, or to use on other computers via the Event Viewer application. Unfortunately, it does not work when I attempt to import it via the Get-WinEvent<\/b> cmdlet:<\/span><\/p>\n

Get-WinEvent -FilterXml ([xml](Get-Content C:\\fso\\exportedCustomView.xml))<\/span><\/p>\n

The command and associated error are shown in the following figure.<\/span><\/p>\n

\"Image<\/a><\/span><\/p>\n

The reason the error is generated is because Export Custom View<\/b> <\/i>includes additional information required by the Event Viewer to create and host the custom event view. What the Get-WinEvent<\/b> cmdlet requires is the <QueryList><\/b> information. <\/span><\/p>\n

To find the <QueryList><\/b> information, I click Filter Current Custom View<\/b> <\/i>in the Action<\/b> menu. When the Filter Current Custom View<\/b> dialog box appears, I click the XML<\/b> tab. This displays the <QueryList><\/b> information, as shown in the following figure.<\/span><\/p>\n

<img style="border: 0px;" title="Image of information” alt=”Image of information” src=”https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6320.hsg-11-14-11-4.png” original-url=”http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550×0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-76-18\/6320.hsg_2D00_11_2D00_14_2D00_11_2D00_4.png” \/><\/a><\/span><\/p>\n

There is no copy button, even if you select the Edit query manually<\/b> check box. But I can easily highlight everything with my mouse, and press Ctrl+C to copy the selection to the Clipboard. After I have copied the information to the Clipboard, I create a new text file, paste the contents, and save it with a .xml file extension. The following figure shows the contents of the custom event log view.<\/span><\/p>\n

\"Image<\/a><\/span><\/p>\n

After I have only the <QueryList><\/b> information in a text file, I can now use the exact same command I used previously, but this time it works. The command I use is shown here:<\/span><\/p>\n

Get-WinEvent -FilterXml ([xml](Get-Content C:\\fso\\Past24CustomView.xml))<\/span><\/p>\n

The command and associated output are shown in the following figure.<\/span><\/p>\n

\"Image<\/a><\/span><\/p>\n

Here are the steps I use:<\/span><\/p>\n

    \n
  1. Create a custom view in the Event Viewer utility.<\/span><\/span><\/li>\n
  2. Display the <QueryList><\/b> information from the custom view by clicking Filter Custom View<\/b> from in the Action<\/b> menu.<\/span><\/span><\/li>\n
  3. Click the XML<\/b> tab.<\/span><\/span><\/li>\n
  4. Highlight the <QueryList><\/b> information with your mouse, and press Ctrl+C to copy the <QueryList><\/b> data to the Clipboard.<\/span><\/span><\/li>\n
  5. Open Notepad and paste the information from the Clipboard into the new text file.<\/span><\/span><\/li>\n
  6. Save the file with a .xml file extension.<\/span><\/span><\/li>\n
  7. Use the Get-Content<\/b> cmdlet to read the contents of the XML file.<\/span><\/span><\/li>\n
  8. Cast the returned data to {XML]<\/b> type and pass it to the FilterXML <\/i>parameter of the Get-WinEvent<\/b> cmdlet.<\/span><\/span><\/li>\n<\/ol>\n

    That is it. It seems like a lot of steps, but they are pretty logical. In addition, this provides an excellent way to process data quickly from multiple event logs. <\/span><\/p>\n

    LD, that is all there is to using a custom view from Event Viewer in a Windows PowerShell cmdlet. Join me tomorrow for more exciting Windows PowerShell tricks. <\/span><\/p>\n

     <\/span><\/p>\n

    I invite you to follow me on <\/span>Twitter<\/a> and <\/span>Facebook<\/a>. If you have any questions, send email to me at <\/span>scripter@microsoft.com<\/a>, or post your questions on the <\/span>Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/span><\/span><\/p>\n<\/p>\n

    Ed Wilson, Microsoft Scripting Guy<\/b><\/span><\/p>\n

    <\/span> <\/p>\n

     <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

    Summary: Learn how to use Event Viewer custom views in Windows PowerShell to parse event logs quickly.   Hey, Scripting Guy! I love Windows 7. It absolutely rocks! One of the things I love about Windows 7, in addition to Windows PowerShell, is the new Event Viewer. I have created a custom view in my […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,45],"class_list":["post-12091","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"

    Summary: Learn how to use Event Viewer custom views in Windows PowerShell to parse event logs quickly.   Hey, Scripting Guy! I love Windows 7. It absolutely rocks! One of the things I love about Windows 7, in addition to Windows PowerShell, is the new Event Viewer. I have created a custom view in my […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/12091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=12091"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/12091\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=12091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=12091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=12091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}