![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-6-4-14-01.png\" "\\"Image")
<\/a><\/p>\nIt is possible to improve this situation, and to filter only on a specific application. This is because the data is stored in the Event Data<\/strong> portion of the message. This section appears when I select XML View<\/b> from the Details<\/b> tab, as shown here:<\/p>\n I can use this information to create a custom XML query by clicking Filter Current Log<\/b>, clicking XML<\/b>, and then clicking the Edit query manually <\/b>check box. This is shown here:<\/p>\n In fact, this process outlines my process for creating a custom XML filter to filter the event log. I select as much as I need by using the graphical tools, then I edit the XML query manually in the dialog box. The advantage is that if I do not get the query correct, it does not display any records, it displays the incorrect records, or it tells me my query is invalid. At least that is what happens to me.<\/p>\n But I do not directly edit the query in the dialog box because if I get it wrong the first time, I have messed up my query. So I copy the autogenerated XML filter and paste it for safe keeping in a blank Notepad. I then edit the query. If I mess it up, I simple return to Notepad, retrieve my previous query, and start over. Simple.<\/p>\n When I was rummaging around in the Event Viewer, I noticed that several of the hangs were caused by Lync.exe. So, I thought I would create a custom query to look for those instances. To do this, I need to get into the Event Data<\/strong> node and look for Lync<\/strong>.<\/p>\n After I create a generic XML query by using the GUI tools, I copy the query, and turn it into a here string. Here is the basic query:<\/p>\n <QueryList><\/p>\n <Query Id="0" Path="Application"><\/p>\n <Select Path="Application">*[System[Provider[@Name='Application Hang'] and (Level=2) and (EventID=1002)]] <\/Select><\/p>\n <\/Query><\/p>\n <\/QueryList><\/p>\n To make it a here string, I add @” <\/b>and “@ <\/b>around the string, and I assign it to a variable. Now I need to access EventData<\/b> and the first data that is equal to Lync.exe<\/b>. I add it after EventID=1002)]]<\/b> by using and to bring them together. Here is the completed query.<\/p>\n $query = @"<\/p>\n <QueryList><\/p>\n <Query Id="0" Path="Application"><\/p>\n <Select Path="Application">*[System[Provider[@Name='Application Hang']<\/p>\n and (Level=2) and (EventID=1002)]]<\/p>\n and *[EventData[Data='lync.exe']]<\/Select><\/p>\n <\/Query><\/p>\n <\/QueryList><\/p>\n "@<\/p>\n To run it, all I do is call the Get-WinEvent<\/b> and pass it to the $query<\/b> parameter as a value for –FilterXML<\/b>. This is shown here:<\/p>\n Get-WinEvent -FilterXml $query <\/p>\n The command and the results are shown in the following image:<\/p>\n Without using XML, someone may come up with a command something like the following:<\/p>\n Get-WinEvent -LogName application |<\/p>\n where { $_.providername -eq 'application hang' -and<\/p>\n $_.level -eq 2 -and<\/p>\n $_.ID -eq 1002 -and<\/p>\n $_.message -match 'lync.exe'}<\/p>\n It works, and it gets the job done. But what about the results?<\/p>\n Although the command seems to work pretty well, I will use Measure-Command<\/b> to see how well. To do this, I add the command to a script block for Measure-Command<\/b>. Here is what it looks like:<\/p>\n Measure-Command {Get-WinEvent -LogName application |<\/p>\n where { $_.providername -eq 'application hang' -and<\/p>\n $_.level -eq 2 -and<\/p>\n $_.ID -eq 1002 -and<\/p>\n $_.message -match 'lync.exe'} }<\/p>\n The results? It takes 10.16 seconds as shown here:<\/p>\n And now for the XML query…<\/p>\n $query = @"<\/p>\n <QueryList><\/p>\n <Query Id="0" Path="Application"><\/p>\n <Select Path="Application">*[System[Provider[@Name='Application Hang']<\/p>\n and (Level=2) and (EventID=1002)]]<\/p>\n and *[EventData[Data='lync.exe']]<\/Select><\/p>\n <\/Query><\/p>\n <\/QueryList><\/p>\n "@<\/p>\n Measure-Command {Get-WinEvent -FilterXml $query }<\/p>\n The results take a mere 0.07 second. This is an amazing speed increase. Here is an image of the script and the output:<\/p>\n Although this is a great performance, and it makes me happy on my laptop, suppose I was trying to run the command against a thousand computers. That ten seconds stretches into over two and a half hours. I spent less than five minutes making the query. So five minutes to save ten seconds is not a great investment. But five minutes dev time to save over two and a half hours is a great ROI.<\/p>\n Spend a little time to work out the syntax for XML filters by using Get-WinEvent<\/b>. This is an area where a bit of investment in learning will pay off handsomely in the future.<\/p>\n That is all there is to using Get-WinEvent<\/b> and an XML filter to parse the event log message data. Event Log Week will continue tomorrow when I will talk about more cool stuff.<\/p>\n I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b> <\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Get-WinEvent in Windows PowerShell with FilterXML to parse event logs. Microsoft Scripting Guy, Ed Wilson, is here. Today I am sipping a cup of English Breakfast tea. In my pot, I decided to add a bit of spearmint, peppermint, licorice root, lemon peel, orange peel, and […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,4,45,165],"class_list":["post-1256","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-xml"],"acf":[],"blog_post_summary":" Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Get-WinEvent in Windows PowerShell with FilterXML to parse event logs. Microsoft Scripting Guy, Ed Wilson, is here. Today I am sipping a cup of English Breakfast tea. In my pot, I decided to add a bit of spearmint, peppermint, licorice root, lemon peel, orange peel, and […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/1256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=1256"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/1256\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=1256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=1256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=1256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a><\/p>\n<\/a><\/p>\nLooking for instances of LYNC hangs<\/h2>\n
<\/a><\/p>\nWithout using XML<\/h2>\n
<\/a><\/p>\n<\/a><\/p>\n