Solved

get-winevent -path query

Posted on 2011-03-08
10
1,491 Views
Last Modified: 2012-05-11
hi Experts!

From a saved event log (of Application) I tried the following ps1 to select the evtx file:

function RemoveBlankSpaces ([string]$streng) {
        [string]$Temp = ((($streng -Replace "`r|`n|`t", "") -replace "\s{2,100}"," ") -replace "\s:",":").Trim()
        $Length = $Temp.length
        [int] $Limit = 950
        if ($length -gt $Limit) {
                return $temp.remove($Limit,($Length-$limit))
        } else {
                return $temp
        }
}
$out = @()
$evts = get-winevent -path "C:\Data\CustomLog\CustomLogapp01-07-2011@17-51-29.evtx"  
foreach($evt in $evts){
$mess = RemoveBlankSpaces($evt.Message)
#$out += "$($evt.ProvideName),$($EntryType),$($evt.TimeCreated),$mess"
$out += "$($evt.*)"
}
$out | out-file -filepath .\error.txt

Open in new window

However,

in the error.txt file I would get this:

,,12/29/2010 14:15:06,
,,12/29/2010 14:15:06,
,,12/29/2010 14:15:06,

The source name, error type and message are missing.

Any idea how to correct the script above?
0
Comment
Question by:allanau20
  • 7
  • 2
10 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 35083330

You have a typo for ProviderName (missing an R, you have ProvideName).

$EntryType is defined as a variable, and has no value in the script above. Did you mean $_.EntryType? And does that property actually exist in your output?

I can't really see a problem with $mess, it works for me.

I suggest you consider a structure like this though:
Get-WinEvent -path "C:\Data\CustomLog\CustomLogapp01-07-2011@17-51-29.evtx" |
  Select-Object ProviderName, EntryType, TimeCreated, @{n='Message';e={ RemoveBlankSpaces($_.Message) }} |
  Export-Csv "error.csv" -NoTypeInformation

Open in new window

Chris
0
 
LVL 5

Author Comment

by:allanau20
ID: 35085168
Super Chris; I will definitely try it and let you know. Thx!
0
 
LVL 5

Author Comment

by:allanau20
ID: 35086635
hi Chris,

I ran it and now I do see the ProviderName. However, the EntryType is blank and the Message is mostly blank. What I mean is that, and this is what I think, event messages that looks like it's on a single line does get displayed, but if it's broken into multiple lines then it doesn't get displayed.
Then again, I noticed that there might be some exception where the following has only first 4 lines displayed:

Event code: 3001
Event message: The request has been aborted.
Event time: 12/29/2010 7:42:50 AM
Event time (UTC): 12/29/2010 5:42:50 PM
Event ID: fec46fa7242247c1831f2e642274a764
Event sequence: 819
Event occurrence: 2
Event detail code: 0

Any ideas? TIA!!
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 5

Author Comment

by:allanau20
ID: 35086671
Hi Chris,

I even tried not using the message function and the results are the same:

  Select-Object ProviderName, EntryType, TimeCreated, Message  |
0
 
LVL 5

Author Comment

by:allanau20
ID: 35089810
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35093219

EntryType doesn't exist as a property in the logs I have. I suggest you check that it does for yours with:

Get-WinEvent ... -MaxEvents 1 | Format-List *

Message... start by checking you can capture the message as normal, then it's time to test the function you've written. I didn't do a lot of testing there, it worked fine for the one example I tried, but it was only one.

Chris
0
 
LVL 5

Author Comment

by:allanau20
ID: 35203890
Hi,

Just want to let you know that I haven't forgotten this question; apparent Get-WinEvent doesn't work on me XP puter; so waiting for a R2 to being build. Will let you know. Thx!
0
 
LVL 5

Author Comment

by:allanau20
ID: 35494580
sorry; I haven't ababdon this question ... it's a pain waiting for the box to be built ...
0
 
LVL 5

Author Comment

by:allanau20
ID: 35494588
I will definite let you know ... and not abandon this question. Thanks!
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help you understand what HashTables are and how to use them in PowerShell.
A procedure for exporting installed hotfix details of remote computers using powershell
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question