Filtering Windows event log for text in Data field

Posted on 2014-09-26
Last Modified: 2015-05-29
In a Windows event log (Win 8.1), I want to filter a log file for a substring in the Data field. What's the easiest way to do this (preferably in the Event Viewer with a custom view)?
Question by: BlearyEye
Expert Comment

ID: 40345839
You could try to achieve this with XML filters.

Advanced XML filtering in the Windows Event Viewer

If you're familiar with PowerShell, you can also try it that way.


Author Comment

ID: 40345863
I saw the first link when I was poking around. But I don't see how to filter Data for a substring.

I've used PowerShell enough to be somewhat dangerous, but I don't know how to do the query I'm looking for.

Expert Comment

ID: 40346026
I'm sorry, I was wrong with "Get-Event"... it should have been "Get-EventLog".


Sadly I couldn't get a substring to work with the XML filter, but maybe the PowerShell way will work.

I have an Event with the word "NtpClient" in the Message field.

I used the following command to query ("Ntp" as a substring of NtpClient) from the System EventLog.
> Get-EventLog -LogName System -Message "*Ntp*"

Does that help you in any way?

If that is not what you were looking for, then please be more specific about what you would like to achieve.

Author Comment

ID: 40352119
Sorry for the delay. The PS command helps. It truncates the message however, and only displays a limited number of columns. Any idea how to get everything?

Assisted Solution

Psymonious earned 500 total points
ID: 40356772
I haven't had much time to go deeper into this, but this could help to get the full information.
Get-EventLog -LogName System -Message "*Ntp*" | Format-List *

Accepted Solution

BlearyEye earned 0 total points
ID: 40356986
Yes, that does get the whole Data element, including newlines. (Oddly, Get-EventLog renames the elements so that Data becomes Message, EventRecordID becomes Index ...)

The format isn't very readable however. I'd like to be able to output it as a file to view in Excel. Outputting to CSV is tricky since the message data sometimes has newlines and outputting to XLS also seems difficult.

After some playing around, here's what seems to do the job for me:
Get-EventLog -LogName thelogname | select TimeGenerated, Index, EventId, Category, MachineName, EntryType, Message | Out-GridView


GridView is limited but may be enough. It shows newlines fine. I can pre-select events of interest in Get-EventLog and further filter & sort in GridView.
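As an added example (not code from this thread), the following PowerShell function does what the question asks directly: it reads the `<Data>` elements of each event's XML via Get-WinEvent rather than the rendered Message that Get-EventLog's -Message wildcard matches, and it collapses embedded newlines so the result survives a trip through Export-Csv into Excel. It assumes Windows PowerShell 5.1 or later on a machine with read access to the named log; the function name `Find-EventData` and the `Ntp` sample pattern are constructed for this illustration.

```powershell
# Added example, not from the original thread. Filter a Windows event log for
# a substring in the event's <EventData><Data> elements (the "Data" field shown
# in Event Viewer's XML view) and emit one flat object per matching event.
function Find-EventData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Pattern,   # plain substring, case-insensitive
        [int] $MaxEvents = 5000                     # newest events first
    )

    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            [xml] $xml = $_.ToXml()
            # Events that use <UserData> instead of <EventData> yield $null here,
            # which the @() wrapper turns into an empty list.
            $dataValues = @($xml.Event.EventData.Data | ForEach-Object {
                # A <Data Name="..."> element surfaces as an XmlElement; a bare
                # <Data>text</Data> element surfaces as a plain string.
                if ($_ -is [System.Xml.XmlElement]) { $_.'#text' } else { $_ }
            })
            $joined = $dataValues -join ' | '

            # IndexOf instead of -like so characters such as [ or * in the
            # pattern are taken literally rather than as wildcards.
            if ($joined.IndexOf($Pattern, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    RecordId    = $_.RecordId
                    EventId     = $_.Id
                    Level       = $_.LevelDisplayName
                    Provider    = $_.ProviderName
                    Machine     = $_.MachineName
                    Data        = $joined
                    # Collapse CR/LF so each event stays on a single CSV row.
                    Message     = ($_.Message -replace '\r?\n', ' ')
                }
            }
        }
}

# Usage (constructed): same query as the thread's "*Ntp*" example, but matched
# against the Data elements and written to a CSV that Excel opens cleanly.
Find-EventData -LogName System -Pattern 'Ntp' |
    Export-Csv -Path "$env:TEMP\ntp-events.csv" -NoTypeInformation -Encoding UTF8
```

Pipe the function's output to Out-GridView instead of Export-Csv to get the same interactive filtering the accepted answer uses, with the Data column already extracted.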

Author Closing Comment

ID: 40802072
I came up with the final answer, with help from others.
