In a Windows event log (Win 8.1), I want to filter a log file for a substring in the Data field. What's the easiest way to do this (preferably in the Event Viewer with a custom view)?
You could try to achieve this with XML filters.

Advanced XML filtering in the Windows Event Viewer

If you're familiar with PowerShell, you can also try it that way.

BlearyEyeAuthor Commented:
I saw the first link when I was poking around. But I don't see how to filter Data for a substring.

I've used PowerShell enough to be somewhat dangerous, but I don't know how to do the query I'm looking for.
I'm sorry, I was wrong with "Get-Event"... it should have been "Get-EventLog".


Sadly I couldn't get a substring to work with the XML filter, but maybe the PowerShell way will work.

I have an Event with the word "NtpClient" in the Message field.

I used the following command to query ("Ntp" as a substring of NtpClient) from the System event log.
> Get-EventLog -LogName System -Message "*Ntp*"

Does that help you in any way?

If that is not what you were looking for, then please be more specific about what you would like to achieve.
BlearyEyeAuthor Commented:
Sorry for the delay. The PS command helps. It truncates the message however, and only displays a limited number of columns. Any idea how to get everything?
I didn't have much time to go deeper, but this could help to get the full information.
Get-EventLog -LogName System -Message "*Ntp*" | Format-List *
BlearyEyeAuthor Commented:
Yes, that does get the whole Data element, including newlines. (Oddly, Get-EventLog renames the elements so that Data becomes Message, EventRecordID becomes Index ...)

The format isn't very readable however. I'd like to be able to output it as a file to view in Excel. Outputting to CSV is tricky since the message data sometimes has newlines and outputting to XLS also seems difficult.

After some playing around, here's what seems to do the job for me:
Get-EventLog -LogName thelogname | select TimeGenerated, Index, EventId, Category, MachineName, EntryType, Message  | Out-GridView


GridView is limited but may be enough. It shows newlines fine. I can pre-select events of interest in GetEventLog and further filter & sort in GridView.
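As an added example that is not part of this thread, the script below puts together the two pieces discussed above (the "*Ntp*" substring search against the message text, and the Select/Out-GridView pipeline for viewing) using Get-WinEvent instead of Get-EventLog. Get-WinEvent reads the .evtx logs directly, exposes the raw Data values as the Properties collection (the thread's "Data becomes Message" renaming is a Get-EventLog quirk), and unlike Get-EventLog it still exists in PowerShell 7. The log name, substring and output path are placeholder parameters, not values from the thread.

```powershell
# Added example, not code from the thread. Filters one event log for a substring in either the
# rendered Message or the raw EventData values, then writes a CSV that Excel opens cleanly and
# shows the same rows in Out-GridView. LogName, Substring and OutFile are placeholder defaults.
param(
    [string]$LogName   = 'System',
    [string]$Substring = 'Ntp',
    [string]$OutFile   = (Join-Path $env:TEMP 'filtered-events.csv'),
    [int]   $MaxEvents = 5000
)

# FilterHashtable narrows the query inside the event log service before any objects are
# built; a substring test cannot be pushed down (Event Viewer's XPath subset has no
# contains()), so that part is done client-side below.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName } -MaxEvents $MaxEvents `
            -ErrorAction SilentlyContinue)

# -like with wildcards is case-insensitive, matching the thread's "*Ntp*" idea.
# Properties holds the raw <Data> values from the event XML, which is what the original
# question asked to search; Message is the rendered text built from them.
$matched = $events | Where-Object {
    $dataText = ($_.Properties | ForEach-Object { "$($_.Value)" }) -join "`n"
    $_.Message -like "*$Substring*" -or $dataText -like "*$Substring*"
}

# Same kind of columns as the thread's Out-GridView line, using Get-WinEvent's property names
# (TimeCreated/RecordId/Id instead of Get-EventLog's TimeGenerated/Index/EventId).
$rows = @($matched | Select-Object TimeCreated, RecordId, Id, ProviderName,
                                   LevelDisplayName, MachineName, Message)

# Export-Csv quotes every field, so a Message containing newlines stays inside one cell when
# the file is opened in Excel; UTF8 keeps non-ASCII message text intact.
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Interactive view, as in the thread; filter and sort further in the grid.
$rows | Out-GridView -Title "$LogName events containing '$Substring'"

"Matched $($rows.Count) of $($events.Count) events; CSV written to $OutFile"
```

Run it as `.\Filter-EventLog.ps1 -LogName System -Substring Ntp` (any script file name works). If the rendered Message is all you need, drop the `$dataText` line and keep only the `-like` test on Message; the Properties scan is what makes the raw Data values searchable for events whose message template omits some of them.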

BlearyEyeAuthor Commented:
I came up with the final answer, with help from others.
