Solved

Creating Script to Search Text-based Log File for Strings then Output Timestamp for Each

Posted on 2016-08-08
2
20 Views
Last Modified: 2016-09-21
Hey Guys -

I need some assistance creating a script, please, and really don't know where to begin...

What I'm Trying to Do
What I'd like to do is create a script which would prompt you for a hostname, then search a single log file for about 8 different unique strings which represent milestones of the process.  Once each string is found, it should save the timestamp from that line until all have been found.  Finally, it should output a list of the predefined milestones and place the captured timestamps next to each.  Below is an example of the type of output I'm looking for:

Script Output Example
System Hostname: Workstation1
System Build Started at 1:27pm
- UDI Starts:                    1:28pm
- UDI Completes:           1:50pm
- Downloading WIM:     2:41pm
- WIM Applied to Disk:  3:32pm
etc...

I've played around with a few things with PowerShell so far and can find certain strings and save them as variables, but can't figure out how to tell PS to save the timestamp into a variable yet. :(

Explanation
The vast majority of work I do is with SCCM in which almost everything has its own log file as the client on each workstation alone has 120+ log files.  For those not familiar with OSD, the primary log file it uses is named smsts.log which is easy to read when viewed in CMTrace, but when viewed with a text editor is formatted as shown below:

Snippet of smsts.log When Viewed in Text Editor
<![LOG[Disable: ]LOG]!><time="12:22:26.701+360" date="08-08-2016" component="TSManager" context="" type="1" thread="1528" file="tsxml.cpp:488">
<![LOG[Run in attribute: WinPEandFullOS]LOG]!><time="12:22:26.701+360" date="08-08-2016" component="TSManager" context="" type="1" thread="1528" file="tsxml.cpp:496">
<![LOG[Timeout: ]LOG]!><time="12:22:26.701+360" date="08-08-2016" component="TSManager" context="" type="1" thread="1528" file="tsxml.cpp:500">
<![LOG[DefaultVarlist found]LOG]!><time="12:22:26.701+360" date="08-08-2016" component="TSManager" context="" type="1" thread="1528" file="tsxml.cpp:583">
<![LOG[No variables found in default variable list]LOG]!><time="12:22:26.701+360" date="08-08-2016" component="TSManager" context="" type="1" thread="1528" file="tsxml.cpp:610">

Open in new window

As you can see, there is a format to each line which includes the type of message, timestamp, the message, etc.  This log file is located in the same place on all workstations at "C:\Windows\CCM\smsts.log"

I've gone through a few of these logs from different systems and located common log entries for each major milestone of the OSD process.  For example, searching the log for the line that includes "Installing software for PackageID='AHS000F3'" will only result in one line and would represent a certain application being installed.  So far, I've identified a unique string for each of the 8 milestones I have planned for.

Extra Credit
I don't know how much more difficult this would be, but if possible to take it one step further and instead of listing the timestamp, listing the 1st milestone as 0:00:00 and then each milestone thereafter displaying just the difference in time between it occurring and when it started (so you can see exactly how long it too to reach certain stages without math), that would be ideal.  If you have an idea for how to do that without too much additional scripting please fill me in.

Thanks Guys - I appreciate the help!
0
Comment
Question by:BzowK
  • 2
2 Comments
 
LVL 82

Accepted Solution

by:
oBdA earned 500 total points (awarded by participants)
Comment Utility
This should do the trick.
If you pass it an array with patterns to match against the log content, it will only list the matching entries.
It writes custom objects with the properties ComputerName, Time, Offset, Component, File, Log to the pipeline, from where you can process them further.
Example (yes, it actually is 'exeuction'):
Get-Content .\clients.txt | .\Import-Smsts.ps1 -Verbose -FilterLog 'Installing software for PackageID*', 'The task exeuction engine successfully completed*' | Export-Csv C:\Temp\smsts.csv

Open in new window

[CmdletBinding()]
Param(
	[Parameter(ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, Position=0)]
	[String[]]$ComputerName = @($ENV:ComputerName),
	[String]$Path = "${ENV:SystemRoot}\CCM\Logs\smsts.log",
	[String[]]$FilterLog = @()
)
Begin {
	$Write = $True
}
Process {
	ForEach ($Computer In $ComputerName) {
		"Processing $($Computer) ..." | Write-Verbose
		$OffsetStart = $Null
		$FullPath = If ($Computer -eq $ENV:ComputerName) {$Path} Else {"\\$($Computer)\$($Path.Replace(':', '$'))"}
		$Content = Get-Content -Path $FullPath -Raw -ErrorAction Stop
		[regex]::Matches($Content, '<!\[LOG(?<open>\[)(?<Log>.*?)(?<-open>])LOG]!>(?<open><)(?<Properties>.*?)(?<-open>>)', 'SingleLine') | ForEach-Object {
			$Groups = $_.Groups | Select-Object -ExpandProperty Value
			$Properties = [regex]::Matches($Groups[3], '\S+=".*?"') | Select-Object -ExpandProperty Value | ConvertFrom-StringData
			[void]($Properties.time.Trim('"') -match '(?<Time>.*\+|-)(?<Offset>.*)')
			$LocalTime = [DateTime]::ParseExact(($Properties.date.Trim('"') + ' ' + $Matches['Time'] + [string]([int]$Matches['Offset'] / 60)), 'MM-dd-yyyy HH:mm:ss.fffz', $Null)
			If ($FilterLog) {
				$Write = $False
				ForEach ($Pattern In $FilterLog) {
					If ($Groups[2] -like $Pattern) {
						$Write = $True
						Break
					}
				}
			}
			If ($Write) {
				If (-not $OffsetStart) {
					$OffsetStart = $LocalTime
				}
				New-Object -TypeName PSObject -Property ([ordered]@{
					'ComputerName' = $Computer
					'Time' = $LocalTime
					'Offset' = $LocalTime - $OffsetStart
					'Component' = $Properties.component.Trim('"')
					'File' = $Properties.file.Trim('"')
					'Log' = $Groups[2]
				})
			}
		}
	}
}
End {
}

Open in new window

0
 
LVL 82

Expert Comment

by:oBdA
Comment Utility
Reasonably certain that the script provided parses the log files as required, including the time offset.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
How to sign a powershell script so you can prevent tampering, and only allow users to run authorised Powershell scripts
Learn the basics of if, else, and elif statements in Python 2.7. Use "if" statements to test a specified condition.: The structure of an if statement is as follows: (CODE) Use "else" statements to allow the execution of an alternative, if the …
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now