Filter Event logs via PowerShell

Morning all

So, I'm running the code

Get-WinEvent -LogName Microsoft-Windows-Deduplication/operational| where ID -EQ "4134" | Select-Object Message -ExpandProperty Message 



Which is fine, however I want to filter a single line out and only display

File path:

This is so I can robocopy the files out and back in again. How can I filter on the response text?

Thanks
Alex
Alex Green (Project Systems Engineer) asked:

oBdA commented:
First thing to do is to correct your filter. Always filter as close to the source as possible. Currently, you're retrieving each and every event in that log, passing it to PS, and then filtering there. Use the -FilterHashtable argument instead with this filter:
$filter = @{Id=4134; LogName='Microsoft-Windows-Deduplication/operational';}


The best way is probably not to parse the message text, but to retrieve the path from the event XML. Please run
$filter = @{Id=4134; LogName='Microsoft-Windows-Deduplication/operational';}
(Get-WinEvent -FilterHashtable $filter -MaxEvents 1) .ToXml()| clip.exe


This will put the latest event as XML into the clipboard. Paste it into your favorite editor, replace any sensitive information, and post it here.
Alex Green (Project Systems Engineer, Author) commented:
oBdA

Here is the output

Error-specific details:
   Error: ReadFile(\\?\Volume{dcf63328-d8ee-44e4-92f6-5552f365d729}\System Volume Information\Dedup\ChunkStore\{07C770BC-E0D5-42E5-B1A9-25978E2ACDEF}.ddp\Data\000000d6.00040000.ccc, Offset 8192 (0x2000), Data 000000A44DE8DA00, DataSize 512 (0x200), ...), 0x80070026, Reached the end of the file.
</Data><Data Name='DebugInfo'>Code: CSTUTILS.00000178; Call: CSTUTILS.00000146; CMD: C:\WINDOWS\SYSTEM32\FSDMHOST.EXE {3c5ac968-c7ee-4494-86f9-fd1d870987b8} 4fe7495b-51e3-4f6f-95d8-4d2a56229a60 348eab9b-ec9e-43ea-a335-61d2e11faf71 OptimizationJob       ; User: Name: NT AUTHORITY\SYSTEM, SID:S-1-5-18 </Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Deduplication' Guid='{F9FE3908-44B8-48D9-9A32-5A763FF5ED79}'/><EventID>4134</EventID><Version>0</Version><Level>3</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2018-11-30T21:56:45.664344200Z'/><EventRecordID>214349</EventRecordID><Correlation/><Execution ProcessID='33560' ThreadID='26380'/><Channel>Microsoft-Windows-Deduplication/Operational</Channel><Computer>server003.uk.domain.net</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Context'>

Operation:
   Preparing a chunk store container for chunk insertion.
   Opening an existing chunk store container.
   Inserting a new chunk to a chunk store stream.
   Inserting a new chunk to a chunk store stream.
   Running the deduplication job.

Context:
   File offset: 4096
   File name: \\?\Volume{dcf63328-d8ee-44e4-92f6-5552f365d729}\System Volume Information\Dedup\ChunkStore\{07C770BC-E0D5-42E5-B1A9-25978E2ACDEF}.ddp\Data\000000d6.00040000.ccc
   Chunk store: \\?\Volume{dcf63328-d8ee-44e4-92f6-5552f365d729}\System Volume Information\Dedup\ChunkStore\{07C770BC-E0D5-42E5-B1A9-25978E2ACDEF}.ddp\Data
   File path: k:\ADH\Omitted\AppData\Microsoft\Web Server Extensions\Cache\FIle.web
   Volume name: K: (\\?\Volume{dcf63328-d8ee-44e4-92f6-5552f365d729}\)



I'm wanting just the file path :-)
oBdA commented:
Sorry, somehow a space ended up where it didn't belong (between the closing round bracket and ".ToXml()"); please try again:
$filter = @{Id=4134; LogName='Microsoft-Windows-Deduplication/operational';}
(Get-WinEvent -FilterHashtable $filter -MaxEvents 1).ToXml() | clip.exe 


Alex Green (Project Systems Engineer, Author) commented:
Yeah I noticed that, so I sorted it :D

I did post the reply up

Thanks
Alex
oBdA commented:
I'm looking for the full plain XML. The XML you posted above is only valid if lines 3 and 4 are swapped, and the context node is empty.
Alex Green (Project Systems Engineer, Author) commented:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Deduplication' Guid='{F9FE3908-44B8-48D9-9A32-5A763FF5ED79}'/><EventID>4134</EventID><Version>0</Version><Level>3</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2018-12-01T16:53:14.445316700Z'/><EventRecordID>214866</EventRecordID><Correlation/><Execution ProcessID='22096' ThreadID='30716'/><Channel>Microsoft-Windows-Deduplication/Operational</Channel><Computer>Server.domain.net</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Context'>

Operation:
   Compact Data Containers
   Starting deep garbage collection on data containers.
   Deep garbage collection initialization has started.
   Running the deduplication garbage collection job.

Context:
   File name: \\?\Volume{9cad07de-88f4-48ca-8243-8838d2addae6}\System Volume Information\Dedup\ChunkStore\{57ACF9BF-F4A2-4B01-A375-D3892C39B514}.ddp\Data\00000155.001c0000.ccc
   File name: \\?\Volume{9cad07de-88f4-48ca-8243-8838d2addae6}\System Volume Information\Dedup\ChunkStore\{57ACF9BF-F4A2-4B01-A375-D3892C39B514}.ddp\Data\00000155.001b0000.ccc
   Volume name: \\?\Volume{9cad07de-88f4-48ca-8243-8838d2addae6}\
   Volume name: F: (\\?\Volume{9cad07de-88f4-48ca-8243-8838d2addae6}\)

Error-specific details:
   Error: Unexpected signature 0x00000000 (Expected 0x72686b43), MajorVersion 66, 0x8056531d, The data is invalid.
</Data><Data Name='DebugInfo'>Code: CSTUTILS.00002077; Call: CSTUTILS.00002024; CMD: C:\WINDOWS\SYSTEM32\FSDMHOST.EXE {589a3bcb-3866-4be6-bb43-fd2f9c61f74b} 2039969b-67b3-4c1a-9d46-9ba9ea440bbb 348eab9b-ec9e-43ea-a335-61d2e11faf71 OptimizationJob       ; User: Name: NT AUTHORITY\SYSTEM, SID:S-1-5-18 </Data></EventData></Event>


It is missing the one line I want though, to be honest.
oBdA commented:
Pity, then the XML won't work; I was hoping for better access to the elements of the events.
Then I need the (sanitized, but with any leading spaces/tabs left in place) output of this, in [code] tags:
$filter = @{Id=4134; LogName='Microsoft-Windows-Deduplication/operational';}
$msg = Get-WinEvent -FilterHashtable $filter -MaxEvents 1) | Select-Object -ExpandProperty Message


Alex Green (Project Systems Engineer, Author) commented:
That code doesn't work, I can't figure out where you want the opening (

 -MaxEvents 1)
oBdA commented:
Remnant from .ToXml(); too much copy and paste, sorry.
Results will end up in the clipboard:
$filter = @{Id=4134; LogName='Microsoft-Windows-Deduplication/operational';}
Get-WinEvent -FilterHashtable $filter -MaxEvents 1 | Select-Object -ExpandProperty Message | clip.exe


Alex Green (Project Systems Engineer, Author) commented:
The data is invalid.


Operation:
   Preparing a chunk store container for chunk insertion.
   Opening an existing chunk store container.
   Inserting a new chunk to a chunk store stream.
   Inserting a new chunk to a chunk store stream.
   Running the deduplication job.

Context:
   File offset: 0
   File name: \\?\Volume{dcf63328-d8ee-44e4-92f6-5552f365d729}\System Volume Information\Dedup\ChunkStore\{07C770BC-E0D5-42E5-B1A9-25978E2ACDEF}.ddp\Data\000000d6.00040000.ccc
   Chunk store: \\?\Volume{dcf63328-d8ee-44e4-92f6-5552f365d729}\System Volume Information\Dedup\ChunkStore\{07C770BC-E0D5-42E5-B1A9-25978E2ACDEF}.ddp\Data
   File path: K:\ADH\Profile\AppData\SoftGrid Client.older\OUTLOOK.CTX-412B43A7-F2BE-4E37\UsrVol_sftfs_v1.pkg
   Volume name: K: (\\?\Volume{dcf63328-d8ee-44e4-92f6-5552f365d729}\)

Error-specific details:
   Error: ReadFile(\\?\Volume{dcf63328-d8ee-44e4-92f6-5552f365d729}\System Volume Information\Dedup\ChunkStore\{07C770BC-E0D5-42E5-B1A9-25978E2ACDEF}.ddp\Data\000000d6.00040000.ccc, Offset 0 (0x0), Data 000000A45035C400, DataSize 512 (0x200), ...), 0x80070026, Reached the end of the file.
Alex Green (Project Systems Engineer, Author) commented:
That is the file path I want to section out.
oBdA commented:
Try this:
$filter = @{Id=4134; LogName='Microsoft-Windows-Deduplication/operational';}
Get-WinEvent -FilterHashtable $filter |
	Select-Object -ExpandProperty Message |
	ForEach-Object {
		 $_ -split '(\r)?\n' |
			Where-Object {$_ -match '\A\s+File path:\s*(?<FilePath>.*?)\s*\Z'} |
			ForEach-Object {$Matches['FilePath']}
	}


Alex Green (Project Systems Engineer, Author) commented:
Oh my.... Oh my.... GOOOOOODNEESSS!!!!!!!!!!!!!!!!!!!

Every single time you impress me, I bow before your awesomeness.

You really are "One for all"
Alex Green (Project Systems Engineer, Author) commented:
Oh one last thing, any chance of getting time created in there to go with the file location?
oBdA commented:
Sure:
$filter = @{Id=4134; LogName='Microsoft-Windows-Deduplication/operational';}
Get-WinEvent -FilterHashtable $filter | Select-Object -Property `
	TimeCreated,
	@{n='FilePath'; e={
		$_.Message -split '(\r)?\n' |
			Where-Object {$_ -match '\A\s+File path:\s*(?<FilePath>.*?)\s*\Z'} |
			ForEach-Object {$Matches['FilePath']}
	}}


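Added example (not oBdA's or Alex's code): the same source-side filter and "File path:" extraction, carried through to what the question actually needs, a de-duplicated list of affected file paths with the event time, written to a CSV that a later robocopy step can read. Assumptions made here: the log name, event ID and the "   File path: <path>" message line are as posted in the thread; the -StartTime window, the output file name and the RecordId column are choices of this example, not part of the original answer.

```powershell
# Added example, not code from the thread. Collects the file paths reported by
# Deduplication event 4134, one row per distinct path, plus the time it was last seen.
param(
    # Assumption: look back seven days by default; pass -StartTime to change it.
    [datetime]$StartTime = (Get-Date).AddDays(-7),
    # Assumption: output location; any path the caller can write to will do.
    [string]$OutFile = "$env:TEMP\dedup-4134-paths.csv"
)

# Filter at the source: the event log service applies the ID and time
# filter, so only matching records are marshalled into PowerShell.
$filter = @{
    LogName   = 'Microsoft-Windows-Deduplication/Operational'
    Id        = 4134
    StartTime = $StartTime
}

# The path sits on its own line of the message, indented, after "File path:".
$pattern = '\A\s*File path:\s*(?<FilePath>.+?)\s*\Z'

# -ErrorAction SilentlyContinue: "no events found" is reported as an error;
# here an empty result is a valid outcome, not a failure.
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $event = $_
        # '\r?\n' without a capture group: with a group, -split would also emit
        # each captured "\r" as its own (harmless but noisy) element.
        $event.Message -split '\r?\n' |
            Where-Object { $_ -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    TimeCreated = $event.TimeCreated
                    RecordId    = $event.RecordId
                    FilePath    = $Matches['FilePath']
                }
            }
    }

# The same file can fail in several jobs; keep one row per path,
# carrying the most recent occurrence.
$unique = $hits |
    Sort-Object TimeCreated -Descending |
    Group-Object FilePath |
    ForEach-Object { $_.Group[0] }

$unique | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("{0} event(s), {1} distinct file path(s) written to {2}" -f `
    @($hits).Count, @($unique).Count, $OutFile)
```

Each row's FilePath can be split with Split-Path into the directory (Split-Path -Parent) and the file name (Split-Path -Leaf) that robocopy takes as its source folder and file-name arguments. Reading the Operational log needs the same rights Get-WinEvent already needed in the thread (local Administrators or membership in Event Log Readers); the script adds nothing beyond that.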
Alex Green (Project Systems Engineer, Author) commented:
Ohhhh, I see how you did that, I wasn't far off

I did

Select-Object timecreated, message -expandproperty Message.

Thanks again :D