I am missing something obvious here I think? If I use $events.message I get the content of the message field for each event, if I try and use it in the pipeline below I get no content from the message field when outputting to FT? Is this pipeline behaviour?
$events=Get-WinEvent -LogName 'Symantec Endpoint Protection Client'
$events | Where-Object {$_.id -eq 51} | ft @{n='datetime'; e={$_.timecreated}}, @{n='machinename'; e={$_.machinename}}, @{n='Eventid'; e={$_.id}},@{n='Level';e={$_.leveldisplayname}},message
datetime machinename Eventid Level Message
20/07/2016 7:32:02 AM IT1234 51 Error …
TypeName: System.Diagnostics.Eventing.Reader.EventLogRecord
Message NoteProperty string Message= …
Your code works fine when I ran it against the Windows PowerShell log. Could be something weird with the Symantec log. Are you running this as admin?
It’s because the Message has a couple of blank lines at the top and you are not using Wrap in your table.
Try this
$events=Get-WinEvent -LogName 'Symantec Endpoint Protection Client'
$events | Where-Object {$_.id -eq 51} | ft @{n='datetime'; e={$_.timecreated}}, @{n='machinename'; e={$_.machinename}}, @{n='Eventid'; e={$_.id}}, @{n='Level';e={$_.leveldisplayname}}, message -wrap:$true
or if you would like to get rid of the white space
With wrap
$events=Get-WinEvent -LogName 'Symantec Endpoint Protection Client'
$events | Where-Object {$_.id -eq 51} | FT @{n='datetime'; e={$_.timecreated}}, @{n='machinename'; e={$_.machinename}}, @{n='Eventid'; e={$_.id}},@{n='Level';e={$_.leveldisplayname}}, @{n='message'; e={$_.message.trim()}} -wrap:$true
or without wrap
$events=Get-WinEvent -LogName 'Symantec Endpoint Protection Client'
$events | Where-Object {$_.id -eq 51} | FT @{n='datetime'; e={$_.timecreated}}, @{n='machinename'; e={$_.machinename}}, @{n='Eventid'; e={$_.id}},@{n='Level';e={$_.leveldisplayname}}, @{n='message'; e={$_.message.trim()}}
Thanks Curtis - all good, just tested both your changes - excellent
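The behaviour described in the answer above, as an added example that is not part of the original thread: it runs offline against constructed records instead of the Symantec log, and the helper name `ConvertTo-EventRow` and its `-SingleLine` switch are hypothetical.

```powershell
# Constructed sample records standing in for Get-WinEvent output (message text
# is invented); the first has the leading blank lines described in the answer.
$sample = @(
    [pscustomobject]@{
        TimeCreated      = [datetime]'2016-07-20T07:32:02'
        MachineName      = 'IT1234'
        Id               = 51
        LevelDisplayName = 'Error'
        Message          = "`r`n`r`nConstructed message text, line one.`r`nLine two."
    }
    [pscustomobject]@{
        TimeCreated      = [datetime]'2016-07-20T07:40:10'
        MachineName      = 'IT1234'
        Id               = 12
        LevelDisplayName = 'Information'
        Message          = 'Constructed single-line message.'
    }
)

# Hypothetical helper: trim the message, optionally fold it onto one line, and
# emit plain objects so the result can go to a table, a CSV file or a filter.
function ConvertTo-EventRow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [switch] $SingleLine
    )
    process {
        $text = ([string]$Record.Message).Trim()
        if ($SingleLine) { $text = $text -replace '\s*\r?\n\s*', ' ' }
        [pscustomobject]@{
            DateTime    = $Record.TimeCreated
            MachineName = $Record.MachineName
            EventId     = $Record.Id
            Level       = $Record.LevelDisplayName
            Message     = $text
        }
    }
}

# Untrimmed: the case from the question, where the Message column looks empty.
$sample | Where-Object Id -eq 51 | Format-Table TimeCreated, Id, Message

# Trimmed and folded: the same record shows its text without -Wrap.
$rows = $sample | Where-Object Id -eq 51 | ConvertTo-EventRow -SingleLine
$rows | Format-Table -AutoSize

# On a live system, feed the helper from the log named in the thread:
# Get-WinEvent -FilterHashtable @{ LogName = 'Symantec Endpoint Protection Client'; Id = 51 } | ConvertTo-EventRow -SingleLine
```

Because the helper returns objects rather than formatted text, `$rows` can also be piped to `Export-Csv` or `Where-Object` for later review.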