Parsing event log message data

After running the code below:

$xml = [xml](Get-Content Y:\SCOMLast24Hrs.xml)

$eventXML = [xml](Get-WinEvent -FilterXml $xml -ComputerName servername -MaxEvents 1).ToXML()

$eventXML.Event.EventData.Data[0]

I get the needed data:

p_StateChangeEventProcess – (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), (EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (Monitor
Id=f1baeb56-8cce-f8c7-79ae-d69796c9d926), (NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), (Context=), (RETURN_VALUE=0)

However, I would like to further parse the returned data. I would like to pull out the name=value pairs from within each set of parentheses separated by a comma, but haven’t quite gotten what I want.

Regex? ConvertFrom-String? Something else?

I will then convert the GUIDs into human-readable strings using the SCOM shell commands.

Thanks,
Marty

Well this is a partial because I’m not really sure what you want for an output. So in the sample code I separate the field name from the data with a couple of dots. There are all sorts of things you could do here (like creating objects) depending on the downstream consumer. And yes, this is based on a RegEx pattern match.

$rawData = "p_StateChangeEventProcess — (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), (EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (MonitorId=f1baeb56-8cce-f8c7-79ae-d69796c9d926), (NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), (Context=), (RETURN_VALUE=0)"
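# Split the string into one "(name=value)" chunk per field
$data = $rawData -split ", "
# Group 1 captures the field name, group 2 the (possibly empty) value
$pattern = [regex]"\((.+?)=(.*?)\)"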
foreach ($item in $data)
{
    if ($item -match $pattern)
    {
        "$($Matches[1]) .. $($Matches[2])"
    }
}

Series tied at 3 games apiece. Down by three. Bottom of the 9th. Bases loaded. Two outs. Full count. … Walk off grand slam. The fans go wild. You da’ man.

Exactly what I needed. I wanted to use the data on the left hand side of the equal sign as the property name and on the right hand side of the equal sign as the property value.

And translate the GUIDs to something readable by humans. I got that part. I can use the SCOM PowerShell commands to translate.

Thanks,
Marty

Thanks. Glad that worked for you. You could still do all sorts of things with it according to your needs. For instance, to create a hash table …

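# $data and $pattern come from the previous snippet.
# Named $eventData because $event is a PowerShell automatic variable.
$eventData = @{}
foreach ($item in $data)
{
    if ($item -match $pattern)
    {
        # Field name becomes the key, field value becomes the value
        $eventData.Add($Matches[1], $Matches[2])
    }
}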

PowerShell is the coolest. PowerShell plus RegEx is unbeatable when it comes to text manipulation. Enjoy!
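An added example, not code from either poster: it turns the same event string into an object whose property names come from the left of each equal sign, and it goes beyond the thread by matching over the whole string instead of splitting on ", ", so a value that itself contains a comma or parentheses survives. The function name ConvertFrom-EventDataString is hypothetical and the Context value in the sample is constructed (the original was empty).

```powershell
# Added example. $rawData is the string from the thread with a constructed Context value
# (the original was empty) that contains ", " and parentheses.
$rawData = 'p_StateChangeEventProcess – (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), ' +
    '(EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (MonitorId=f1baeb56-8cce-f8c7-79ae-d69796c9d926), ' +
    '(NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), ' +
    '(Context=note, with (parens)), (RETURN_VALUE=0)'

function ConvertFrom-EventDataString {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Text)

    # A pair closes only at a ")" followed by ", (" or the end of the text, so a value
    # holding ", " or ")" is kept whole. A value containing "), (" stays ambiguous.
    $pairRegex = [regex]'(?s)\((?<name>\w+)=(?<value>.*?)\)(?=,\s*\(|\s*$)'

    $props = [ordered]@{}
    foreach ($m in $pairRegex.Matches($Text)) {
        # Indexer assignment: a repeated name overwrites instead of throwing like .Add()
        $props[$m.Groups['name'].Value] = $m.Groups['value'].Value
    }
    [pscustomobject]$props
}

$evt = ConvertFrom-EventDataString -Text $rawData

# Event text is input, not trusted data: check the GUID fields before passing them on.
foreach ($field in 'BaseManagedEntityId', 'EventOriginId', 'MonitorId') {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse([string]$evt.$field, [ref]$parsed)) {
        Write-Warning "$field is not a valid GUID: '$($evt.$field)'"
    }
}

# Give the numeric and date fields real types so they sort and compare correctly.
$evt.NewHealthState = [int]$evt.NewHealthState
$evt.OldHealthState = [int]$evt.OldHealthState
$evt.TimeGenerated  = [datetime]::Parse($evt.TimeGenerated, [cultureinfo]::InvariantCulture)

$evt | Format-List
```

With the split-based approach, the constructed Context value would be cut at its inner ", " and the remainder would be dropped because it no longer matches the pattern.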