Read and Filter Eventlog

by Andy at 2013-02-05 01:55:00

Hi,

I need some help to filter Eventlog Messages.

With the following command
Get-EventLog -LogName Application -Newest 10 | ?{$_.eventid -eq "5082"} | select TimeGenerated,Message
I got this output
TimeGenerated Message
------------- -------
05.02.2013 10:49:54 Executing search: 968: Execution Time: SELECT * FROM NW…
05.02.2013 10:49:54 Executing search: 510: Execution Time: SELECT * FROM NW…
05.02.2013 10:49:51 Executing search: 824: Execution Time: SELECT * FROM NW…
05.02.2013 10:49:47 Executing search: 443: Execution Time: SELECT * FROM NW…
05.02.2013 10:49:45 Executing search: 289: Execution Time: SELECT * FROM NW…
05.02.2013 10:49:42 Executing search: 997: Execution Time: SELECT * FROM NW…
05.02.2013 10:49:40 Executing search: 695: Execution Time: SELECT * FROM NW…
05.02.2013 10:49:39 Executing search: 440: Execution Time: SELECT * FROM NW…

What I need to filter is the number after "Executing search:", i.e. I need to know when the search exceeded 1000. Can anyone please give me a hint?

Andy
by DonJ at 2013-02-05 08:10:56
That’s a little tough because it’s just a string. Having to compare it as a number is going to be tricky. Hmm. We might be able to try a split.

($_.Message.Split(':')[1]) -gt 1000

Might work. It’s splitting on the colon, so the number should become the second element ([1]) in the array.
by ArtB0514 at 2013-02-05 09:39:46
That’s really close. The problem is that there might still be some space characters in the split which will block the numeric test. There are two ways to easily get rid of the spaces:

[int]($_.Message.Split(':')[1]) – will force the split value to be an integer
($_.Message.Split(':')[1]).Trim() – will delete the spaces so PowerShell can do the appropriate type matching
by Andy at 2013-02-06 00:12:49
OK, thank you, but what would the command or script look like?
I tried
Get-EventLog -LogName Application -Newest 10 | ?{$_.eventid -eq "5082"} | where { ($_.Message.Split(':')[1]).Trim() } | select TimeGenerated,Message
by Klaas at 2013-02-06 00:30:22
If it’s OK to include 1000, isn’t a regex the simplest way?

Get-EventLog -LogName Application -Newest 10 | Where {$_.eventid -eq "5082" -And $_.message -Match "Executing search: \d{4}"}
by Andy at 2013-02-06 01:18:42
> Klaas wrote: If it’s OK to include 1000, isn’t a regex the simplest way?
>
> Get-EventLog -LogName Application -Newest 10 | Where {$_.eventid -eq "5082" -And $_.message -Match "Executing search: \d{4}"}

Thank you, that works. To make the output more comfortable, I do an Export-Csv and want to highlight the search time in Excel. So the methods above to convert the string into numbers would be better.
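The two approaches in this thread combined into one function, as an added example that is not from any of the posters: it pulls the number after "Executing search:" out of the message with a regex capture, casts it to [int] so the comparison is numeric, and emits the value as its own column so Export-Csv produces a number Excel can sort or conditionally format. It assumes the Application log, event ID 5082 and the message layout shown above; the function name and parameter names are made up for this example.

```powershell
# Added example (not from the thread): parse the number that follows
# "Executing search:" into an integer so it can be compared against a
# threshold and exported as a numeric CSV column.
# Assumptions: Application log, event ID 5082, message of the form
# "Executing search: <n>: Execution Time: ..." as shown in the thread.

function Get-SlowSearchEvent {
    [CmdletBinding()]
    param(
        [string]$LogName   = 'Application',
        [int]   $EventId   = 5082,
        [int]   $Threshold = 1000,
        [int]   $Newest    = 10
    )

    Get-EventLog -LogName $LogName -Newest $Newest |
        Where-Object { $_.EventID -eq $EventId } |
        ForEach-Object {
            # Capture the digits after "Executing search:"; events whose message
            # does not match are skipped rather than letting an [int] cast throw.
            if ($_.Message -match 'Executing search:\s*(\d+)') {
                [pscustomobject]@{
                    TimeGenerated = $_.TimeGenerated
                    SearchTime    = [int]$Matches[1]   # numeric, not a string
                    Message       = $_.Message
                }
            }
        } |
        Where-Object { $_.SearchTime -gt $Threshold }
}

# Usage: keep only searches over 1000 and write a CSV whose SearchTime
# column is numeric, so Excel can sort or highlight it directly.
Get-SlowSearchEvent -Threshold 1000 -Newest 10 |
    Export-Csv -Path .\slow-searches.csv -NoTypeInformation
```

Unlike the \d{4} regex, this keeps the threshold explicit (so 1000 itself is excluded, matching the original question) and still works for values with five or more digits.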