Learn about Windows PowerShell
Summary: Learn how to use Event Viewer custom views in Windows PowerShell to parse event logs quickly.
Hey, Scripting Guy! I love Windows 7. It absolutely rocks! One of the things I love about Windows 7, in addition to Windows PowerShell, is the new Event Viewer. I have created a custom view in my Event Viewer. I exported that custom view, and when I try to use it in the Get-WinEvent cmdlet, it fails. Can you help me? I would love to be able to use Windows PowerShell to parse my custom view of the event logs. I know you can do this because you are the greatest!
Microsoft Scripting Guy Ed Wilson here. I agree with you, at least on two counts. I also love Windows 7 and the new Event Viewer. The Windows PowerShell Get-WinEvent cmdlet is also very powerful, and provides lots of opportunities for experimentation. I have written many articles about using the Get-WinEvent cmdlet on the Hey, Scripting Guy! Blog.
So, let’s see what exactly you are talking about when it comes to exporting a custom view from the Event Viewer application. As shown in the following figure, when I open the Event Viewer, the top portion in the upper left section of the screen contains Custom Views.
To create a custom view, I select Create Custom View from the Action pane and the Create Custom View interface is displayed. This dialog box is shown in the following figure.
After I save the custom view, I can export it to XML by selecting the custom view, and clicking Export Custom View in the Action menu. This technique works great for exporting custom event log views either for backup purposes, or to use on other computers via the Event Viewer application. Unfortunately, it does not work when I attempt to import it via the Get-WinEvent cmdlet:
Get-WinEvent -FilterXml ([xml](Get-Content C:\fso\exportedCustomView.xml))
The command and associated error are shown in the following figure.
The error is generated because Export Custom View wraps the query in additional information that the Event Viewer needs to create and host the custom view. The Get-WinEvent cmdlet only needs the <QueryList> element.
To find the <QueryList> information, I click Filter Current Custom View in the Action menu. When the Filter Current Custom View dialog box appears, I click the XML tab. This displays the <QueryList> information, as shown in the following figure.
There is no copy button, even if you select the Edit query manually check box. But I can easily highlight everything with my mouse, and press Ctrl+C to copy the selection to the Clipboard. After I have copied the information to the Clipboard, I create a new text file, paste the contents, and save it with a .xml file extension. The following figure shows the contents of the custom event log view.
After I have only the <QueryList> information in a text file, I can now use the exact same command I used previously, but this time it works. The command I use is shown here:
Get-WinEvent -FilterXml ([xml](Get-Content C:\fso\Past24CustomView.xml))
The command and associated output are shown in the following figure.
Here are the steps I use:
1. Create and save the custom view in Event Viewer (Create Custom View in the Action pane).
2. Select the custom view and click Filter Current Custom View in the Action menu.
3. Click the XML tab to display the <QueryList> information.
4. Highlight the XML with the mouse and press Ctrl+C to copy it to the Clipboard.
5. Paste the Clipboard contents into a new text file and save it with a .xml file extension.
6. Run Get-WinEvent -FilterXml ([xml](Get-Content <path to the .xml file>)).
That is it. It seems like a lot of steps, but they are pretty logical. In addition, this provides an excellent way to process data quickly from multiple event logs.
LD, that is all there is to using a custom view from Event Viewer in a Windows PowerShell cmdlet. Join me tomorrow for more exciting Windows PowerShell tricks.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy
<p>this is good ... but you can do even better without the copy & paste approach :-)</p>
<p>You are right: The export to Xml does us no favour in encapsulating the XML element "QueryList" in some bigger Xml context. In fact it is just a node in the following hierarchy</p>
<p>We can address it directly by</p>
<p>Get-WinEvent -FilterXML ([xml](Get-Content C:\fso\exportedCustomView.xml)).ViewerConfig.QueryConfig.QueryNode.QueryList.OuterXml</p>
<p>or by </p>
<p>Get-WinEvent -FilterXml ([xml](Get-Content C:\fso\exportedCustomView.xml)).SelectSingleNode("//QueryList").OuterXml</p>
<p>I'd prefer the latter but if you know the structure, the former is a bit more efficient!</p>
<p>It's not too difficult to use a little bit of XML functionality, but I know that it is a big hurdle!</p>
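<p>As an added example (not code from the post or from the commenters), the script below automates both approaches discussed above: it pulls the <QueryList> node out of an exported custom view, saves it on its own so the original command works unchanged, and passes it straight to Get-WinEvent. The exported XML is constructed inline to mirror the structure the post describes, and the file paths are assumed placeholders.</p>

```powershell
# Constructed stand-in for C:\fso\exportedCustomView.xml (a "Past 24 hours"
# view over Application and System). The ViewerConfig/QueryConfig wrapper is
# what makes Get-WinEvent -FilterXml reject the exported file as-is.
$exported = @'
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <Simple>
        <Channel>Application,System</Channel>
        <RelativeTimeInfo>86400000</RelativeTimeInfo>
      </Simple>
    </QueryParams>
    <QueryNode>
      <Name>Past24</Name>
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
          <Select Path="System">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
'@

function Get-CustomViewQueryList {
    # Returns the <QueryList> element as its own [xml] document, or $null if
    # the document has none (e.g. the file is not an Event Viewer export).
    param([Parameter(Mandatory)][xml]$ViewerConfig)
    $node = $ViewerConfig.SelectSingleNode('//QueryList')   # works regardless of wrapper depth
    if (-not $node) { return $null }
    [xml]$node.OuterXml
}

$queryList = Get-CustomViewQueryList -ViewerConfig ([xml]$exported)
if (-not $queryList) { throw 'No <QueryList> element found in the exported view.' }

# Save just the <QueryList> so the post's Get-Content command works later
# without any copy and paste (assumed output path under %TEMP%).
$outFile = Join-Path $env:TEMP 'Past24CustomView.xml'
$queryList.Save($outFile)

# Run the filter directly against the live logs. SilentlyContinue because a
# channel that simply has no matching events makes Get-WinEvent emit an error.
Get-WinEvent -FilterXml $queryList -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName
```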
<p>@Klaus Schulte this is great! Thank you for sharing ... I did not think about doing this directly. Cool stuff.</p>
<p>I accidentally made a custom view and now my memory fills with unnecessary log information and makes everything very slow :(</p>
<p>I just want to delete the custom view. BUT it doesn't work, there is no option to delete a view once created?! This can't be true or a joke.</p>
<p>Am I totally blind or can someone help me please?</p>
<p>Can you create the custom view using PowerShell? Perhaps create it with PowerShell using the XML to import.</p>
<p>@Derek - Yes</p>
<p>See: <a rel="nofollow" target="_new" href="http://blogs.msdn.com/b/powershell/archive/2011/04/14/using-get-winevent-filterxml-to-process-windows-events.aspx">blogs.msdn.com/.../using-get-winevent-filterxml-to-process-windows-events.aspx</a></p>
<p>Post here: <a rel="nofollow" target="_new" href="http://social.technet.microsoft.com/Forums/en-US/ITCG/threads">social.technet.microsoft.com/.../threads</a></p>