Use Custom Views from Windows Event Viewer in PowerShell

Dr Scripto

Summary: Learn how to use Event Viewer custom views in Windows PowerShell to parse event logs quickly.

Question: Hey, Scripting Guy! I love Windows 7. It absolutely rocks! One of the things I love about Windows 7, in addition to Windows PowerShell, is the new Event Viewer. I have created a custom view in my Event Viewer. I exported that custom view, and when I try to use it in the Get-WinEvent cmdlet, it fails. Can you help me? I would love to be able to use Windows PowerShell to parse my custom view of the event logs. I know you can do this because you are the greatest!

—LD

Answer: Hello LD,

Microsoft Scripting Guy Ed Wilson here. I agree with you, at least on two counts. I also love Windows PowerShell 7 and the new Event Viewer. The Windows PowerShell Get-WinEvent cmdlet is also very powerful, and provides lots of opportunities for experimentation. I have written many articles about using the Get-WinEvent cmdlet on the Hey, Scripting Guy! Blog.

So, let's see what exactly you are talking about when it comes to exporting a custom view from the Event Viewer application. As shown in the following figure, when I open the Event Viewer, the top portion in the upper left section of the screen contains Custom Views.

Image of Custom Views in Event Viewer

To create a custom view, I select Create Custom View from the Action pane and the Create Custom View interface is displayed. This dialog box is shown in the following figure.

Image of Create Custom View dialog box

After I save the custom view, I can export it to XML by selecting the custom view, and clicking Export Custom View in the Action menu. This technique works great for exporting custom event log views either for backup purposes, or to use on other computers via the Event Viewer application. Unfortunately, it does not work when I attempt to import it via the Get-WinEvent cmdlet:

Get-WinEvent -FilterXml ([xml](Get-Content C:\fso\exportedCustomView.xml))

The command and associated error are shown in the following figure.

Image of command and associated error

The reason the error is generated is that Export Custom View includes additional information required by the Event Viewer to create and host the custom event view. What the Get-WinEvent cmdlet requires is only the <QueryList> information.

To find the <QueryList> information, I click Filter Current Custom View in the Action menu. When the Filter Current Custom View dialog box appears, I click the XML tab. This displays the <QueryList> data, as shown in the following figure.

Image of <QueryList> information on the XML tab

There is no copy button, even if you select the Edit query manually check box. But I can easily highlight everything with my mouse, and press Ctrl+C to copy the selection to the Clipboard. After I have copied the information to the Clipboard, I create a new text file, paste the contents, and save it with a .xml file extension. The following figure shows the contents of the custom event log view.

Image of contents of custom event log view

After I have just the <QueryList> information in a text file, I can use the exact same command I used previously, only this time it works. The command I use is shown here:

Get-WinEvent -FilterXml ([xml](Get-Content C:\fso\Past24CustomView.xml))

The command and associated output are shown in the following figure.

Image of command and associated output

Here are the steps I use:

  1. Create a custom view in the Event Viewer utility.
  2. Display the <QueryList> information from the custom view by clicking Filter Current Custom View in the Action menu.
  3. Click the XML tab.
  4. Highlight the <QueryList> information with your mouse, and press Ctrl+C to copy the <QueryList> data to the Clipboard.
  5. Open Notepad and paste the information from the Clipboard into the new text file.
  6. Save the file with a .xml file extension.
  7. Use the Get-Content cmdlet to read the contents of the XML file.
  8. Cast the returned data to the [xml] type and pass it to the FilterXml parameter of the Get-WinEvent cmdlet.

That is it. It seems like a lot of steps, but they are pretty logical. In addition, this provides an excellent way to process data quickly from multiple event logs.
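The whole procedure in one script, as an added example that is not from the original post: it writes a <QueryList> filter of the same shape Event Viewer shows on the XML tab (here, Critical, Error and Warning events from the past 24 hours in the System and Application logs), saves it, and passes it to Get-WinEvent; it also shows an alternative to the copy-and-paste steps by pulling the <QueryList> node straight out of the file that Export Custom View produces. The file paths are the ones used in the post, and the query text is a constructed sample.

```powershell
# Added example. Build the <QueryList> by hand instead of copying it from the
# Filter Current Custom View dialog. Level 1/2/3 = Critical/Error/Warning;
# timediff() is in milliseconds, so 86400000 ms = the past 24 hours.
$queryList = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@

# Step 6 of the post: save the filter with a .xml extension (path from the post).
$viewPath = 'C:\fso\Past24CustomView.xml'
Set-Content -Path $viewPath -Value $queryList -Encoding UTF8

# Steps 7 and 8: read the file, cast it to [xml], and hand it to -FilterXml.
# Get-WinEvent raises a non-terminating error when nothing matches, so an
# empty view is tolerated rather than treated as a failure.
$events = Get-WinEvent -FilterXml ([xml](Get-Content -Path $viewPath -Raw)) -ErrorAction SilentlyContinue

# Quick triage of what the view returned: the noisiest providers first.
$events |
    Group-Object -Property ProviderName |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# Alternative to steps 2 through 5: the file written by Export Custom View
# nests <QueryList> inside Event Viewer's own configuration elements, which is
# why passing the whole document to -FilterXml fails. The XPath below locates
# the <QueryList> node wherever it is nested, so no manual copying is needed.
$exported = [xml](Get-Content -Path 'C:\fso\exportedCustomView.xml' -Raw)
$node = $exported.SelectSingleNode('//QueryList')
if ($null -eq $node) { throw 'No <QueryList> element found in the exported custom view.' }
$sameEvents = Get-WinEvent -FilterXml ([xml]$node.OuterXml) -ErrorAction SilentlyContinue
"$($sameEvents.Count) events returned from the exported view's <QueryList>"
```

Both Get-WinEvent calls read the same logs, so the two result sets should match when the exported view and the hand-written filter describe the same query.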

LD, that is all there is to using a custom view from Event Viewer in a Windows PowerShell cmdlet. Join me tomorrow for more exciting Windows PowerShell tricks.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy