How to show event logs containing specific text from powershell

Here's what I ended up doing. It searches the value of several event properties for the text and shows them on the console:

$search = "hyper"
Get-EventLog -LogName system -after (Get-Date).AddDays(-1) |
    Where-Object { $_.Category.ToLower().Contains($search.ToLower()) -or
                   $_.Message.ToLower().Contains($search.ToLower()) -or
                   $_.Source.ToLower().Contains($search.ToLower()) } |
    Format-Table -AutoSize -Wrap

Example Output:

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    4751 Aug 10 09:13  Information Microsoft-Windows...           23 NIC /DEVICE/{FD82EC81-DC0D-4655-B606-0AA9AF08E6CC} (Friendly Name: Microsoft Hyper-V Network Adapter) is now operational.
    4750 Aug 10 09:13  Information Microsoft-Windows...           11 The description for Event ID '11' in Source 'Microsoft-Windows-Hyper-V-Netvsc' cannot be found.  The local computer may not have the necessary registr...
    4749 Aug 10 09:13  Information Microsoft-Windows...           24 NIC /DEVICE/{FD82EC81-DC0D-4655-B606-0AA9AF08E6CC} (Friendly Name: Microsoft Hyper-V Network Adapter) is no longer operational.

I'm new to powershell so it might not be the best way but it works. I hope it will save someone else some time.


Glad you got this working for you.

Point of note. You could have taken this approach as well, to simplify it a bit...

This approach will search all properties passed in for the string value and return the matches, without having to deal with case or specifying the search string per property, individually.

$Search = 'hyper'
(Get-EventLog -LogName system -after (Get-Date).AddDays(-1) | 
Select-Object -Property Category,Index,TimeGenerated,
EntryType,Source,InstanceID,Message) -match $Search | Format-Table -AutoSize

Category Index TimeGenerated        EntryType Source                             InstanceId Message
-------- ----- -------------        --------- ------                             ---------- -------
(0)      19637 10-Aug-18 17:06:16 Information Microsoft-Windows-Hyper-V-VmSwitch        233 The operation '8' ...
(0)      19636 10-Aug-18 17:06:16 Information Microsoft-Windows-Hyper-V-VmSwitch        234 NIC D6727298-4E...
(0)      19635 10-Aug-18 17:05:39 Information Microsoft-Windows-Hyper-V-VmSwitch        233 The operation ...
(0)      19634 10-Aug-18 17:05:39 Information Microsoft-Windows-Hyper-V-VmSwitch        234 NIC 75A04E6E-1...
(1019)   19621 10-Aug-18 12:33:17 Information Microsoft-Windows-Hyper-V-VmSwitch 

This would search all logs for a certain string in a certain time period. It can't be done in event viewer. Some logs require admin access.

Get-WinEvent -ListLog * | 
  foreach { get-winevent @{logname=$_.logname; starttime='2:45 pm' } -ea 0 } |
  where message -match 'whatever'

You can't pipe every logname directly to get-winevent. There is a 256-logname limit in the Windows API. This probably explains the limitation in the Event Viewer for creating a view with every log as well.

get-winevent -ListLog * | get-winevent  # powershell 7

Get-WinEvent: Log count (445) is exceeded Windows Event Log API limit (256). Adjust filter to return less log names.

Search all logs in parallel for a string in powershell 7 in a matter of seconds:

get-winevent -listlog * | 
% -parallel { get-winevent @{ logname = $_.logname } -ea 0 } | ? message -match cpu
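An added example that is not from any of the answers above: it searches every readable log for a case-insensitive regex within a time window, but keeps each Get-WinEvent call under the 256-log API limit mentioned above by querying log names in chunks, so it also runs on Windows PowerShell 5.1 where ForEach-Object -Parallel is unavailable. The function name, its parameters and the chunk size are assumptions, not an existing cmdlet.

```powershell
# Added example: search all event logs for a pattern, chunking log names so that
# no single Get-WinEvent call exceeds the 256-log Windows API limit.
function Find-EventText {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Pattern,      # regex; -match is case-insensitive
        [datetime] $StartTime = (Get-Date).AddDays(-1),
        [int] $ChunkSize = 100                         # assumed value; must stay below 256
    )

    # Enumerate log names; logs the current user cannot open are skipped silently.
    $logNames = @((Get-WinEvent -ListLog * -ErrorAction SilentlyContinue).LogName)

    for ($i = 0; $i -lt $logNames.Count; $i += $ChunkSize) {
        $end   = [Math]::Min($i + $ChunkSize, $logNames.Count) - 1
        $chunk = $logNames[$i..$end]

        # One query per chunk. StartTime is evaluated by the event log service,
        # so events outside the window are never marshalled into the pipeline.
        Get-WinEvent -FilterHashtable @{ LogName = $chunk; StartTime = $StartTime } `
                     -ErrorAction SilentlyContinue |
            Where-Object {
                # Also match on the provider name so that entries whose message
                # template is missing (the "description cannot be found" case in
                # the first answer's output) are still found by their source.
                $_.Message -match $Pattern -or $_.ProviderName -match $Pattern
            } |
            Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
                          @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
    }
}

# Usage: Find-EventText -Pattern 'hyper' | Format-Table -AutoSize
```

A chunk that contains a log the caller cannot read may be dropped as a whole by the suppressed error, so run elevated or lower $ChunkSize if results look incomplete.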