GetEventLog - how to have 'Message' property expanded in one line


  • Friday, January 18, 2013 2:25 PM
     

    In PowerShell v2 I'm using this cmdlet Get-EventLog Security | Export-csv C:\file.txt and get the following result.

    I need to get all information in one line. In my sample the 'Message' property is multiline.

    "538","MYPC","System.Byte[]","28330","Accesso/fine sess.","2","SuccessAudit","Fine sessione dell'utente:
    
        Nome utente:    myusername
    
        Dominio:        MYPC
    
        ID di accesso:  (0x0,0x58C702F)
    
        Tipo di accesso:    3
    ","Security","System.String[]","538","18/01/2013 10:35:54","18/01/2013 10:35:54","MYPC\myusername",,
    

    I also tried with Format-Table but it truncates the Message field.

All Replies

  • Friday, January 18, 2013 2:50 PM
     
     

    You will have to manually convert the message field.  It can be a big problem because the text can have characters that can break a CSV file.

    @{Name='Message';Expression={$_.Message|out-string}}

    The message field has line feeds. It will not work when all on one line.

    You need to spend some time learning how the eventlog is used.

    To save a copy of the event log use backup.  It will save the log in the correct format.


    ¯\_(ツ)_/¯


  • Friday, January 18, 2013 3:00 PM
     
     

    Hi

    Thanks for the answer, JRV.

    Today is the first time I'm using PowerShell. I will use a PowerShell script to get the event log from many hosts and save the data in my database (through a small application which I had written in C#).

    No matter if the file is a csv txt. I need to have every single event entry in one line.

    • Edited by d.chamba Friday, January 18, 2013 3:00 PM
  • Friday, January 18, 2013 3:21 PM
     
     

    It does not have to be in one line to put it in a database.

    To load eventlog extractions to a database we normally use LogParser 2.2 which can write directly to a database and it knows how to parse the fields for loading.

    http://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx


    ¯\_(ツ)_/¯

  • Tuesday, January 22, 2013 5:11 PM
     

    This was my solution:

    Select the fields you want to export and replace the Message field with a mangled version of itself:

    Get-EventLog Security `
      | select EventId, ..., @{n='Message';e={$_.Message -replace '\s+', " "}} `
      | Export-Csv "C:\file.txt"
    • Marked As Answer by d.chamba Tuesday, January 22, 2013 5:11 PM
  • Tuesday, January 22, 2013 8:00 PM
     
     

    This would be better as it can be returned back to the original.

    @{n='Message';e={$_.Message -replace '\n', "|"}}

    This places pipes where the line breaks were and does not mangle everything.

    Normally we do not save the message templates but only save the ReplacementStrings.  This is an array of strings that are stuffed into the template when we view the message.

    You are free to do it your way but it saves a huge amount of redundant text.


    ¯\_(ツ)_/¯
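
Added example (not code from any post in this thread): a reversible way to put each event on one CSV line, which escapes CR, LF and tab instead of collapsing them and joins the ReplacementStrings array that Export-Csv otherwise writes as "System.String[]". The $sample record and the helper names ConvertTo-SingleLine and ConvertFrom-SingleLine are constructed for this illustration.

```powershell
# Constructed sample standing in for one Get-EventLog Security entry (not real log data).
$sample = New-Object PSObject -Property @{
    EventID            = 538
    Message            = "User Logoff:`r`n`r`n`tUser Name:`tmyusername`r`n`tAccount:`tMYPC\myusername`r`n"
    ReplacementStrings = @('myusername', 'MYPC', '(0x0,0x58C702F)', '3')
}

# Hypothetical helper: flatten a string to one line without losing information.
# The backslash is escaped first so the markers \r, \n and \t stay unambiguous.
function ConvertTo-SingleLine([string]$Text) {
    $Text.Replace('\', '\\').Replace("`r", '\r').Replace("`n", '\n').Replace("`t", '\t')
}

# Hypothetical helper: exact inverse of ConvertTo-SingleLine.
function ConvertFrom-SingleLine([string]$Text) {
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Text.Length; $i++) {
        if ($Text[$i] -ne '\' -or $i + 1 -ge $Text.Length) {
            [void]$sb.Append($Text[$i]); continue
        }
        $i++   # skip the backslash and decode the character after it
        switch -CaseSensitive ([string]$Text[$i]) {
            'r'     { [void]$sb.Append("`r") }
            'n'     { [void]$sb.Append("`n") }
            't'     { [void]$sb.Append("`t") }
            default { [void]$sb.Append($Text[$i]) }
        }
    }
    $sb.ToString()
}

# One CSV row per event. Each replacement string is escaped, then the array is
# joined with a raw tab, which cannot occur inside an escaped element.
$csv = $sample |
    Select-Object EventID,
        @{n='Message'; e={ ConvertTo-SingleLine $_.Message }},
        @{n='ReplacementStrings'; e={
            ($_.ReplacementStrings | ForEach-Object { ConvertTo-SingleLine $_ }) -join "`t" }} |
    ConvertTo-Csv -NoTypeInformation

$csv   # emit the CSV text: a header line and one line for the event

# Self-checks: the data row has no line break, and decoding restores the original text.
if ($csv[1] -match '[\r\n]') { throw 'data row still contains a line break' }
$restored = ConvertFrom-SingleLine ($csv | ConvertFrom-Csv).Message
if ($restored -cne $sample.Message) { throw 'round trip changed the message' }
```

For real data, replace $sample with Get-EventLog Security and pipe to Export-Csv -NoTypeInformation instead of ConvertTo-Csv.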