select-string pipeline behaviour

  • Question

  • Hello, I ran the following command:

    $idx  = Get-WinEvent -LogName Security -max 1

    $idx.message | select-string -pattern "Account Name"

    but this gives me all of the message text, i.e. not only the needed string.

    But if I do $idx.message | out-file message.txt and select-string -path message.txt -pattern "Account Name", this works!



    Wednesday, October 15, 2014 9:43 AM

Answers

  • $idx.message is a multiline string. When you select-string from one string, you get the same string back.

    When you output a multiline string to a file and import it back, it is treated like an array of strings,

    and select-string from an array of strings shows only the one matching string.

    EDIT: This is a possible solution to your problem:

    $idx.message -split "`n" | select-string -pattern "Account Name"

    • Edited by Blindrood Wednesday, October 15, 2014 10:43 AM
    • Marked as answer by Sergey Aslanov Wednesday, October 22, 2014 6:01 AM
    Wednesday, October 15, 2014 9:58 AM
  • If you want a String object to be returned, this is another way to loop.

    $idx.message.Split("`n")|%{if($_.Contains('Account Name')){$_}}

    • Marked as answer by Sergey Aslanov Wednesday, October 22, 2014 6:03 AM
    Wednesday, October 15, 2014 10:55 AM
  • This is more direct since the "account" property does not exist on most records.

    $txt=Get-WinEvent -FilterHashtable @{Logname='Security';ID=4658} -max 2| %{$_.toXml()}
    [xml]$events="<events>$txt</events>"
    $events.events.event.eventdata.Data|select name,'#text'

    We can also devise XPath and other queries that can extract exacting information.


    ¯\_(ツ)_/¯

    • Marked as answer by Sergey Aslanov Wednesday, October 22, 2014 6:02 AM
    Wednesday, October 15, 2014 11:06 AM

All replies

  • This does all that is needed to find the records and trap the string.

    Get-WinEvent -LogName Security  | ?{$_.Message -match 'Account Name:(.*)'}|%{$matches[1]}


    ¯\_(ツ)_/¯

    Wednesday, October 15, 2014 10:57 AM
  • Using the older CmdLet we can extract the strings very easily.

    Get-EventLog security -Newest  10 -InstanceId 4658|%{$_.ReplacementStrings[1]}

    The "InstanceID" can take a list of event IDs.

    Get-EventLog security -Newest  40 -InstanceId 4656,4663,4658|
         %{'ID:{1} - Account:{0}' -f $_.ReplacementStrings[1],$_.InstanceID}


    ¯\_(ツ)_/¯

    Wednesday, October 15, 2014 11:15 AM
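
The Select-String behaviour discussed in this thread, as an added example that is not part of the original posts: one multi-line string piped in comes back whole, while split lines or a multiline regex return only the field. The message text is constructed and the function names are hypothetical; the split uses `\r?\n` on the assumption that the message has CRLF line breaks, as the sample does, since splitting on "`n" alone would leave a carriage return on every line.

```powershell
# Constructed sample (not a real event): a Message-style value, i.e. ONE
# string with embedded CRLF line breaks and tab-indented fields.
$message = @(
    'An account was successfully logged on.'
    ''
    'Subject:'
    "`tAccount Name:`t`tSYSTEM"
    "`tAccount Domain:`t`tNT AUTHORITY"
    ''
    'New Logon:'
    "`tAccount Name:`t`talice"
    "`tAccount Domain:`t`tEXAMPLE"
) -join "`r`n"

# One input object in, one MatchInfo out: its .Line holds the whole message.
function Get-WholeStringMatch {
    param([string]$Message, [string]$Pattern)
    $Message | Select-String -Pattern $Pattern
}

# Split on CRLF or LF first, so each line is its own input object and no
# stray carriage return stays on the returned text.
function Get-MessageLine {
    param([string]$Message, [string]$Pattern)
    $Message -split '\r?\n' | Select-String -Pattern $Pattern |
        ForEach-Object { $_.Line.Trim() }
}

# No split at all: a multiline regex with -AllMatches captures every value
# of the named field from the single string.
function Get-MessageField {
    param([string]$Message, [string]$Field)
    $regex = '(?m)^[ \t]*' + [regex]::Escape($Field) + ':[ \t]*(.*?)\r?$'
    $Message | Select-String -Pattern $regex -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[1].Value }
}

# Compare what each approach hands back for the same pattern.
(Get-WholeStringMatch $message 'Account Name').Line -eq $message
Get-MessageLine  $message 'Account Name'
Get-MessageField $message 'Account Name'
```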