Reading Event Data value that contains special character

  • Question

  • I have a scheduled task that reads Event data. I am having trouble because the data being read has special characters. For example, the value is "I am the Event Data, but I contain ' Special $haracters'. Help read me". The scheduled task is triggered by an event and the action is Powershell.exe .\Script.ps1 '$(EventData)'

    Powershell script would look like this

    Param(
        $data
    )

    Write-Host $data

    Thanks so much. I am struggling immensely 

    Saturday, November 17, 2018 8:53 PM

Answers

  • Based on the ValueQueries approach, instead of passing the EventData directly try passing EventRecordID to the script and then for example

    param ($data)

    $event = Get-EventLog -LogName Application -Index $data

    write-host $event.message

    • Marked as answer by Blue Leaf Tech Tuesday, November 20, 2018 6:41 PM
    Sunday, November 18, 2018 7:24 AM
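An added example (not code from this thread) of the record-ID approach in the answer above: only an integer record ID and a channel name cross the task's command line, and the script reads the event text itself, so quotes and `$` in the message are never parsed by PowerShell. The parameter names, the task arguments shown in the comment, and the use of Get-WinEvent in place of Get-EventLog are assumptions.

```powershell
# Assumed task action arguments, using the value names from the ValueQueries in this thread:
#   -NoProfile -File .\Script.ps1 -Channel $(eventChannel) -RecordId $(eventRecordID)
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[\w\-/]+$')]        # channel names: letters, digits, '_', '-', '/'
    [string]$Channel,

    [Parameter(Mandatory = $true)]
    [ValidateScript({ $_ -gt 0 })]
    [long]$RecordId                         # typed: a non-integer argument fails at binding
)

# RecordId is a validated integer, so placing it in the XPath filter cannot alter the query.
$filter = "*[System[EventRecordID=$RecordId]]"
$evt = Get-WinEvent -LogName $Channel -FilterXPath $filter -MaxEvents 1 -ErrorAction Stop

# Parse the event XML and walk every child of <EventData>. local-name() is used
# because the event document declares a default XML namespace.
$xml   = [xml]$evt.ToXml()
$nodes = $xml.DocumentElement.SelectNodes("//*[local-name()='EventData']/*")

$values = foreach ($node in $nodes) {
    [pscustomobject]@{
        Name  = $node.GetAttribute('Name')  # empty string for unnamed <Data> elements
        Value = $node.InnerText             # plain text: "'" and '$' are ordinary characters here
    }
}

if (-not $values) {
    # Providers that write no <EventData> still have a rendered message.
    Write-Output $evt.Message
} else {
    $values | Format-List
}
```

Because the event is located by record ID, this also works for unnamed `<Data>` elements such as the Citrix event quoted later in the thread.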

All replies

  • The PowerShell escape character is the backtick, "`", also called the back apostrophe. Any character can be escaped. You may need to use the -Replace function to escape expected characters.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Saturday, November 17, 2018 9:50 PM
  • "EventData" is not a single value. It is a collection of elements and extracting it alone will give you things you may not expect. You need to query for the elements of the EventData structure.

    This is what EventData can look like depending on the provider and the event ID.

      <EventData>
        <Data Name="ProcessId">0</Data>
        <Data Name="Application">-</Data>
        <Data Name="Direction">%%14592</Data>
        <Data Name="SourceAddress">151.101.210.110</Data>
        <Data Name="SourcePort">443</Data>
        <Data Name="DestAddress">10.0.0.248</Data>
        <Data Name="DestPort">52064</Data>
        <Data Name="Protocol">6</Data>
        <Data Name="FilterRTID">71101</Data>
        <Data Name="LayerName">%%14597</Data>
        <Data Name="LayerRTID">13</Data>
      </EventData>

    You need to make your XPath extract the elements you want separately.

    Event/EventData/Data[@Name="DestAddress"]

    Here is an example of a ValueQuery for data.

    <ValueQueries> 
    <Value name="AccountName">Event/EventData/Data[@Name='TargetUserName']</Value> 
    <Value name="eventChannel">Event/System/Channel</Value> 
    <Value name="eventRecordID">Event/System/EventRecordID</Value> 
    </ValueQueries>

    To discover the data look at the XML in the event viewer.

    For unnamed elements the event system will store them as "Param" with no identifier so you need to adjust the XPath.


    \_(ツ)_/


    • Edited by jrv Saturday, November 17, 2018 9:59 PM
    Saturday, November 17, 2018 9:58 PM
  • It's only one element, Data, which has the string that has the special characters that I read. I would like to pass that as a parameter to a PowerShell script so I could work with it.
    Saturday, November 17, 2018 10:09 PM
  • That "special character" may be a bit of Unicode, like a "LEFT-TO-RIGHT-MARK". Knowing what the character(s) is would be helpful. If you pipe "Data" to the "format-hex" cmdlet you should be able to identify what the character is, or at least what its hex value is -- and that may be a multi-byte character.

    You say that you're having trouble passing the data, but you don't say what the value of the data might be, or the "trouble" you're encountering.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Saturday, November 17, 2018 10:46 PM
  • Sorry, here is what the data looks like in Event Viewer. As you can see, the string contains "$", " ' ".

    <EventData>
        <Data> Failed to launch Resource 'Storename $P189' using Citrix XML Service at Address 'http://storefront'. The xml service has an error:'.</Data>
     </EventData>

    Saturday, November 17, 2018 10:52 PM
  • I see unbalanced single quote characters. Is that correct?

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Saturday, November 17, 2018 10:58 PM
  • That is correct. That is how the event data is written out by Citrix. 
    Saturday, November 17, 2018 11:15 PM
  • Sorry, here is what the data looks like in Event Viewer. As you can see, the string contains "$", " ' ".

    <EventData>
        <Data> Failed to launch Resource 'Storename $P189' using Citrix XML Service at Address 'http://storefront'. The xml service has an error:'.</Data>
     </EventData>

    Do you get the regular text around the special characters correctly?

    Are the odd characters in the beginning of the text or spaced through it?


    \_(ツ)_/

    Saturday, November 17, 2018 11:24 PM
  • Once you've read the data, try a regex on it (assuming the data's in a variable named $x):

    # Single-quoted so PowerShell does not consume the backtick; each $ becomes `$
    $x = $x -replace '\$', '`$'

    I'm assuming that when you tried passing the original data the "$P189" was replaced by a null string. That "$P189" was interpreted as the name of a variable which, of course, doesn't exist. Powershell can check for undeclared variables in an assignment, but I don't know how to get it to check for some arbitrary string that looks like a variable.

    If that doesn't work, try this regex to double up the single quotes in the string, and then pass the string by surrounding it with single quotes instead of double quotes:

    $x = $x -replace "'","''"


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Sunday, November 18, 2018 3:27 AM
  • You still haven't posted what your "ValueQuery" looks like. It should look like this.

          <ValueQueries>
            <Value name="eventData">Event/EventData/Data[@Name="SomeName"]</Value>
          </ValueQueries>
    

    The PowerShell arguments should look like this:

    -File .\Script.ps1 $(eventData)

    All elements are case sensitive.

    There is no way to return unnamed elements.  Microsoft query language is a subset of XPath and does not support all XML structures.

    Tell Citrix to upgrade their code to supply named properties using the newer API for the Event Log.


    \_(ツ)_/

    Sunday, November 18, 2018 8:45 AM
  • Thanks, I used this method to get around the bad format that Citrix is using when writing their event data. Thanks so much for all suggestions.
    Tuesday, November 20, 2018 6:42 PM