none
convert an event object (XML format) to text - Powershell RRS feed

  • Question

  • Hello

    Look at this powershell piece of code:

    $a = wevtutil qe System /q:"*[System/EventID=XXX]" /rd:true /c:1
    
    do something 
    
    echo $a > C:\Script\event.txt

    The output is not so user friendly.

    Nothing like the output of the following command:

    wevtutil qe System /q:"*[System/EventID=XXX]" /rd:true /c:1 /f:text > C:\Script\event.txt
    How can I "print" $a in this user friendly way?

    Thank you and sorry for this silly question: I' new to powershell programming.

    Wednesday, December 19, 2018 5:32 AM

Answers

  • function Format-XML ($xml, $indent = 2) {
        $StringWriter = New-Object System.IO.StringWriter
        $XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter
        $xmlWriter.Formatting = "indented"
        $xmlWriter.Indentation = $Indent
        $xml.WriteContentTo($XmlWriter)
        $XmlWriter.Flush()
        $StringWriter.Flush()
        $StringWriter.ToString()
    }
    
    [xml]$xml = wevtutil qe System /q:"*[System/EventID=7036] and *[EventData/Data[@Name='param1']='Spooler di stampa']" /rd:true /c:1
    Format-Xml $xml

    See: https://blogs.msdn.microsoft.com/powershell/2008/01/18/format-xml/



    \_(ツ)_/


    • Edited by jrv Wednesday, December 19, 2018 2:08 PM
    • Marked as answer by Bill_StewartModerator Wednesday, September 4, 2019 3:23 PM
    Wednesday, December 19, 2018 2:08 PM

All replies

  • The output is not so user friendly.

    What does that mean? Did you take a look at the help? "wevtutil /?"  ... or you could have searched for it ... wevtutil.

    The standard output is text unless you specify XML.


    Live long and prosper!

    (79,108,97,102|%{[char]$_})-join''

    Wednesday, December 19, 2018 7:35 AM
  • WEVUTIL can only return text as plain text or as XML text.  It cannot create objects.

    Powerhell can get objcts that can be user friendly.

    Get-WinEvent  @{Logname='System';ID=1234,6789,1,10}


    \_(ツ)_/

    Wednesday, December 19, 2018 10:47 AM
  • wevtutil qe System /q:"*[System/EventID=7036] and *[EventData/Data[@Name='param1']='Spooler di stampa']" /rd:true /c:1 /f:text

    give you an output like this

    Event[0]:
      Log Name: System
      Source: Service Control Manager
      Date: 2018-12-19T13:00:03.324
      Event ID: 7036
      Task: N/A
      Level: Informazioni
      Opcode: N/A
      Keyword: Classico
      User: N/A
      User Name: N/A
      Computer: XXX.YYYY.LOCAL
      Description: 
    Il servizio Spooler di stampa Þ ora in modalitÓ esecuzione.

    but:

    $a = wevtutil qe System /q:"*[System/EventID=7036] and *[EventData/Data[@Name='param1']='Spooler di stampa']" /rd:true /c:1
    $a

    give an output like this:

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-
    a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version
    ><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2018-12-19T12:00:03.3
    24918500Z'/><EventRecordID>123995</EventRecordID><Correlation/><Execution ProcessID='996' ThreadID='14100'/><Channel>System</Channel><
    Computer>XXX.YYYY.LOCAL</Computer><Security/></System><EventData><Data Name='param1'>Spooler di stampa</Data><Data Name='param2'
    >esecuzione</Data><Binary>530070006F006F006C00650072002F0034000000</Binary></EventData></Event>

    Yes, it's text... but I like more the first output.

    Wednesday, December 19, 2018 1:02 PM
  • Then use the first output.  You do not have to use XML.

    You issue has nothing to do with scripting.  You need to post in a forum for the OS you are working with.


    \_(ツ)_/

    Wednesday, December 19, 2018 1:53 PM
  • If you are trying to ask how to "pretty print" XML then here is a free tool:

    https://www.freeformatter.com/xml-formatter.html


    \_(ツ)_/

    Wednesday, December 19, 2018 1:59 PM
  • function Format-XML ($xml, $indent = 2) {
        $StringWriter = New-Object System.IO.StringWriter
        $XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter
        $xmlWriter.Formatting = "indented"
        $xmlWriter.Indentation = $Indent
        $xml.WriteContentTo($XmlWriter)
        $XmlWriter.Flush()
        $StringWriter.Flush()
        $StringWriter.ToString()
    }
    
    [xml]$xml = wevtutil qe System /q:"*[System/EventID=7036] and *[EventData/Data[@Name='param1']='Spooler di stampa']" /rd:true /c:1
    Format-Xml $xml

    See: https://blogs.msdn.microsoft.com/powershell/2008/01/18/format-xml/



    \_(ツ)_/


    • Edited by jrv Wednesday, December 19, 2018 2:08 PM
    • Marked as answer by Bill_StewartModerator Wednesday, September 4, 2019 3:23 PM
    Wednesday, December 19, 2018 2:08 PM