This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

PS: get-eventlog message export in csv only with file-path

Question
0

Sign in to vote
Hi there

We had some HDD issue and want to output all the lost data.
So with this command I get the messages I wanted but also with unnecessary information. What I'm looking for is an csv-output with just the path for a better overview.

Here is the command that is working successfully:

Get-EventLog -LogName System -EntryType Warning -Source NTFS -Message *File* | export-csv c:\temp\ntfscorrupt_all.csv

We have these log entries:

{Delayed Write Failed} Windows was unable to save all the data for the file \work\example\test.docx The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

So what option do I have to use, to get only the paths in the csv file like: \work\example\test.docx, \work\example\number2.docx....
- Edited by donduc_jr Tuesday, October 15, 2019 7:59 AM
Tuesday, October 15, 2019 7:55 AM

Answers

0

Sign in to vote
Get-WinEvent is the replacement for Get-Eventlog and has been since Vista. Search for articles that show how to use this.

Get-WinEvent -FilterHashtable @{LogName = 'System'; ProviderName='NTFS';Level=3;Data='2C-D0-5A-E9-E9-C4'}

You can use the XML part to extract specific items from the message.

help Get-WinEvent -online

\_(ツ)_/
- Proposed as answer by LeeSeenLiMicrosoft contingent staff Wednesday, October 16, 2019 6:47 AM
- Marked as answer by donduc_jr Thursday, October 24, 2019 2:55 PM
Tuesday, October 15, 2019 12:25 PM

All replies

0

Sign in to vote
Hi,

you can combine Search-String with RegEx expression to match the specific pattern.

Please check "Example 3: Find a pattern match" here:

Select-String

Regards,

(Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov
- Edited by Stoyan ChalakovMVP Tuesday, October 15, 2019 8:26 AM
Tuesday, October 15, 2019 8:25 AM

Sign in to vote

Sign in to vote

I still get the whole message with this command:

Get-EventLog -LogName System -EntryType Warning -Source NTFS -Message *File* -Newest 5 | Select-String -InputObject {$_.message} -Pattern 'File'

What is missing?

Tuesday, October 15, 2019 9:05 AM

0

Sign in to vote
Get-WinEvent is the replacement for Get-Eventlog and has been since Vista. Search for articles that show how to use this.

Get-WinEvent -FilterHashtable @{LogName = 'System'; ProviderName='NTFS';Level=3;Data='2C-D0-5A-E9-E9-C4'}

You can use the XML part to extract specific items from the message.

help Get-WinEvent -online

\_(ツ)_/
- Proposed as answer by LeeSeenLiMicrosoft contingent staff Wednesday, October 16, 2019 6:47 AM
- Marked as answer by donduc_jr Thursday, October 24, 2019 2:55 PM
Tuesday, October 15, 2019 12:25 PM