Windows – How to search string in Event Viewer XML Query

event-logevent-viewerwindows

Hello, in this section i want to know how to filter an event which contain Data with some words, for example:

Right Syntax:

*[EventData[Data[@Name='SourceAddress'] ='192.168.1.2']]

result: search all Events which Source Address = 192.168.1.2.

but i want to search all Events which contain LIKE 192.168.

Wrong Syntax:

*[EventData[Data[@Name='SourceAddress'] Like '192.168.']]

Best Answer

I want to search all Events which contain LIKE 192.168.

Unfortunately I don't think that is directly possible, because:

Windows Event Log supports a subset of XPath 1.0. There are limitations to what functions work in the query. For instance, you can use the "position", "Band", and "timediff" functions within the query but other functions like "starts-with" and "contains" are not currently supported.

Source Advanced XML filtering in the Windows Event Viewer

However, as w32sh pointed out in a comment, it is possible with PowerShell. See this Stack Overflow question: Using XPath starts-with or contains functions to search Windows event logs

Related Solutions

Windows – Show really all events from the Windows event log

Nirsoft's MyEventViewer is an alternative to the MS Event Viewer. It takes some time to open and sort all events (~80 seconds to load 100,000 events on my PC), it eventually displays them all. It has sort and find capabilities, so it should save you from carpal tunnel issues.

Edit: developer's recommended tool is now FullEventLogView. From the website:

FullEventLogView vs MyEventViewer

MyEventViewer is a very old tool originally developed for Windows XP/2000/2003. Starting from Windows Vista, Microsoft created a new event log system with completely new programming interfaces. The old programming interface still works even on Windows 10, but it cannot access the new event logs added on Windows Vista and newer systems. MyEventViewer uses the old programming interface, so it cannot display many event logs added on Windows 10/8/7/Vista. FullEventLogView uses the new programming interface, so it displays all events.

Windows – How to show event logs containing specific text from powershell

Here's what I ended up doing. It searches the value of several event properties for the text and shows them on the console:

$search = "hyper"
Get-EventLog -LogName system -after (Get-Date).AddDays(-1) | Where-Object { $_.Category.ToLower().Contains($search.ToLower()) -or $_.Message.ToLower().Contains($search.ToLower()) -or $_.Source.ToLower().Contains($search.ToLower())} | Format-Table -AutoSize -Wrap

Example Output:

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    4751 Aug 10 09:13  Information Microsoft-Windows...           23 NIC /DEVICE/{FD82EC81-DC0D-4655-B606-0AA9AF08E6CC} (Friendly Name: Microsoft Hyper-V Network Adapter) is now operational.
    4750 Aug 10 09:13  Information Microsoft-Windows...           11 The description for Event ID '11' in Source 'Microsoft-Windows-Hyper-V-Netvsc' cannot be found.  The local computer may not have the necessary registr...
    4749 Aug 10 09:13  Information Microsoft-Windows...           24 NIC /DEVICE/{FD82EC81-DC0D-4655-B606-0AA9AF08E6CC} (Friendly Name: Microsoft Hyper-V Network Adapter) is no longer operational.

I'm new to powershell so it might not be the best way but it works. I hope it will save someone else some time.

Best Answer

I want to search all Events which contain LIKE 192.168.

Related Solutions

Windows – Show really all events from the Windows event log

FullEventLogView vs MyEventViewer

Windows – How to show event logs containing specific text from powershell

Related Question