Author Posts

August 4, 2016 at 12:39 pm

Hi,
I have built a script that is triggered automatically whenever an event ID is registered in 'application' log.
I used to parse (using split) information from the event message to do staff with that. Now I have a newer version of the application that is writing to the event log and more info is in the message and thus the parsing breaks.
I am looking to find a better way to parse out the info that won't break anymore.
For instance:
I am looking to pull a number after the bellow specific sentence.
Lets say:
$Data = $Event[0].Message # is the message data of the first appearance

I need to find the number inside this sentence that will always appear (just the number changes) but I don't want to use split for spaces and choose the [6] as this changes.
Note: there are more numbers in $data I just need the one inside this sentence.
"A message with sequence number 17 has been sent"

Any ideas?

August 4, 2016 at 12:51 pm

I think using a regular expression with a named capture group could help here.

if ($Event[0].Message -match 'sequence number (?\d+)')
{
    'Sequence number found: {0}' -f $Matches.SequenceNumber
}

I hope that helps.

Best,
Daniel Krebs

August 4, 2016 at 1:45 pm

Void is used to omit the Boolean output.

[void]($Event[0].Message -match "number (?'num'\d+)") ; $Matches['num']

August 4, 2016 at 1:49 pm

Hi Daniel,
I tried the regex you suggested on an event that contains the following "A message with sequence number 18 has been sent".
I need to assign the number '18' to a var.

I did that: (added square brackets)

PS C:\> $b -match 'sequence number ([?\d+])'
True

How should I pull the number?

August 4, 2016 at 2:02 pm

You've got two options to get the number. Please don't add a square bracket to the regular expression pattern because some characters have a special meaning. You can learn about regular expressions here: http://www.regular-expressions.info/

I hope that helps.

Update: Using a Gist instead of embedded code.

August 4, 2016 at 2:08 pm

Unfortunately the forum software removed some characters from the code I've embedded.

Please check below to see a valid example:

August 4, 2016 at 2:21 pm

why don't you want to split the spaces? Seems obvious in the sentence to do so.

Without regex it's as simple as

'one two 3 four'.split() | ? {$_ -as [int]}

August 4, 2016 at 3:41 pm

PS C:\> ($b -match "A message with sequence number ([?'num'\d++])")
True
PS C:\> ($b -match "A message with sequence number (?'num'\d++)")
parsing "A message with sequence number (?'num'\d++)" – Nested quantifier +.
At line:1 char:1
+ ($b -match "A message with sequence number (?'num'\d++)")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException

I got 2 Issues:
1) I tried the regex without the [] but I get the above error.
2) When I try with the [] and pipe $matches I get a wrong number '1' instead of '18'
PS C:\Users\oferg> [void]($b -match "A message with sequence number ([?'num'\d++])"); $Matches

Name Value
—- —–
1 1
0 A message with sequence number 1

Sorry for nagging or not getting the right picture.

August 4, 2016 at 3:45 pm

Hi Dan,
In my initial script I used split to spaces and picked the right position, but as I said the whole message has changed and added more words so I need a bullet proof to catch the number I need. The whole event log message has few number in it, I only need the on e that has the sentence prefixed I mentioned.

August 4, 2016 at 4:55 pm

Just the same only a tad longer.

("A message with sequence number 17 has been sent" -split 'sequence number ')[1].split() | ? {$_ -as [int]}

August 4, 2016 at 5:00 pm

Here with more text for demonstration. String manipulation doesn't have to be complicated.

$event = @"

this is my full message
A message with sequence number 17 has been sent
end message 
"@


($event -split 'sequence number ')[1].split() | ? {$_ -as [int]}

August 4, 2016 at 6:42 pm

Hi Dan,
That really helped thank you very much I appreciate this.
And thanks for all other here.

August 5, 2016 at 12:50 pm

What is the string you need to search through? Would this be an example: "sequence number [17]"?

I would go for regexp as suggested, but brackets and other characters have special meaning.

$String = "sequence number [17]"

if ($String -match "sequence number \[(\d+)\]") {
    Write-Host $Matches[1]
}

This will print the number 17. If you do not understand the above code you could read more about regexp here (as suggested): http://www.regular-expressions.info/