Grouping on part of Windows Event message text

Welcome Forums General PowerShell Q&A Grouping on part of Windows Event message text

This topic contains 3 replies, has 4 voices, and was last updated by

 
Participant
3 months ago.

  • Author
    Posts
  • #134456

    Participant
    Points: 11
    Rank: Member

    Hello. Is it possible to group by part of the message content of Windows events?

    Basically I would like to group on a certain property (Image) which is located in the event message of a number of Sysmon events. I tried using regex to group by 'Image (.*)\s' but that did not work as below:

    Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational'} | group {$_.Message -like '*Image: (.*)\s*'}
    

    Is there a way that I can I group on all combinations of "Image: " which are located in the event's message?

     

     

  • #134463

    Moderator
    Points: 204
    Team MemberHelping Hand
    Rank: Participant

    Might be worth mentioning – like isn't quite Regex. You seem to have a bit of a mix of regex and wildcard there – -like accepts '*' as a wildcard character. You could try using "-match '.*Image: (.*)\s*'", which may work?

  • #134507
    js

    Participant
    Points: 968
    Helping Hand
    Rank: Major Contributor
  • #134865

    Participant
    Points: 343
    Helping Hand
    Rank: Contributor

    I would first filter events with Where-Object and then the grouping would be easier to do

    Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational'} |
        Where-Object Message -Match '.*Image: (.*)\s.*' |
        Group-Object -Property Message
    

The topic ‘Grouping on part of Windows Event message text’ is closed to new replies.

denizli escort samsun escort muğla escort ataşehir escort kuşadası escort