Grouping on part of Windows Event message text


This topic contains 3 replies, has 4 voices, and was last updated by Participant 4 days, 10 hours ago.

  • #134456

    Participant
    Points: 11
    Rank: Member

    Hello. Is it possible to group by part of the message content of Windows events?

    Basically I would like to group on a certain property (Image) which is located in the event message of a number of Sysmon events. I tried using regex to group by 'Image (.*)\s' but that did not work as below:

    Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational'} | group {$_.Message -like '*Image: (.*)\s*'}
    

    Is there a way that I can group on all combinations of "Image: " which are located in the event's message?


  • #134463

    Moderator
    Points: 121
    Team Member, Helping Hand
    Rank: Participant

    Might be worth mentioning – -like isn't quite regex. You seem to have a bit of a mix of regex and wildcard there – -like accepts '*' as a wildcard character. You could try using "-match '.*Image: (.*)\s*'", which may work?

  • #134507
    js

    Participant
    Points: 442
    Helping Hand
    Rank: Contributor
  • #134865

    Participant
    Points: 200
    Helping Hand
    Rank: Participant

    I would first filter events with Where-Object, and then the grouping would be easier to do.

    Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational'} |
        Where-Object Message -Match '.*Image: (.*)\s.*' |
        Group-Object -Property Message
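The snippet above groups on the whole Message, so every distinct message text becomes its own group. The following is an added example written for this thread (not code posted by any participant) that groups on the captured Image value itself, first by parsing the Message text as the moderator suggested, then by reading the event's structured EventData, which does not depend on the rendered text. It assumes Sysmon is installed, that the shell can read Microsoft-Windows-Sysmon/Operational (normally an elevated prompt), and that the Message is rendered in English so the label reads "Image:". The function name Get-SysmonImageGroups and the 5000-event cap are this example's own choices.

```powershell
# Added example for this thread, not code posted by any participant.
# Assumes Sysmon is installed, the caller can read the
# Microsoft-Windows-Sysmon/Operational log (normally an elevated shell),
# and the Message text is in English so the field label reads "Image:".

# One regex that captures only the value of the "Image:" line. The ^ anchor with
# (?m) keeps it from matching the "ParentImage:" line, and the lazy match plus
# trailing \s*$ trims the line ending.
$imagePattern = '(?m)^Image:\s*(?<image>.+?)\s*$'

# Approach 1: parse the rendered Message text. Group-Object accepts a script
# block as the property; -match inside it populates $Matches for that block,
# so the group key becomes the captured path rather than the whole Message.
$byImageFromText =
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational' } -MaxEvents 5000 |
    Where-Object { $_.Message -match $imagePattern } |
    Group-Object -Property { if ($_.Message -match $imagePattern) { $Matches['image'] } } |
    Sort-Object Count -Descending

$byImageFromText | Select-Object Count, Name -First 20

# Approach 2: read the structured EventData instead of the rendered text. The
# field names (Image, ParentImage, CommandLine, ...) are stable across locales,
# and events that carry no Image field are simply skipped.
function Get-SysmonImageGroups {
    param(
        [string]$LogName = 'Microsoft-Windows-Sysmon/Operational',   # assumed default
        [int]$MaxEvents = 5000                                        # example cap
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            # Each <Data Name="..."> element becomes a hashtable entry keyed by its Name.
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['Image']) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Id          = $_.Id            # e.g. 1 = process create, 3 = network connection
                    Image       = $data['Image']
                    CommandLine = $data['CommandLine']
                }
            }
        } |
        Group-Object -Property Image |
        Sort-Object Count -Descending
}

# Top images by event count across every Sysmon event type that carries Image.
Get-SysmonImageGroups | Select-Object Count, Name -First 20
```

Add an `Id` key to the FilterHashtable (for example `Id = 1` for process creation) to restrict the grouping to one event type; Get-WinEvent raises an error rather than returning an empty result when no events match, so wrap the call in try/catch if the script runs unattended. The second approach is the one to prefer for detection work, because the Image value comes from the event's own data fields rather than from text whose wording and language can change.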
    
