I am missing something here - Pipeline Behaviour?

This topic contains 3 replies, has 3 voices, and was last updated by Andrew 3 months, 3 weeks ago.

  • #51013
    Andrew
    Participant

    I am missing something obvious here I think? If I use $events.message I get the content of the message field for each event, if I try and use it in the pipeline below I get no content from the message field when outputting to FT? Is this pipeline behaviour?

    $events=Get-WinEvent -LogName 'Symantec Endpoint Protection Client'

    $events | Where-Object {$_.id -eq 51} | ft @{n='datetime'; e={$_.timecreated}}, @{n='machinename'; e={$_.machinename}}, @{n='Eventid'; e={$_.id}},@{n='Level';e={$_.leveldisplayname}},message

    datetime              machinename Eventid Level Message
    --------              ----------- ------- ----- -------
    20/07/2016 7:32:02 AM IT1234      51      Error ...

    TypeName: System.Diagnostics.Eventing.Reader.EventLogRecord

    Message NoteProperty string Message= ...

    • This topic was modified 3 months, 3 weeks ago by Andrew.
  • #51042
    Edmond Yee
    Participant

    Your code works fine when I ran it against the Windows PowerShell log. Could be something weird with the Symantec log. Are you running this as admin?

  • #51046
    Curtis Smith
    Participant

    It's because the Message has a couple of blank lines at the top and you are not using Wrap in your table.

    Try this

    $events=Get-WinEvent -LogName 'Symantec Endpoint Protection Client'
    
    $events | Where-Object {$_.id -eq 51} | ft @{n='datetime'; e={$_.timecreated}}, @{n='machinename'; e={$_.machinename}}, @{n='Eventid'; e={$_.id}}, @{n='Level';e={$_.leveldisplayname}}, message -wrap:$true
    

    or if you would like to get rid of the white space

    With wrap

    $events=Get-WinEvent -LogName 'Symantec Endpoint Protection Client'
    
    $events | Where-Object {$_.id -eq 51} | FT @{n='datetime'; e={$_.timecreated}}, @{n='machinename'; e={$_.machinename}}, @{n='Eventid'; e={$_.id}},@{n='Level';e={$_.leveldisplayname}}, @{n='message'; e={$_.message.trim()}} -wrap:$true
    

    or without wrap

    $events=Get-WinEvent -LogName 'Symantec Endpoint Protection Client'
    
    $events | Where-Object {$_.id -eq 51} | FT @{n='datetime'; e={$_.timecreated}}, @{n='machinename'; e={$_.machinename}}, @{n='Eventid'; e={$_.id}},@{n='Level';e={$_.leveldisplayname}}, @{n='message'; e={$_.message.trim()}}
    
    • This reply was modified 3 months, 3 weeks ago by Curtis Smith.
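The behaviour described in the reply above can be reproduced without the Symantec log. This is an added example, not code from any participant in the thread: the sample records and their message text are constructed, and `ConvertTo-EventSummary` is a hypothetical helper name.

```powershell
# Constructed records standing in for Get-WinEvent output. The message text is
# invented and starts with two blank lines, as described in the reply above.
$nl = [Environment]::NewLine
$events = @(
    [pscustomobject]@{
        TimeCreated      = Get-Date '2016-07-20T07:32:02'
        MachineName      = 'IT1234'
        Id               = 51
        LevelDisplayName = 'Error'
        Message          = "$nl$nl" + 'Sample error text (constructed)' + $nl + 'Second line of detail'
    }
    [pscustomobject]@{
        TimeCreated      = Get-Date '2016-07-20T07:40:00'
        MachineName      = 'IT1234'
        Id               = 12
        LevelDisplayName = 'Information'
        Message          = 'Unrelated informational event (constructed)'
    }
)

function ConvertTo-EventSummary {
    # Hypothetical helper: flattens a multi-line Message to one line for table display.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # Guard against a null Message before calling Trim()
        $text = if ($null -ne $Record.Message) { $Record.Message.Trim() } else { '' }
        [pscustomobject]@{
            DateTime    = $Record.TimeCreated
            MachineName = $Record.MachineName
            EventId     = $Record.Id
            Level       = $Record.LevelDisplayName
            # Drop empty lines and join the rest so no line break reaches the formatter
            Message     = ($text -split '\r?\n' | Where-Object { $_.Trim() }) -join ' | '
        }
    }
}

$hits = $events | Where-Object { $_.Id -eq 51 }

'--- raw Message, no -Wrap ---'
$hits | Format-Table TimeCreated, Id, Message | Out-String

'--- raw Message, -Wrap ---'
$hits | Format-Table TimeCreated, Id, Message -Wrap | Out-String

'--- flattened Message ---'
$hits | ConvertTo-EventSummary | Format-Table -AutoSize | Out-String
```

Format-Table output is for display only; to keep the full message text for later review, pipe the summary objects to Export-Csv instead.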
  • #51049
    Andrew
    Participant

    Thanks Curtis – all good, just tested both your changes – excellent
