Parsing event log message data


This topic contains 3 replies, has 2 voices, and was last updated by Bob McCoy 1 year, 9 months ago.

  • #29019
    Marty
    Participant

    After running the code below:

    $xml = [xml](Get-Content Y:\SCOMLast24Hrs.xml)

    $eventXML = [xml](Get-WinEvent -FilterXml $xml -ComputerName servername -MaxEvents 1).ToXML()

    $eventXML.Event.EventData.Data[0]

    I get the needed data:

    p_StateChangeEventProcess — (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), (EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (MonitorId=f1baeb56-8cce-f8c7-79ae-d69796c9d926), (NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), (Context=), (RETURN_VALUE=0)

    However, I would like to further parse the returned data. I would like to pull out the name=value pairs from within each set of parentheses separated by a comma, but haven't quite gotten what I want.

    Regex? ConvertFrom-String? Something else?

    I will then convert the GUIDs into human-readable strings using the SCOM shell commands.

    Thanks,
    Marty

  • #29021
    Bob McCoy
    Participant

    Well, this is a partial answer because I'm not really sure what you want for an output. So in the sample code I separate the field name from the data with a couple of dots. There are all sorts of things you could do here (like creating objects) depending on the downstream consumer. And yes, this is based on a RegEx pattern match.

    $rawData = "p_StateChangeEventProcess — (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), (EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (MonitorId=f1baeb56-8cce-f8c7-79ae-d69796c9d926), (NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), (Context=), (RETURN_VALUE=0)"
    # Split the message on ", " so each element carries one "(name=value)" group
    $data = $rawData -split ", "
    # Group 1 = the name (up to the first "="), group 2 = the value (up to the closing parenthesis)
    $pattern = [regex]"\((.+?)=(.*?)\)"
    foreach ($item in $data)
    {
        if ($item -match $pattern)
        {
            # $Matches holds the capture groups of the last successful -match
            "$($Matches[1]) .. $($Matches[2])"
        }
    }
    
  • #29023
    Marty
    Participant

    Series tied at 3 games apiece. Down by three. Bottom of the 9th. Bases loaded. Two outs. Full count. ........ Walk off grand slam. The fans go wild. You da' man.

    Exactly what I needed. I wanted to use the data on the left hand side of the equal sign as the property name and on the right hand side of the equal sign as the property value.

    And translate the GUIDs to something readable by humans. I got that part. I can use the SCOM PowerShell commands to translate.

    Thanks,
    Marty

  • #29027
    Bob McCoy
    Participant

    Thanks. Glad that worked for you. You could still do all sorts of things with it according to your needs. For instance, to create a hash table ...

    # $data and $pattern are the split message and the regex from the reply above
    $event = @{}
    foreach ($item in $data)
    {
        if ($item -match $pattern)
        {
            # Add() throws if a key repeats; use $event[$Matches[1]] = $Matches[2] to overwrite instead
            $event.Add($Matches[1], $Matches[2])
        }
    }
    

    PowerShell is the coolest. PowerShell plus RegEx is unbeatable when it comes to text manipulation. Enjoy!
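Putting the two replies together, as an added example that is not code from this thread: a function that parses the whole message in one regex pass (so a value that itself contains ", " is not torn apart by the split), constrains property names to identifier characters, converts GUIDs, integers and the timestamp to real types, and returns a PSCustomObject. The function names, the helper and the sample string are this example's own; the sample is constructed from the message shape quoted above, and the Get-WinEvent usage at the end is commented out because it needs the live server and the filter XML from the first post.

```powershell
# Added example, not from the original thread. Parses a SCOM
# "p_StateChangeEventProcess" message into a typed object.
Set-StrictMode -Version Latest

function ConvertTo-TypedValue {
    # Hypothetical helper: turn a raw field value into a GUID, int, datetime or string.
    param([string]$Raw)
    if ($Raw -eq '') { return $null }            # e.g. "(Context=)"
    $guid = [guid]::Empty
    if ([guid]::TryParse($Raw, [ref]$guid)) { return $guid }
    $int = 0
    if ([int]::TryParse($Raw, [ref]$int)) { return $int }
    # SCOM wrote the timestamp in US format; parse it with an explicit format and the
    # invariant culture instead of trusting the host's locale (a de-DE host rejects 8/26/2015).
    $dt = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($Raw, 'M/d/yyyy h:mm:ss tt',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$dt)
    if ($ok) { return $dt }
    return $Raw
}

function ConvertFrom-ScomEventData {
    # Hypothetical cmdlet name. Accepts the message text from the pipeline.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        # name: identifier characters only, so nothing odd becomes a property name.
        # value: everything up to the ')' that is followed by a comma or end of string,
        # which tolerates commas inside values (a ')' followed by ',' inside a value is not handled).
        $pattern = '\((?<name>\w+)=(?<value>.*?)\)(?=\s*,|\s*$)'
        $props = [ordered]@{}

        # Keep the leading token (the stored-procedure name) as its own property.
        if ($Message -match '^\s*(?<proc>\w+)\s') { $props['Procedure'] = $Matches['proc'] }

        foreach ($m in [regex]::Matches($Message, $pattern)) {
            $name = $m.Groups['name'].Value
            # Index assignment overwrites a repeated key instead of throwing like Add() does.
            $props[$name] = ConvertTo-TypedValue $m.Groups['value'].Value
        }
        [pscustomobject]$props
    }
}

# Constructed sample, copied from the message shape quoted in the thread.
$sample = 'p_StateChangeEventProcess — (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), (EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (MonitorId=f1baeb56-8cce-f8c7-79ae-d69796c9d926), (NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), (Context=), (RETURN_VALUE=0)'

$parsed = ConvertFrom-ScomEventData $sample
$parsed | Format-List
$parsed.MonitorId.GetType().Name       # Guid
$parsed.TimeGenerated.GetType().Name   # DateTime
$parsed.NewHealthState -gt $parsed.OldHealthState   # True (state degraded from 1 to 3)

# Against the live log, using the filter XML from the first post. Properties[0].Value is
# the same field as Event.EventData.Data[0] in the ToXml() output.
# $xml = [xml](Get-Content Y:\SCOMLast24Hrs.xml)
# Get-WinEvent -FilterXml $xml -ComputerName servername -MaxEvents 1 |
#     ForEach-Object { $_.Properties[0].Value } |
#     ConvertFrom-ScomEventData
```

Because the object carries real [guid] values, the downstream SCOM lookup can take them directly instead of re-parsing strings, and a comparison like NewHealthState -gt OldHealthState works numerically rather than lexically. The `\w+` constraint on names matters if the parsed names are ever used to build script text or filter strings; keep it even if the messages look well-behaved, since the text comes from the event log rather than from your own code.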
