Parsing event log message data

This topic contains 3 replies, has 2 voices, and was last updated by Bob McCoy 2 years, 3 months ago.

  • #29019

    Marty
    Participant

    After running the code below:

    $xml = [xml](Get-Content Y:\SCOMLast24Hrs.xml)

    $eventXML = [xml](Get-WinEvent -FilterXml $xml -ComputerName servername -MaxEvents 1).ToXML()

    $eventXML.Event.EventData.Data[0]

    I get the needed data:

    p_StateChangeEventProcess — (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), (EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (MonitorId=f1baeb56-8cce-f8c7-79ae-d69796c9d926), (NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), (Context=), (RETURN_VALUE=0)

    However, I would like to further parse the returned data. I would like to pull out the name=value pairs from within each set of parentheses separated by a comma, but haven't quite gotten what I want.

    Regex? ConvertFrom-String? Something else?

    I will then convert the GUIDs into human-readable strings using the SCOM shell commands.

    Thanks,
    Marty

  • #29021

    Bob McCoy
    Participant

    Well this is a partial because I'm not really sure what you want for an output. So in the sample code I separate the field name from the data with a couple of dots. There are all sorts of things you could do here (like creating objects) depending on the downstream consumer. And yes, this is based on a RegEx pattern match.

    # Sample string taken from the question above
    $rawData = "p_StateChangeEventProcess — (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), (EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (MonitorId=f1baeb56-8cce-f8c7-79ae-d69796c9d926), (NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), (Context=), (RETURN_VALUE=0)"
    # Split into the individual "(name=value)" chunks
    $data = $rawData -split ", "
    # Group 1 captures the name, group 2 the value, between the parentheses
    $pattern = [regex]"\((.+?)=(.*?)\)"
    foreach ($item in $data)
    {
        if ($item -match $pattern)
        {
            "$($Matches[1]) .. $($Matches[2])"
        }
    }

  • #29023

    Marty
    Participant

    Series tied at 3 games apiece. Down by three. Bottom of the 9th. Bases loaded. Two outs. Full count. ........ Walk off grand slam. The fans go wild. You da' man.

    Exactly what I needed. I wanted to use the data on the left hand side of the equal sign as the property name and on the right hand side of the equal sign as the property value.

    And translate the GUIDs to something readable by humans. I got that part. I can use the SCOM PowerShell commands to translate.

    Thanks,
    Marty

  • #29027

    Bob McCoy
    Participant

    Thanks. Glad that worked for you. You could still do all sorts of things with it according to your needs. For instance, to create a hash table ...

    # Reuses $data and $pattern from the previous reply
    $event = @{}
    foreach ($item in $data)
    {
        if ($item -match $pattern)
        {
            # Field name becomes the key, field data the value
            $event.Add($($Matches[1]),$($Matches[2]))
        }
    }

    PowerShell is the coolest. PowerShell plus RegEx is unbeatable when it comes to text manipulation. Enjoy!
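As an added example (not code from either poster), this carries the hash-table idea one step further: a single regex is run over the whole string instead of splitting on ", " first, the left-hand side of each pair becomes a property name, and values whose format is unambiguous (GUID, integer, date) are typed so a malformed value shows up as a plain string instead of being passed on silently. The function name ConvertFrom-ScomEventData is my own choice, and the sample string is the one quoted in the question.

```powershell
# Added example, not from the thread: parse a SCOM EventData string into a typed object.
function ConvertFrom-ScomEventData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$RawData
    )
    process {
        $props = [ordered]@{}
        # Text before the first "(" is the event/process name, e.g. p_StateChangeEventProcess.
        if ($RawData -match '^\s*(\S+)') { $props['EventName'] = $Matches[1] }
        # One match per "(name=value)" pair; the value may be empty, as in "(Context=)".
        foreach ($m in [regex]::Matches($RawData, '\((?<name>[^=()]+)=(?<value>[^)]*)\)')) {
            $name  = $m.Groups['name'].Value.Trim()
            $value = $m.Groups['value'].Value.Trim()
            # Type the value only where the format is unambiguous; otherwise keep the string.
            $typed = switch -Regex ($value) {
                '^$'                                         { $null; break }
                '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' { [guid]$value; break }
                '^-?\d+$'                                    { [int]$value; break }
                default {
                    $dt = [datetime]::MinValue
                    if ([datetime]::TryParse($value, [cultureinfo]::InvariantCulture, 'None', [ref]$dt)) { $dt } else { $value }
                }
            }
            $props[$name] = $typed
        }
        [pscustomobject]$props
    }
}

# Constructed sample: the string quoted in the question above.
$sample = 'p_StateChangeEventProcess — (BaseManagedEntityId=f2e7c97e-0f85-bf5e-e2c7-ec1aae440a8f), (EventOriginId=75a0ca4e-b722-453c-b6a0-e19899bfb1d3), (MonitorId=f1baeb56-8cce-f8c7-79ae-d69796c9d926), (NewHealthState=3), (OldHealthState=1), (TimeGenerated=8/26/2015 5:50:17 PM), (Context=), (RETURN_VALUE=0)'
$parsed = ConvertFrom-ScomEventData -RawData $sample
$parsed | Format-List
# $parsed.MonitorId is now a [guid] and $parsed.NewHealthState an [int],
# so downstream comparisons and lookups work on typed values.
```

Feed `$eventXML.Event.EventData.Data[0]` from the first post straight into the function in place of `$sample`; if a field ever arrives with a value that is not a well-formed GUID, it stays a string and can be caught with a type check before it reaches the SCOM lookup.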
