ReplacementStrings Property on event log objects

This topic contains 3 replies, has 3 voices, and was last updated by Profile photo of Mike F Robbins Mike F Robbins 2 years, 7 months ago.

  • Author
    Posts
  • #15025
    Profile photo of Vern Anderson
    Vern Anderson
    Participant

    Does anyone know what ReplacementStrings are or what they can be used for?

    Example 8 in the help for Get-EventLog shows some output i you've never seen this.

    if anyone can provide more information I would appreciate it...Thanks

    -VERN

  • #15026
    Profile photo of Dave Wyatt
    Dave Wyatt
    Moderator

    Event log messages are basically localized template strings, with some data injected in. The data is in the form of the "ReplacementStrings" array. It's very much like PowerShell's format operator:

    "This is my format string.  Data point 1: {0}.  Data point 2: {1}" -f $dataPoints[0], $dataPoints[1]
    

    By accessing the ReplacementStrings array directly, you avoid the need to try to parse the Message field (which can be a pain, particularly if you have localized messages in a different language at runtime.) Get-WinEvent gives you objects with the same information, but the property is called Properties instead of ReplacementStrings.

  • #15030
    Profile photo of Vern Anderson
    Vern Anderson
    Participant

    Wow how did I just now find out about this...LOL

    Thanks Dave!

  • #15072
    Profile photo of Mike F Robbins
    Mike F Robbins
    Participant

    I use the Properties array from Get-WinEvent (that Dave referenced) in a function to determine what device is locking out user accounts. Here's a blog I wrote about that, if you're interested in it. I've also found that sometimes certain information may exist in the ReplacementStrings array of Get-EventLog and not necessarily in the Properties array of Get-WinEvent and vice-versa so if you don't find what you're looking for in one, try the other one (I wrote about some specific examples of this in my chapter in the PowerShell Deep Dives book).

You must be logged in to reply to this topic.