May 5, 2014 at 10:15 am

Does anyone know what ReplacementStrings are or what they can be used for?

Example 8 in the help for Get-EventLog shows some output if you've never seen this.

If anyone can provide more information I would appreciate it... Thanks

-VERN

May 5, 2014 at 10:24 am

Event log messages are basically localized template strings, with some data injected in. The data is in the form of the "ReplacementStrings" array. It's very much like PowerShell's format operator:

"This is my format string.  Data point 1: {0}.  Data point 2: {1}" -f $dataPoints[0], $dataPoints[1]

By accessing the ReplacementStrings array directly, you avoid the need to try to parse the Message field (which can be a pain, particularly if you have localized messages in a different language at runtime.) Get-WinEvent gives you objects with the same information, but the property is called Properties instead of ReplacementStrings.

May 5, 2014 at 12:18 pm

Wow how did I just now find out about this...LOL

Thanks Dave!

May 6, 2014 at 10:43 am

I use the Properties array from Get-WinEvent (that Dave referenced) in a function to determine what device is locking out user accounts. Here's a blog I wrote about that, if you're interested in it. I've also found that sometimes certain information may exist in the ReplacementStrings array of Get-EventLog and not necessarily in the Properties array of Get-WinEvent and vice versa, so if you don't find what you're looking for in one, try the other one (I wrote about some specific examples of this in my chapter in the PowerShell Deep Dives book).
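
An added example, not code from any of the posters above: reading an account-lockout event's inserted data by index instead of parsing the localized Message text. The function name Get-LockoutSource, the sample values, and the field positions for Security event 4740 (index 0 = locked-out account, index 1 = caller computer) are assumptions to check against an event on your own systems.

```powershell
# Added example. Assumed layout for Security event 4740 (verify locally):
#   index 0 = locked-out account name, index 1 = caller computer name.
function Get-LockoutSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Record
    )
    process {
        # Get-WinEvent wraps each inserted value in an object with a .Value
        # property; Get-EventLog exposes plain strings in ReplacementStrings.
        $values = @(
            if ($Record.PSObject.Properties.Name -contains 'Properties') {
                $Record.Properties | ForEach-Object { $_.Value }
            } else {
                $Record.ReplacementStrings
            }
        )
        # Skip records that do not carry the fields we index into.
        if ($values.Count -lt 2) {
            Write-Warning "Record has $($values.Count) data fields; expected at least 2."
            return
        }
        # Get-WinEvent uses TimeCreated, Get-EventLog uses TimeGenerated.
        $time = if ($Record.PSObject.Properties.Name -contains 'TimeCreated') {
            $Record.TimeCreated
        } else {
            $Record.TimeGenerated
        }
        [pscustomobject]@{
            Time           = $time
            LockedAccount  = [string]$values[0]
            CallerComputer = [string]$values[1]
        }
    }
}

# Constructed sample shaped like Get-WinEvent output, so this runs offline.
$sample = [pscustomobject]@{
    TimeCreated = [datetime]'2014-05-06T10:43:00'
    Properties  = @(
        [pscustomobject]@{ Value = 'jdoe' },
        [pscustomobject]@{ Value = 'WKSTN-042' }
    )
}
$sample | Get-LockoutSource

# Against a live log (run elevated on a domain controller):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } | Get-LockoutSource
```

The same function accepts Get-EventLog output, which makes it easy to compare the two arrays when a field appears in one and not the other.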