ReplacementStrings Property on event log objects

This topic contains 3 replies, has 3 voices, and was last updated by Mike F Robbins 3 years, 4 months ago.

  • #15025

    Vern Anderson
    Participant

    Does anyone know what ReplacementStrings are or what they can be used for?

    Example 8 in the help for Get-EventLog shows some output if you've never seen this.

    If anyone can provide more information I would appreciate it... Thanks

    -VERN

  • #15026

    Dave Wyatt
    Moderator

    Event log messages are basically localized template strings, with some data injected in. The data is in the form of the "ReplacementStrings" array. It's very much like PowerShell's format operator:

    "This is my format string.  Data point 1: {0}.  Data point 2: {1}" -f $dataPoints[0], $dataPoints[1]
    

    By accessing the ReplacementStrings array directly, you avoid the need to try to parse the Message field (which can be a pain, particularly if you have localized messages in a different language at runtime.) Get-WinEvent gives you objects with the same information, but the property is called Properties instead of ReplacementStrings.

  • #15030

    Vern Anderson
    Participant

    Wow how did I just now find out about this...LOL

    Thanks Dave!

  • #15072

    Mike F Robbins
    Participant

    I use the Properties array from Get-WinEvent (that Dave referenced) in a function to determine what device is locking out user accounts. Here's a blog I wrote about that, if you're interested in it. I've also found that sometimes certain information may exist in the ReplacementStrings array of Get-EventLog and not necessarily in the Properties array of Get-WinEvent and vice versa, so if you don't find what you're looking for in one, try the other one (I wrote about some specific examples of this in my chapter in the PowerShell Deep Dives book).
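
Added example, not part of the original thread and not code from any of the posters: the values in Properties / ReplacementStrings are positional, so this sketch reads the field names out of the event's XML and pairs each value with its name. The function name `ConvertFrom-EventDataXml`, the sample XML (constructed and trimmed) and the 4740 field names are assumptions made for this example.

```powershell
# Constructed sample shaped like an account-lockout event (ID 4740), trimmed to
# three fields. On a live system this string comes from $event.ToXml().
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>
'@

function ConvertFrom-EventDataXml {
    # Hypothetical helper: returns one object whose properties are the named
    # EventData fields, in the same order as the Properties array.
    param([Parameter(Mandatory)][string]$Xml)

    $doc    = [xml]$Xml
    $fields = [ordered]@{}
    $index  = 0
    # local-name() avoids having to register the event schema namespace.
    $nodes  = $doc.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")
    foreach ($node in $nodes) {
        # Some providers emit <Data> without a Name attribute; fall back to the
        # position so the value is still reachable.
        $name = $node.GetAttribute('Name')
        if ([string]::IsNullOrEmpty($name)) { $name = "Property$index" }
        $fields[$name] = $node.InnerText
        $index++
    }
    [pscustomobject]$fields
}

$lockout = ConvertFrom-EventDataXml -Xml $sampleXml
# Assumption for this example: in 4740 the TargetDomainName field carries the
# name of the computer the lockout came from.
'{0} was locked out from {1}' -f $lockout.TargetUserName, $lockout.TargetDomainName

# Live equivalent (needs rights to read the Security log on a domain controller):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-EventDataXml -Xml $_.ToXml() }
```

Reading by name rather than by index keeps a detection script working when the message text is localized or when a provider version adds a field in the middle of the list.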
