Author Posts

January 1, 2012 at 12:00 am

by maryk at 2013-01-09 13:11:33

Hi
I have a one liner that I am using to get specific event logs. See below

Get-EventLog -LogName APPLICATION | Where-Object { $_.EventID -eq 33 -and $_.EntryType -eq "warning" } | select ReplacementStrings

The output is as follows:

{Database1, [MBX:Smith, Jr., Mike][Inbox], 1eb0-142C94F, 1eb0-142C954, 1-1E78FAB5}
{Database1, [MBX:Smith, Jr., Mike][Calendar], EFb0-142C94F, 1eb0-142C953, 1-1E78FHB5}
{Database1, [MBX:Smith, Jr., Mike][Sent Items], DBb0-134C94F, 1eb0-142B954, 1-1E78FAB5}
{Database45, [MBX:Mary, Jane][Deleted Items], Eeb0-142C94F, 1eb0-142C94, 1-1E78FAB5}

How can I manipulate ReplacementStrings to only output Smith, Jr., Mike and Mary, Jane? In other words, I only need to output the displayname (e.g Smith, Jr., Mike) from inside [MBX:Smith, Jr., Mike] from each line?

Thanks

by DonJ at 2013-01-09 13:29:28

You won't be able to easily do this in a one-liner. You'll have to write a capturing regular expression, which basically means grabbing all of those strings, enumerating through them, and performing your regex. PowerShell doesn't excel at that kind of string manipulation, at least not using built-in commands or operators, but it can be done with a regex.

by nohandle at 2013-01-10 03:36:43

[quote="DonJ"]You won't be able to easily do this in a one-liner.[/quote]
It depends on what you consider easy 🙂 This does not look so complicated, most of the lines are selecting the right properties.
Get-EventLog -LogName APPLICATION |
Where-Object { ($_.EventID -eq 33) -and ($_.EntryType -eq "warning") } |
Select-Object -Property ReplacementStrings |
select-string -Pattern '(?< =\[MBX])' |
Select-Object -ExpandProperty matches |
Select-Object -Property value

Maryk: Try if this works for you. If not let me know how it fails, please.

by DonJ at 2013-01-10 08:04:12

Yeah, I wouldn't call that "easy" in terms of mentally parsing it. There's times when shifting to a script approach can make something easier to read :).

by nohandle at 2013-01-10 08:14:49

[quote="DonJ"]Yeah, I wouldn't call that "easy" in terms of mentally parsing it. There's times when shifting to a script approach can make something easier to read ] No doubt about that.:) Just showing it is possible and not that hard to do.

by maryk at 2013-01-10 08:53:28

Jakub Jareš
Your approach does not give me any output.

by nohandle at 2013-01-10 09:08:44

That is odd. The data are probably in different format. What if you take your original script and put -first 1 | gm on the end? What do you get?

by maryk at 2013-01-10 09:24:54

Here is what I get:

TypeName: Selected.System.Diagnostics.EventLogEntry

Name MemberType Definition
—- ———- ———-
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
ReplacementStrings NoteProperty System.String[] ReplacementStrings=System.String[]

by maryk at 2013-01-10 11:25:15

Here is another thing. If I do:

Get-EventLog -LogName APPLICATION | Where-Object { ($_.EventID -eq 10033) -and ($_.EntryType -eq"warning") } | Select-Object -Property ReplacementStrings | Out-File c:\output.txt

Then:

Gc c:\output.txt | select-string -Pattern '(?< =\[MBX])' | foreach {$_.matches}| select value I get the results I need. What gives?

by nohandle at 2013-01-11 02:30:48

Sorry I assumed wrongly the input data are String but they were array of strings, expanding the Replacement strings should fix it.
Get-EventLog -LogName APPLICATION |
Where-Object { ($_.EventID -eq 33) -and ($_.EntryType -eq "warning") } |
Select-Object -ExpandProperty ReplacementStrings |
select-string -Pattern '(?< =\[MBX])' |
Select-Object -ExpandProperty matches |
Select-Object -Property value

As Don pointed out, rewriting this in less one-liner manner is a good idea 🙂