I am trying to format a command that searches the Event Logs on the server for a particular string, but I want it to search for Critical, Warning, and Error logs entries.

Right now, I only know how to make it search one error type or the other, for example like this:

Get-EventLog -LogName Application -EntryType Error -Message *STRING* -Newest 5 |
Format-List

This below isn't working but is along the lines of what I'm trying to do:

Get-EventLog -LogName Application | 
Where {$_.EntryType Error -or $_.EntryType Warning -or $_.EntryType Crital} -and -Message *STRING* -Newest 5 | 
Format-List

This doesn't work, and not being very adept at PowerShell, I'm not quite sure how I should be formatting this command. Other OR statements I've found examples of use IF, but I don't see why I need an IF statement in my case.

2 Answers

There are multiple syntax errors.

Get-EventLog -LogName Application | ? { $_.EntryType -eq "Error" -or $_.EntryType -eq "Warning" -or $_.EntryType -eq "Critical" } | select -First 5 | fl

So what's changed? Mostly you've missed the underscore and the evaluation operators, like so: $_.EntryType Error -> $_.EntryType -eq "Error". In addition, by using -Newest 5 you read only the top 5 entries from the event log whether they match the filter or not. By using select -First 5 the first five matches are picked.

If you want to include filtering on the message string, add it with some parentheses like so:

Get-EventLog -LogName Application | ? { ($_.EntryType -eq "Error" -or $_.EntryType -eq "Warning" -or $_.EntryType -eq "Critical") -and $_.Message -like "*SEARCHTERM*" } | select -First 5 | fl

You don't need to (and should not) use a Where-Object to filter this. The -EntryType parameter on Get-EventLog takes an array of values, so you can pass multiple entry types to that cmdlet and do the filtering there. Filter as close to the source as you possibly can, for memory and performance reasons (especially over a network connection).

Get-EventLog -LogName Application -EntryType Error,Critical,Warning -Message *STRING* -erroraction silentlycontinue -Newest 5 | Format-List

I had to add the -ErrorAction SilentlyContinue because if there are no entries of one or more types, it will throw an error. You could also use a try/catch to capture the error.

1 Comment

Ah, thank you! I was also incorrect: there is no Critical type of error (that causes an error in running the command), so the final command that works well is: Get-EventLog -LogName Application -EntryType Error,Warning -Message STRING -ErrorAction SilentlyContinue -Newest 5 | Format-List
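The accepted approach above (filter at the source with an array of entry types, and handle the error Get-EventLog raises when nothing matches) wrapped into a reusable function, as an added example that is not part of either answer or the comment. The function name Search-AppEventLog and its parameter names are assumptions for this example; the entry-type validation relies on the fact that Get-EventLog only accepts the System.Diagnostics.EventLogEntryType values (Error, Warning, Information, SuccessAudit, FailureAudit), which is why "Critical" made the command fail in the comment above.

```powershell
# Added example, not code from the original question or answers.
# Assumed names: Search-AppEventLog, -Pattern, -Newest, -ComputerName.
function Search-AppEventLog {
    [CmdletBinding()]
    param(
        # Substring to look for in the event message; wildcards are added below.
        [Parameter(Mandatory)]
        [string]$Pattern,

        [string]$LogName = 'Application',

        # Multiple types are passed straight to Get-EventLog so the filtering
        # happens at the source instead of in a Where-Object on the client.
        [string[]]$EntryType = @('Error', 'Warning'),

        [int]$Newest = 5,

        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Get-EventLog only understands the EventLogEntryType enum names
    # (Error, Warning, Information, SuccessAudit, FailureAudit). "Critical"
    # is not one of them, so reject unknown values up front with a clear
    # message instead of letting parameter binding fail.
    $valid = [System.Enum]::GetNames([System.Diagnostics.EventLogEntryType])
    $bad   = $EntryType | Where-Object { $_ -notin $valid }
    if ($bad) {
        throw "Unknown entry type(s): $($bad -join ', '). Valid values: $($valid -join ', ')"
    }

    try {
        # -EntryType takes an array and -Message accepts wildcards, so both
        # filters are applied by the cmdlet itself. -ErrorAction Stop turns the
        # "no matches" error into a terminating error that the catch below handles.
        Get-EventLog -ComputerName $ComputerName -LogName $LogName `
                     -EntryType $EntryType -Message "*$Pattern*" -Newest $Newest `
                     -ErrorAction Stop
    }
    catch {
        # Assumption for this example: any failure here is reported as a
        # warning and the function returns nothing, which reads as "no results"
        # in a pipeline rather than as an unhandled error.
        Write-Warning "Get-EventLog failed for '$LogName' on $ComputerName`: $($_.Exception.Message)"
    }
}

# Usage: the same query the comment above settled on, plus the message filter.
# Search-AppEventLog -Pattern 'STRING' -EntryType Error, Warning -Newest 5 | Format-List
```

Passing -ErrorAction Stop inside the try block is what makes the try/catch mentioned in the answer actually work: without it, the "no matches" condition is a non-terminating error that the catch never sees, which is also why the answer's plain one-liner used -ErrorAction SilentlyContinue instead.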
