Hi again,

I have created a simple script to check through the event logs of a server for a specific event.  I know i will be able to use this on a list of severs which is fine, and I know i can output this to csv which is also fine.

Gwmi Win32_NTLogEvent -comp server01 -filter "Eventcode=20491" | ft -prop computername,message

My problem is that the message field in the event logs can sometimes contain quite a few lines of text.  in all my attempts to caoture the information i need i find that the output of the message field is limited and only displays the first 60 characters.  Is there a way to increase this because I need the entire contents of the message field?  i have tried using -auto and that does not seem to help.

I bet this is an easy one, but after a day of trying stuff and googling i'm stumped.

Any suggestions would be great.

Thanks

Lee

Hal

Thanks for the help. You were absolutely right, I could use the -wrap command or output to a CSV and this did fix the problem with the limitation. The problem then became that the message field in the events I am filtering for have got returns in which caused either a csv or log file (depending on what I output to) to wrap around and not display the whole field in a continuous line 9i do hope that makes sense).

The code I used following your suggestion was:


Gwmi Win32_NTLogEvent -comp srv01 -filter "Eventcode=20491" | select -prop computername,message | export-csv -Path c:\events.csv


Although I want to still find a solution to this problem using Powershell I was able to use Logparser in a FOR loop to achieve my aim. Encase anyone is interested the code for that was:

FOR /f %i in (c:\server.txt) do @LogParser.exe -i:EVT -o:CSV "SELECT computername,message FROM \\%i\application WHERE eventid= '20491'" >>c:\events.log

Again, thanks for the suggestion and keep up the great work on the podcast. I'm catching up but I'm on episode 14 at the moment so a little way to go yet. Each episode gets better and you guys really explain thing well.

Regards

Lee

Hal

I'm still having difficulty with removing the CR's from the message field when extracting data from event logs.  I used the following to practice on my local eventlogs, but I just get a blank csv.

Gwmi Win32_NTLogEvent -comp . -filter "Eventcode=35" | select -prop computername,message | foreach-object { $_.message = $_.message -replace "`n", " " } | export-csv d:\test.csv

Do you have any other ideas how I might accomplish this using Powershell rather than LogParser?

Thanks

Lee

Try to change the foreach to:

... | foreach-object { $_.message = $_.message -replace "`n", " " ;  $_.message }

If it doesn't work try this:

Gwmi Win32_NTLogEvent -comp . -filter "Eventcode=35" | select computername,@{n="message";e={$_.message.replace("`n","")}} | export-csv d:\test.csv