Pro tip: Extend your event log search capabilities with PowerShell's Get-EventLog cmdlet

Greg Shultz explains how to use the Get-EventLog cmdlet in a script to search the event log for a particular term in an event error message.

Search Windows

In a recent article, "Simplify the Windows 8/7 Event Viewer by creating custom views," I showed you how to use the Create Custom View feature in Windows 7 and Windows 8.x to make easier to find information when you're seeking details on a specific problem.

As you'll remember, when you create custom view, the Filter panel only allows you to configure your search using very specify criteria, such as the Event Level, source, and Event ID, just to name a few. You'll also remember that while the Filter panel does contain a Keyword option, contrary to the common use of the term, you cannot enter in your own keywords. In this case, a keyword is a term that Microsoft uses to group or classify types of events, and there are a set number of available predetermined keywords (Figure A).

Figure A

Figure A

Keywords are terms that Microsoft uses to classify types of events.

Now, in most cases, being able to search through the event logs using the available criteria is sufficient, but there are times when it would be convenient to be able to search for keywords that appear in the error messages in the events. Since that type of search isn't available in Event Viewer, I turned to PowerShell's Get-EventLog cmdlet. Using this cmdlet will allow you to search for any keywords that appear in the error messages in the events.

In this article, I'll explain how the Get-EventLog cmdlet works. I'll then show you how to use the Get-EventLog cmdlet in a script to search the event log for a particular term in an event error message.

The Get-EventLog cmdlet

The Get-EventLog cmdlet is quite handy when it comes to getting at information buried in the Windows event logs. While many PowerShell aficionados would say that the Get-EventLog cmdlet has been replaced by the Get-WinEvent cmdlet, which was introduced to PowerShell 2.0, I tend to disagree. Yes, the Get-WinEvent cmdlet is probably the more powerful of the two, but using the Get-EventLog cmdlet is much more straightforward and, for the purpose of searching for specific keywords, it's more than sufficient.

If you're using the PowerShell ISE I described in another one of my previous posts, "Get into gear with new features in Windows 8.1's PowerShell ISE," you can find all of the details about the Get-EventLog cmdlet using the Commands add-on. However, for the purpose of this article and script, we'll only be using a fraction of its features. In fact, the following is the syntax of the parts of the Get-EventLog cmdlet that we'll be using:

Get-EventLog [-LogName] <String> [-After <DateTime>] [-Message <String>]

In this case, -LogName is a required parameter, and it's used to specify the name of the event log that we want to search through. The -After parameter is used to specify the date at which point we want to start searching through the event log. Of course, the -Message parameter is the central component of this script, because it allows you to specify the words or phrases contained in the event message that you want to search for. The -Message parameter also accepts wildcard characters to help fine-tune your search.

The rest of the commands in the script either deal with input or output, and rather than go over them individually, I'll cover them as I go over the script. Let's take a closer look.

The script

Of course, I created the script in PowerShell ISE (Figure B). As you can see, the script (which I named EventKeywordSearch.ps1) is very short -- only eight lines. The color coding of the various cmdlets makes it easy to visually break down the script into its components. (By the way, PowerShell ISE 3/4 allows you complete customization of the color codes via the Colors and Fonts tab of the Options dialog box, which is accessible from the Tools menu.)

Figure B

Figure B

The EventKeywordSearch.ps1 is only eight lines long.

The first line in the script uses Write-Host cmdlet to create a blank line as a means of adding some visual space in the Console pane before beginning with the first prompt.

Write-Host " "

The next four lines use the Read-Host cmdlet to prompt the user for the required information and then assigns those responses to a set of variables.

$HTMLFile = Read-Host "Specify the path and HTML file name that you would like to create for the output "

$EventLog = Read-Host "Specify the Event Log that you would like to search "

$StartDate = Read-Host "Specify the Start Date from which you would like to search (MM/DD/YYYY) "

$SearchString = Read-Host "Specify the string that you would like to search for (Use '*' at the beginning and end of the string: *Action*) "

The sixth line runs the Get-EventLog cmdlet, along with the parameters I described earlier, and using three of the four variables filled in by the previous prompts. It then assigns the results of the search to the $FoundIt variable.

$FoundIt = Get-EventLog -Logname $EventLog -After $StartDate -Message $SearchString

The seventh line employs several cmdlets to format and save the result in HTML format for easy display. To do so, the contents of the $FoundIt variable are piped into the ConvertTo-Html cmdlet, which -- as the name implies -- converts the results into HTML that can be displayed in a web browser. The Set-Content cmdlet then saves the file in HTML format in the location and with the name specified in the $HTMLFile variable.

$FoundIt | ConvertTo-Html | Set-Content $HTMLFile

Finally, the eighth line uses the Invoke-Expression cmdlet to load the HTML file in the default browser.

Invoke-Expression $HTMLfile

You can download the script here. Keep in mind that the script is saved as a .txt file to avoid problems with antivirus software. Once you download and extract the script, just rename it with the .ps1 extension.

Running the script

Running the script is easy from within the PowerShell ISE. Just click the RunScript button or press [F5] (Figure C). As you can see, I'm searching the Application event log for messages containing the keyword *vss* enclosed in wildcard characters. I'm looking for any events that have to do with the Volume Shadow Copy Service (VSS).

Figure C

Figure C

Running the script from within the PowerShell ISE is easy.

The script will take a little while to run, but when it's finished, it will then display the results in a browser window (Figure D).

Figure D

Figure D

The results are displayed in the browser.

As you can see, I discovered that there were two types of events that contained the keyword vss.

What's your take?

Have you wished that you could search Windows event logs using a keyword in the message? Do you think that this script will come in handy in your troubleshooting expeditions? As always, if you have comments or information to share about this topic, please take a moment to join the discussion thread below.


Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.


Editor's Picks