How to get application for application event log

Question

I have some servers that are commonly having error 1000s. I want to find if it's the same application all the time, or if it's different applications. I am using this:

Get-EventLog application 1000 -entrytype error -newest 10 | select timegenerated,message | Export-Csv errors.csv

and the output shows the application name (specifically the exe file) as part of the multi-line message field.

I have not been able to figure out how to extract just the application name from the output.

Piping the output to Get-Member makes it look like the message field is an array, but I cannot figure out how to extract that part of the array at this point.

Get-EventLog application 1000 -entrytype error -newest 10 | %{$_.machinename,$_.timegenerated,$_.ReplacementStrings[0]}

This gives me the output I want, except it's generated over three lines, and Export-CSV doesn't want to parse it properly. How can I get them all on one line?

Check my latest update – Mark Henderson Jan 14 '14 at 00:12 — Mark Henderson, Jan 14 '14 at 00:12

Mark Henderson · Accepted Answer · 2014-01-14T03:21:25.167

It's probably not going to be accurate for all event types, but the property ReplacementStrings is an array where the first element is the name of the executable when looking at InstanceID 1000:

> Get-EventLog application 1000 -entrytype error -newest 10 | %{$_.ReplacementStrings[0]}
Ssms.exe
Ssms.exe
Ssms.exe
uniStudio.exe
SwyxIt!.exe
Ssms.exe
uniRTE.exe
uniStudio.exe
Ssms.exe
Ssms.exe

My PS-foo is weak at this time of the morning, but I'm sure there's a way to combine that with your select command and thus export them into your CSV.

As per your update; this will get you the output you need in a table format. I don't know how well it will play with export-csv though:

Get-EventLog application 1000 -entrytype error -newest 10|Format-Table @{Expression={$_.machinename};Label="Machine Name";width=25},@{Expression={$_.timegenerated.DateTime};Label="DateTime";width=25},@{Expression={$_.ReplacementStrings[0]};Label="EXEName";width=25}

Never mind; I went way too complicated in my last update. This should work just fine (I knew I'd be better later in the day):

> Get-EventLog application 1000 -entrytype error -newest 10|Select-Object  timegenerated,message,@{name='Executable';expression={$_.ReplacementStrings[0]}}|Export-CSV errors.csv


TimeGenerated                           Message                                 Executable
-------------                           -------                                 ----------
14/01/2014 7:23:13 AM                   Faulting application name: Ssms.exe,... Ssms.exe
13/01/2014 7:26:44 AM                   Faulting application name: Ssms.exe,... Ssms.exe
10/01/2014 7:30:24 AM                   Faulting application name: Ssms.exe,... Ssms.exe
8/01/2014 5:25:13 PM                    The description for Event ID '1000' ... uniStudio.exe
31/12/2013 3:09:58 PM                   The description for Event ID '1000' ... SwyxIt!.exe
19/12/2013 7:35:21 AM                   Faulting application name: Ssms.exe,... Ssms.exe
18/12/2013 2:55:45 PM                   Faulting application name: uniRTE.ex... uniRTE.exe
18/12/2013 9:25:49 AM                   The description for Event ID '1000' ... uniStudio.exe
18/12/2013 7:32:29 AM                   Faulting application name: Ssms.exe,... Ssms.exe
16/12/2013 1:22:38 PM                   Faulting application name: Ssms.exe,... Ssms.exe

if you replace `{...}` with `@{name='Executable';expression={$_.ReplacementStrings[0]}}`, you get a friendlier property name. — charleswj81, Jan 14 '14 at 03:05
@charleswj81 - you certainly do; I have updated my code snippet — Mark Henderson, Jan 14 '14 at 03:21

How to get application for application event log

1 Answers1