'Event viewer log files save as XML' saves only 305 records

Question

I have 1450 event logs in my event viewer.

When I filter it using dates, say from Aug 25 2014 to Aug 31 2014, it gets reduced to 774. When I try to save the log files as XML by selecting the 'Save event file as' and then selecting XML as file type, it saves only the last 305 records.

When I save it as csv, I can see all 774 events saved. When I try to save the complete list of 1450 as XML it saves all logs. The problem only occurs when a date filter is applied.

Any ideas?

Wow. I thought I was crazy. I'm trying to export 8,000 events as CSV. When I open the CSV file, it only has 305 records. Did anyone solve this riddle? — Michael Levy, Oct 19 '16 at 13:17

score 7 · Answer 1 · answered Apr 06 '18 at 18:58

7

There's a funny workaround:

Save All Events As... and save to .evtx
Open saved file
Save All Events As... and save to .csv / .xml ...

(source) At least, this works for me on Windows 10 x64 version 1709.

The issue itself is clearly a bug, you can vote for them to fix it on the Feedback Hub: for normal users, for insiders.

answered Apr 06 '18 at 18:58

Igor

1,359
19
34

1

What a stupid bug! The suggested workaround worked pretty fine! – jefferson.macedo Jan 17 '19 at 18:50
1

Bug still exists in May of 2020. How embarrassing. Workaround still works. – user1169420 May 16 '20 at 01:42
I only had 50 events when I saved an XPath filtered log. When I followed the workaround, I got 305 events. Better than before but not the 1225 events actually filtered. – user2871239 Sep 29 '21 at 13:52

score 0 · Answer 2 · answered Sep 02 '14 at 12:14

0

if you check the xml section in filter, we have something like

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
  </Query>
</QueryList>

Basically this is the one applying the filter. can you check in those lines, whether your entries will be discarded if not?

answered Sep 02 '14 at 12:14

asb

781
2
5
23

Yes your are right, thats the one which applies to the filter, but there is nothing in the query which restricts the count of logs to be exported(when saving to xml) – Tony Thomas Sep 02 '14 at 14:01
Okay, in that case we will need to debug in steps. So can you post a small snippet of the full xml and the entry what you think is missing. we can try to figure out pattern on what is missing, like is it after 350 entries everything, anything of particular type and so on. I would use beyond compare on full and filtered xml to see what's missing first and identify a pattern. – asb Sep 07 '14 at 04:17
i guess the issue can be reproduced, if you've got more than 350 event entries in your log, just filter them by date, say from day before yesterday to today, and this filter result should output more than 350 event records, then try to save it as xml – Tony Thomas Sep 10 '14 at 12:33

'Event viewer log files save as XML' saves only 305 records

2 Answers2