Selecting a sub-property in PowerShell

Question

I have a long list of objects in PowerShell (more specifically, a list of Windows events from the Get-EventLog cmdlet) that I want to filter out to find who accessed my machine. I used the following:

Get-EventLog -LogName Security -InstanceId 4672 | Select-Object -Property TimeGenerated, ReplacementStrings[1]

But the output looks like:

TimeGenerated        ReplacementStrings[1]
-------------        ---------------------
6/17/2018 2:28:33 PM
6/17/2018 2:28:33 PM
6/17/2018 2:28:33 PM
6/17/2018 2:28:33 PM
6/17/2018 2:28:33 PM
...

I have no output at all the right column.

If I remove the [1] from ReplacementString:

TimeGenerated        ReplacementStrings
-------------        ------------------
6/17/2018 2:28:33 PM {S-1-2-3-4, Username1, blablabla...}
6/17/2018 2:28:33 PM {S-1-2-3-4, Username2, blablabla...}
6/17/2018 2:28:33 PM {S-1-2-3-4, Username2, blablabla...}
6/17/2018 2:28:33 PM {S-1-2-3-4, Username1, blablabla...}
6/17/2018 2:28:33 PM {S-1-2-3-4, Username3, blablabla...}
...

I want only the username field from ReplacementStrings.

I could use a foreach loop and manually concentrate to one string, but I want to keep the items as objects for later use, so this is not an option for me.

score 10 · Accepted Answer · edited Jun 17 '18 at 15:40

10

Use a calculated property:

Get-WinEvent ... |
  Select-Object -Property TimeGenerated,
                          @{Name='Username'; Expression={$_.ReplacementStrings[1]}}

edited Jun 17 '18 at 15:40

mklement0

382,024
64
607
775

answered Jun 17 '18 at 11:56

Mathias R. Jessen

157,619
12
148
206

Selecting a sub-property in PowerShell

1 Answers1