searching a log in powershell

Question

I'm trying to use powershell to search a log for a particular string - and then use a particular section of a line that has that string.

The log lines I'm interested in look something like this:

2019-02-25 11:51:37.394 field1=data|field2=data|field3=data|field4=data|field5=data

I can get returns of those lines just fine - but i then need to extract the data from one of those fields to use for another search. I'm stuck there. how do i extract the data from a particular "field" (fields seperated by | and the data seperated from fieldname by =)?

$dir = "path\to\workingdir"
$file = "logfilename"
$str2 = "eventType=59"

$out = (Get-Content $dir\$file | Select-String -Pattern $str2 |out-string)

I need to extract and use the data in field 3 for another search of the log. Anything I've tried just seems to return everything that i get in $out. I can't seem to get "split" or "indexof" to work properly (at all)....though I'm not even sure if that's what i should be trying to use.

score 0 · Accepted Answer · answered Feb 25 '19 at 17:48

0

once you have the string with the fields in it, you can use the .Split() method to grab the items. something like this ...

'field1=data1|field2=data2|field3=data3|field4=data4|field5=data5'.Split('|')[2].Split('=')[1]

... will give you this ...

data3

answered Feb 25 '19 at 17:48

Lee_Dailey

7,292
2
22
26

That makes me think I'm doing my original search wrong...$out returns ALL lines with my search, so when i try that split i get a numeric value (like a count?) instead of the data I want. Do i need to put the original search into some sort of array or hash table and then cycle through that? – Josh Nelson Feb 25 '19 at 17:57
you need to get JUST that line for the split i used to work. there are other ways to get the result - regex can handle the entire block of text, for instance. however, that requires a good deal more info about what the blob of text will contain. [*grin*] – Lee_Dailey Feb 25 '19 at 18:01

score 0 · Answer 2 · answered Feb 25 '19 at 18:36

First of all you'll want to separate your log message from the timestamp:

$line = '2019-02-25 11:51:37.394 field1=data|field2=data|field3=data|...'
$date, $time, $msg = $line.Split(' ', 3)

e.g. like this, when you're processing a logfile:

Get-Content "${dir}\${file}" | ForEach-Object {
    $date, $time, $msg = $_.Split(' ', 3)
    # ...
}

With the timestamp out of the way you can process just the message by splitting at the delimiters:

$msg.Split('|') | ForEach-Object {
    $name, $value = $_.Split('=', 2)
}

Depending on your actual use case you could use the above for turning the log message into a hashtable

$data = @{}
$msg.Split('|') | ForEach-Object {
    $name, $value = $_.Split('=', 2)
    $data[$name] = $value
}

and then use that hashtable for further processing, e.g.

if ($data['eventType'] -eq '59') {
    # do some
} else {
    # do other
}

thanks. This is probably a bit more methodical than i need at the moment but cleaning up/separating the log will be handy in the future. I ended up using the .split in Lee_Dailey's solution. — Josh Nelson, Feb 25 '19 at 21:31

searching a log in powershell

2 Answers2