I'm using powershell to look at event logs using Get-WinEvent. For some reason, the ReplacementStrings attribute of the events won't show up for me. I'm very stumped on this because it seems to show up for everyone else on the internet. It will show up using Get-EventLog but not Get-WinEvent. Is there something I have to enable for this?
Asked
Active
Viewed 260 times
0
Joe Joe
- 1
1 Answers
1
I don't think Get-WinEvent returns a ReplacementStrings property. Instead replacement strings are return in another array property unfortunately called "Properties"
To demonstrate:
$MyEvent = Get-WinEvent -LogName application | Select-Object -First 1
$MyEvent.Properties
It shouldn't matter how you are filtering either. What I usually do is pull back a sample of the event(s) I'm interested in then examine the properties collection. If you want to flatten the object you can use Select-Object to add calculated properties that have the values of the interesting elements from properties collection.
$MyEvent =
Get-WinEvent -LogName application |
Select-Object *, @{Name = 'Property1'; Expression = { $_.Properties[0] }}
You would obviously want to add filtering otherwise the [0] element will be different for each event. Nevertheless, the above will add a property to the object named Property1 the value will be the from the first element in the properties collection.
Steven
- 6,817
- 1
- 14
- 14