How to filter windows event log with wildcard?

Question

According to the document here, the asterisk wildcard is supported and hence it should work in eg.

*[EventData[Data[@Name='TargetUserName'] ='User1*']]

but I cannot get any wildcard filter to work - has anyone been able to do this?

score 12 · Answer 1 · answered Mar 24 '17 at 12:38

12

Use Powershell

Get-EventLog -LogName "System" | ?{$_.Message -like "*YourSearchString*"} | Out-GridView

answered Mar 24 '17 at 12:38

ult

121
1
2

score 4 · Accepted Answer · answered Jan 18 '17 at 14:32

4

The XPath selector must begin with *, however you cannot use * to filter fields as Xpath 1.0 has no contains operator.

https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/

XPath 1.0 Limitations: Windows Event Log supports a subset of XPath 1.0. There are limitations to what functions work in the query. For instance, you can use the position, Band, and timediff functions within the query but other functions like starts-with and contains are not currently supported.

answered Jan 18 '17 at 14:32

Clayton

4,483
16
24

1

Ok, so you're saying that '*' support is intended only for the Node Names and not for values? I know that 'starts-with' and 'contains' are not supported – A_L Jan 18 '17 at 14:50
Correct ________ – Clayton Jan 18 '17 at 16:03

How to filter windows event log with wildcard?

2 Answers2

Linked