I recently stumbled upon a great post by David Muegge titled “Log Parser and PowerShell - Part II”. David does a great job of wrapping PowerShell around Log Parser. I highly recommend that you take a look at his blog post. I was looking at his functions and decided that I should give them a try against some production data. I decided to look at failed login attempts (we have had an issue with a particular application).
What I was looking for was a count of failed logins (from the Strings property). The following code assumes that you are using David’s Library.
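# Pull the Strings field of every failed-logon event (EventID 529) from the remote Security log
$query = "SELECT Strings FROM '\\XX-P01\Security' WHERE EventID = 529"
$inputformat = Get-LPInputFormat "evt"
$records = Get-LPRecordSet $query $inputformat
# Add a computed "User" property (the text before the first pipe in Strings),
# then count events per user and keep the ten highest counts
$records |
Add-Member -name "User" `
-value {$this.Strings.substring(0,$this.Strings.indexof("|"))} `
-memberType ScriptProperty -force -passThru |
Group-Object User -noElement |
Sort-Object -descending Count |
Select-Object -first 10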
In order to get exactly what I wanted, I added a new property to this object: "User".
In order to do this, I needed to parse the Strings property of my $Records object for everything before the first pipe.
$this.Strings.substring(0,$this.Strings.indexof("|")) achieves the desired value.
This gives us:
Just what I was looking for!
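The same grouping can be tried without Log Parser or a live Security log. The following is an added example, not code from this post or from David's library: the function names `Get-FailedLogonUser` and `Get-TopFailedLogonUsers` and the sample records are constructed for illustration. It also covers the case the one-liner does not, a Strings value with no pipe, where `indexof` returns -1 and `substring` throws.

```powershell
# Added example. Function names and sample data are hypothetical/constructed.
function Get-FailedLogonUser {
    param([string]$Strings)
    if ([string]::IsNullOrEmpty($Strings)) { return '(empty)' }
    $i = $Strings.IndexOf('|')
    # IndexOf returns -1 when there is no pipe; Substring(0, -1) would throw,
    # so fall back to the whole value instead of losing the record.
    if ($i -lt 0) { return $Strings.Trim() }
    return $Strings.Substring(0, $i).Trim()
}

function Get-TopFailedLogonUsers {
    param([object[]]$Records, [int]$Top = 10)
    $Records |
        Add-Member -Name 'User' -MemberType ScriptProperty -Force -PassThru `
            -Value { Get-FailedLogonUser $this.Strings } |
        Group-Object User -NoElement |
        Sort-Object -Descending Count |
        Select-Object -First $Top
}

# Constructed records shaped like the Strings column returned for EventID 529
# (pipe-separated insertion strings, user name first).
$sample = @(
    'svc_app|CORP|3|NtLmSsp|NTLM|WKS-014',
    'svc_app|CORP|3|NtLmSsp|NTLM|WKS-014',
    'svc_app|CORP|3|NtLmSsp|NTLM|WKS-022',
    'jdoe|CORP|2|User32|Negotiate|WKS-101',
    'jdoe|CORP|2|User32|Negotiate|WKS-101',
    'administrator',   # no pipe: the original one-liner would throw here
    ''                 # empty Strings value
) | ForEach-Object { New-Object PSObject -Property @{ Strings = $_ } }

Get-TopFailedLogonUsers -Records $sample | Format-Table Count, Name -AutoSize
```

A single account with a count far above the rest, as `svc_app` has in the constructed data, is the pattern to look for when an application is retrying with a stale password.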