Windows – Finding the most common errors in event logs using PowerShell.

Tags: analysis, powershell, windows, windows-event-log

I have the event logs for one of our servers locally in .evtx format. I can load the log file into PS using the command:

Get-WinEvent -Path D:\Desktop\serverlogs.evtx

What I would like to do is group events on the Message field where the text matches by a certain percentage (say 80% the same), as we have stack traces for errors in the details which will be the same, but we also log the client's IP and the URL that was accessed, which will likely be different.

I want to group them so that I can work out the most common errors to prioritize fixing them, and as there are 25,000+ errors in the log file I would rather not do it manually.

I think I can work out how to do most of this, but am not sure how I could do the 'group fields which are mostly the same' part. Does PowerShell have anything like this built in?

Best Answer

First, you want to filter out as much as you can because the next step uses the Where-Object cmdlet, which can be slow for this sort of thing (unfortunately, it doesn't look like any of the arguments for Get-WinEvent support wildcards for the Message property of an event).

For example, get just the "error" level events:

$events = Get-WinEvent -FilterHashTable @{ Path="D:\Desktop\serverlogs.evtx";Level=2 }

Then, you can use -match or -like to further filter down to the ones that have similar text:

$events = $events | ?{ $_.Message -match "your similar error here" }

Now that you have narrowed down the list, you can pipe the results to the Group-Object cmdlet, specifying that you want to group them on the "Message" property of the event:

$events | Group-Object -Property Message
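The question asks for "mostly the same" grouping, while the answer above groups on the exact Message text, so two records that differ only in client IP or URL still land in separate buckets. The following is an added example, not code from the question or the answer: it reduces each message to a normalised fingerprint (GUIDs, IPv4 addresses, URLs and bare numbers replaced by placeholders, whitespace collapsed) and then uses the same Group-Object / Sort-Object pipeline on that fingerprint. The sample messages are constructed, the .evtx path in the trailing comment is hypothetical, and the placeholder regexes are my own assumptions about what varies between otherwise identical errors.

```powershell
# Added example: group Windows event messages by a normalised fingerprint so that
# records differing only in IP, URL, numbers or GUIDs count as the same error.

function Get-MessageFingerprint {
    param([AllowNull()][string]$Message)

    # Get-WinEvent returns a null Message when the provider's message resources
    # are not installed on the machine doing the analysis; keep those together.
    if ([string]::IsNullOrWhiteSpace($Message)) { return '<no message>' }

    $text = $Message
    # Most specific patterns first, so a GUID is not partly eaten by the number rule.
    $text = [regex]::Replace($text, '\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b', '<guid>')
    $text = [regex]::Replace($text, 'https?://\S+', '<url>')
    $text = [regex]::Replace($text, '\b(?:\d{1,3}\.){3}\d{1,3}\b', '<ip>')
    # Bare numbers: request ids, durations, stack-trace line numbers (which shift between builds).
    $text = [regex]::Replace($text, '\b\d+\b', '<n>')
    # Collapse whitespace so line-wrapped stack traces compare equal.
    return [regex]::Replace($text, '\s+', ' ').Trim()
}

function Get-ErrorGroups {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Event,
        [int]$Top = 10
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Event) }
    end {
        $all |
            Select-Object -Property @{ n = 'Fingerprint'; e = { Get-MessageFingerprint $_.Message } }, Message |
            Group-Object -Property Fingerprint |
            Sort-Object -Property Count -Descending |
            Select-Object -First $Top -Property Count,
                @{ n = 'Fingerprint'; e = { $_.Name } },
                @{ n = 'Example';     e = { $_.Group[0].Message } }
    }
}

# Constructed sample input standing in for Get-WinEvent output (only Message is needed).
$sample = @(
    'NullReferenceException at Orders.Controller.Get(Int32 id) client=10.0.0.5 url=https://app.example/orders/42',
    'NullReferenceException at Orders.Controller.Get(Int32 id) client=10.0.0.9 url=https://app.example/orders/77',
    'Timeout connecting to db-01 after 30000 ms request=3fa85f64-5717-4562-b3fc-2c963f66afa6',
    'Timeout connecting to db-01 after 30000 ms request=7b2c1d40-1c3a-4f0e-9a1b-0b1c2d3e4f50',
    'NullReferenceException at Orders.Controller.Get(Int32 id) client=192.168.1.2 url=https://app.example/orders/9'
) | ForEach-Object { [pscustomobject]@{ Message = $_ } }

$sample | Get-ErrorGroups | Format-Table -AutoSize

# Against a real log (hypothetical path): filter to Level 2 (Error) in the provider
# first, as the answer recommends, then group the survivors.
# Get-WinEvent -FilterHashtable @{ Path = 'D:\Desktop\serverlogs.evtx'; Level = 2 } | Get-ErrorGroups -Top 20
```

On the constructed sample this yields two groups, the NullReferenceException bucket with a count of 3 and the timeout bucket with a count of 2, whereas Group-Object on the raw Message would give five groups of one. The Example column keeps one original message per group so the placeholders can be checked against real text; if a field that should have been normalised still splits a group, add a pattern for it above the generic number rule rather than after it.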