How to search event logs for event id =1

(imported topic written by ktm_200091)

Hi all,

I’m running into an issue where I think a patch caused an issue with NVIDIA display drivers. I’ve got a bunch of PCs blue screening and they also have event log messages in the application event log with event id = 1

I’d like to write an analysis to see how big of an issue I have and am not getting good results. For some reason BigFix won’t return results for Event id =1.

Here’s an analysis that I’ve been trying:

Property

(time generated of it, description of it) of records whose (event id of it mod 65536 = 1 AND now - time generated of it < 5*day) of application event log

Relevance

name of operating system contains "XP" and exist records whose (event id of it mod 65536 = 1 AND description of it contains "NVIEW" AND now - time generated of it < 5*day) of application event log

If I switch the event id from 1 to any other number I get results, when it is set as 1 I do not get any results. I’ve also tried to just put event id =1 and get the same results.

Any suggestions on how to get around this??

(imported comment written by NoahSalzman)

In taking a look at that relevance, albeit on a Vista box, I was running into a problem where event log entries that were missing a description would cause an error in the Fixlet Debugger. It’s a shot in the dark, but maybe wrap the description part with an if/then:

(time generated of it, (if exists description of it then description of it else "NA")) of records whose (event id of it mod 65536 = 1 AND now - time generated of it < 5*day) of application event log

I also had success just using “event id of it = 1” but that is neither here nor there since the Event Log can be very squirrely in that regard.
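
Added example, not part of either post and not BigFix code: a Python sketch of the two things the relevance in this thread relies on, the `mod 65536` mask that keeps the low 16 bits of a Windows event identifier and the guard for records that have no description. The bit layout is the standard Windows message identifier format (an assumption brought in here, not stated in the thread), and the records, names and dates are constructed.

```python
from datetime import datetime, timedelta

def split_event_id(raw_id):
    """Split a 32-bit Windows event identifier into its bit fields."""
    return {
        "severity": (raw_id >> 30) & 0x3,    # bits 31-30
        "customer": (raw_id >> 29) & 0x1,    # bit 29
        "facility": (raw_id >> 16) & 0xFFF,  # bits 27-16
        "code": raw_id % 65536,              # bits 15-0, the "mod 65536" part
    }

def matching_records(records, code, now, max_age, needle=None):
    """Return (time, description) pairs for records whose low-word event code
    equals `code` and that are newer than `max_age`. A missing description
    becomes "NA" instead of raising, mirroring the if/then guard above."""
    hits = []
    for rec in records:
        if rec["event_id"] % 65536 != code:
            continue
        if now - rec["time"] >= max_age:
            continue
        desc = rec.get("description")
        # A record without a description can never match the text filter.
        if needle is not None and (desc is None or needle not in desc):
            continue
        hits.append((rec["time"], desc if desc is not None else "NA"))
    return hits

# Constructed sample data (not taken from any real event log).
NOW = datetime(2010, 3, 10, 12, 0, 0)
RECORDS = [
    # Informational severity bits set in the high word; low word is still 1.
    {"event_id": 0x40000001, "time": NOW - timedelta(days=1),
     "description": "NVIEW constructed sample message"},
    # Plain id 1 with no description at all.
    {"event_id": 1, "time": NOW - timedelta(days=2)},
    # Code 1 but older than the 5-day window.
    {"event_id": 0xC0000001, "time": NOW - timedelta(days=6),
     "description": "NVIEW constructed old message"},
    # Different event code.
    {"event_id": 1000, "time": NOW - timedelta(hours=1),
     "description": "unrelated constructed message"},
]

if __name__ == "__main__":
    for when, desc in matching_records(RECORDS, 1, NOW, timedelta(days=5)):
        print(when.isoformat(), desc)
```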