Relevance expression: Boolean search of event log for description

(imported topic written by mauricem)

I’m trying to search the event log for a specific description or find text similar to the description I’m looking for.

I’ve been able to get the descriptions to list by using the QnA expression:

description of record of application event log as string contains ""

But it seems to be sporadic in what it picks up and what it doesn't. Sometimes I have to give the complete string, while other times I can use just a portion of it. Still other strings won't parse at all. Any explanation of why this is, and how to clean up this expression, would be welcome.

Even better than that would be to have it use the event id “4” and event source “WSH” to filter out the search. I thought that might speed it up a bit since the search quoted above takes T: 1886 which might be excessive.

Any advice would be greatly appreciated.

(imported comment written by BenKus)

Hi mauricem,

The relevance that you posted will only look at the first event in the event log. This might explain your sporadic results. I imagine that you kept getting the error:

E: Singular expression refers to non-unique object.

Whenever you see that error, you need to make the expression "plural" (by adding 's') so that it will iterate through all the records and descriptions, like this:

descriptions of records of application event log

In order to compare results (like with the "contains") of a plural expression, you need to use a "whose" clause.

In the end, I think you want something like this:

descriptions of records whose (event id of it = 4 and source of it = "WSH" and description of it contains "") of application event log

Note that the "whose" clause comes after "records" because you are looking at properties of the record in the whose block. Also note that the "contains" clause is case sensitive.

Since you need to iterate through the whole event log no matter what, you can’t really make this expression too much faster. Best to only run it periodically.

Hope that helps,

Ben
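For checking the same filter directly on a machine, outside of BigFix, here is the equivalent query written in PowerShell. This is an added example, not code from the thread or from BigFix: it assumes the local Application log is readable by the current user, and the needle string and the `Find-WshEvent` / `Test-WshEvent` function names are placeholders chosen for this example.

```powershell
# Added example (not from the forum thread): the id/source/description filter
# from Ben's relevance expression, written as a PowerShell query against the
# local Application event log.
# Assumptions: the log is readable by the current user; $Needle is a
# placeholder for the description fragment you are searching for.

function Find-WshEvent {
    param(
        [Parameter(Mandatory)] [string] $Needle,  # substring to look for in the description
        [int]    $EventId  = 4,                   # event id from the original question
        [string] $Provider = 'WSH',               # event source from the original question
        [string] $LogName  = 'Application'
    )

    # The id and source filter is passed to the event log API via FilterHashtable,
    # so only records with that id and provider are returned for inspection.
    $filter = @{ LogName = $LogName; ProviderName = $Provider; Id = $EventId }

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    # Relevance "contains" is case sensitive, so use -clike (case-sensitive) rather
    # than -like, and escape the needle so that * ? [ in it are not treated as wildcards.
    $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($Needle) + '*'

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -clike $pattern } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Equivalent of wrapping the relevance expression in "exists":
# $true when at least one record matches, $false otherwise.
function Test-WshEvent {
    param([Parameter(Mandatory)] [string] $Needle)
    $first = Find-WshEvent -Needle $Needle | Select-Object -First 1
    return [bool]$first
}

# Usage (replace the placeholder with the real description fragment):
# Find-WshEvent -Needle 'PLACEHOLDER-description-fragment'
# Test-WshEvent -Needle 'PLACEHOLDER-description-fragment'
```

Two details carry over from the relevance version: the match on the description is case sensitive (-clike, not -like), and filtering on id and source narrows the candidate records before the description is compared, which is the only part of the query that the event log API can do cheaply.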

(imported comment written by mauricem)

Thanks Ben, that works out well. I just added “exists” and it worked perfectly.