I am trying to fetch the output in XML of event record ID 300 under the path below:
Applications and Services Logs/Microsoft-Windows-PrintService/Operational
When I execute the query below, it fetches the data from the Application log path, not from my path, and gives me the output below.
q:xmls of records whose (event id of it = 300) of application event log as xml
A: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft Office 16 Alerts"/><EventID Qualifiers="0">300</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2023-05-30T07:12:13.2412410Z"/><EventRecordID>167</EventRecordID><Correlation/><Execution ProcessID="19204" ThreadID="0"/><Channel>Application</Channel><Computer>DESKTOP-9ATEOOF</Computer><Security/></System><EventData><Data>Compositor Type: 0</Data><Data>OfficeC2RClient</Data></EventData></Event>
A: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="ESENT"/><EventID Qualifiers="0">300</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2023-05-31T07:20:32.3201984Z"/><EventRecordID>2238</EventRecordID><Correlation/><Execution ProcessID="8092" ThreadID="0"/><Channel>Application</Channel><Computer>LP1-AP-51438698.PROD.HCLPNP.COM</Computer><Security/></System><EventData><Data>svchost</Data><Data>8092,R,98</Data><Data>DS_Token_DB: </Data></EventData></Event>
When I try to run the query using the relevance below, I do not see any output from it:
q:concatenation "; " of (string values of selects "Message FROM Win32_NTLogEvent WHERE LogFile='Microsoft-Windows-PrintService/Operational' AND EventCode=300" of wmi)
A:
T: 1276.820 ms
q:(string values of selects "Message FROM Win32_NTLogEvent WHERE LogFile='Microsoft-Windows-PrintService/Operational' AND EventCode=300" of wmi)
T: 1271.267 ms
My intention is to read the complete XML output of event ID 300.
I'm not sure the WMI 'LogFile' property works the way you expect. I just answered another question internally (on a different event log), but this should give you a start.
Retrieve the "Full Name" of the log in Event Viewer by navigating to it and right-clicking for Properties.
Then you can instantiate it via event log "<full name>" and do all the normal event log / event record lookups:
q: exists event log "Microsoft-Windows-Diagnostics-Performance/Operational"
A: True
T: 5.774 ms
q: record count of event log "Microsoft-Windows-Diagnostics-Performance/Operational"
A: 8
T: 5.215 ms
// oldest record
q: (time generated of it, description of it) of record 1 of event log "Microsoft-Windows-Diagnostics-Performance/Operational"
A: ( Sat, 31 Dec 2022 21:14:56 -0700 ), Windows has started up: %0d%0a Boot Duration%09%09:%0921433ms%0d%0a IsDegradation%09%09:%09false%0d%0a Incident Time (UTC)%09:%092023-01-01T04:13:20.690133300Z
T: 3.607 ms
// newest record
q: (time generated of it, event id of it, source of it, category of it, description of it) of record (number of records of it) of event log "Microsoft-Windows-Diagnostics-Performance/Operational"
A: ( Mon, 15 May 2023 09:45:56 -0700 ), 200, Microsoft-Windows-Diagnostics-Performance, 4007, Windows has shutdown: %0d%0a Shutdown Duration%09:%097577ms%0d%0a IsDegradation%09%09:%09true%0d%0a Incident Time (UTC)%09:%092023-05-15T18:34:35.012848100Z
T: 2.374 ms
Do take care using the Event Log inspectors though, the Windows Event Log is notoriously slow so one should retrieve as few records as needed, as infrequently as you can. If you need real-time log monitoring or alerting, you should look into a SIEM tool.
((xmls of records whose (event id of it = 100 AND now - time generated of it < 30*day) of event log "Microsoft-Windows-Diagnostics-Performance/Operational" )) as xml
OR
((xmls of records whose (event id of it = 300 AND now - time generated of it < 30*day) of event log "Microsoft-Windows-PrintService/Operational" )) as xml
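To check the same thing outside of the relevance debugger, here is an added PowerShell example (not from this thread or from the BigFix inspectors) that does what the answer above describes: confirm the channel's "Full Name", pull event ID 300 from the last 30 days, emit each record as the same <Event> XML that "xmls of records" returns, and then show why the WMI route in the original question comes back empty. It assumes a Windows host where the PrintService/Operational channel exists; that channel is disabled by default, so the record count may be 0 until logging is switched on (the wevtutil line in the comment is the standard way to do that).

```powershell
# Added example, not code from the original thread. Assumes a Windows host with
# the Microsoft-Windows-PrintService/Operational channel present. It is disabled
# by default; enable it with:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true

$LogName = 'Microsoft-Windows-PrintService/Operational'

# 1. Confirm the "Full Name" of the log and whether it is enabled. This is the
#    same string the relevance uses in: event log "<full name>".
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
"{0}: enabled={1} records={2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount

# 2. Event ID 300 from the last 30 days, capped so a busy print server does not
#    hand back thousands of records (the Event Log is slow; fetch as few as needed).
$filter = @{ LogName = $LogName; Id = 300; StartTime = (Get-Date).AddDays(-30) }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue

# 3. Each record as the raw <Event> XML (same shape as the "xmls of records"
#    inspector output shown earlier in the thread), plus a few parsed fields.
$events | ForEach-Object {
    [xml]$x = $_.ToXml()
    [pscustomobject]@{
        RecordId = $x.Event.System.EventRecordID
        Time     = $x.Event.System.TimeCreated.SystemTime
        Provider = $x.Event.System.Provider.Name
        Xml      = $x.OuterXml
    }
}

# 4. Why "selects ... FROM Win32_NTLogEvent ... of wmi" returns nothing:
#    Win32_NTLogEvent only exposes the classic logs (Application, System,
#    Security, ...) listed by Win32_NTEventlogFile. The PrintService channel is
#    not among them, so a LogFile filter on it matches no rows.
$wmiLogs = Get-CimInstance -ClassName Win32_NTEventlogFile |
    Select-Object -ExpandProperty LogfileName
"Logs visible to Win32_NTLogEvent: $($wmiLogs -join ', ')"
if ($wmiLogs -notcontains $LogName) {
    "'$LogName' is not a WMI-visible log; use Get-WinEvent or the event log inspector instead."
}
```

If step 1 reports enabled=False, the relevance query will likewise return nothing, regardless of how it is written: the inspector can only read records that the channel actually collected.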
Does anyone know if there is still a hard limit on how long a property will process before gracefully aborting with no results? I seem to have recollections, and this does go back several platform versions, that if an inspection hadn't yielded results after 10 seconds it would abort to avoid negatively impacting the agent functionality. Not sure if that was or still is the case.