Using XPath starts-with or contains functions to search Windows event logs

xml windows powershell xpath event-log
Keith Walton picture Keith Walton · Dec 29, 2011 · Viewed 23.5k times · Source

By editing the XML filter query manually in Windows event viewer, I can find events where the data matches a string exactly:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[EventData[Data and (Data="Session end: imzcjflrrsq1sfdk3okc4jpf")]]</Select>
  </Query>
</QueryList>

Now, I want to do a partial match:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[EventData[Data and (Data[starts-with(.,"Session")])]]</Select>
  </Query>
</QueryList>

Event log gives me the error:

The specified query is invalid

Do I have the syntax wrong?

Answer

Kirill Polishchuk picture Kirill Polishchuk · Dec 29, 2011

Windows Event Log supports a subset of XPath 1.0. It contains only 3 functions: position, Band, timediff.

Reference: https://docs.microsoft.com/en-us/windows/desktop/WES/consuming-events#xpath-10-limitations

Related questions

Text editor to open big (giant, huge, large) text files

I mean 100+ MB big; such text files can push the envelope of editors. I need to look through a large XML file, but cannot if the editor is buggy. Any suggestions?

Read More
XML RPC GUI for developers in Windows?

Is there something like this for Windows? If not, what is the easiest/quickest way to test an XML RPC?

Read More
How to associate a Windows application with a particular file type but share that association with other applications?

If I create a new app, and associate with, say, the .xml file extension on a particular computer, when someone double clicks the .xml file, it will launch my app and pass the file as parameter. But Windows seems to …

Read More