I have googled lots of possible answers with no luck. I am trying to extract the following from the Event Log (pseudo-code):

select events
where
    event date/time between FromDateTime and ToDateTime
and
   ((Level<=2)  //  error, critical only
    or 
    ((Level<=x) and Provider[Name] in a specific list)  // any messages for these apps
   )

(The second "Level" expression is to allow the user to specify whether to include Informational messages or limit to Warnings and above, so I can't just discard it.)

The following is the (latest) expression I am trying to use - unsuccessfully.

string queryString =
    "*[System[TimeCreated[@SystemTime>='" + dFrom + "' and @SystemTime<='" + dTo + "']]] " +
    " and " +
    "(*[System[Level<=2]]" +
    " or " +
    " ( " +
    " *[System[Provider[@Name='<1st name>' or @Name='<2nd name>' or @Name='<3rd name>]] " +
    " and " +
    "System[Level<=" + maxLevel.ToString() + "]]" +
    ")" +
    ")";

Am I trying to make an expression that is too hard for the Event Log query evaluator, or do I just have a simple error in the expression? I have been trying various forms of the expression. It appears that the "Level" filters are just being ignored, but why?

Kim Crosser
  • Is the combination of google and trial+error really the best approach to learning a language? Have you tried the alternative of getting a book that takes you through the language from first concepts to detailed exposition of each construct? – Michael Kay Jul 30 '18 at 09:07
  • Michael Kay - if I intended to do a lot of additional work with Event Logs, I could see trying to find an actual book on Event Log analysis through XPath (if one exists). This is a one-time "simple" utility to let me quickly scan across multiple servers to find out on which server(s) errors and/or warnings occurred relative to specific apps. My C# app works fine - I just get unexpected results from the XPath query and am trying to find out why an apparently simple expression fails. – Kim Crosser Jul 30 '18 at 20:02
  • You're not alone. Writing code in a language you don't understand and then asking on StackOverflow when it doesn't work seems to be the modern way of programming. – Michael Kay Jul 30 '18 at 20:45
  • I have been programming in multiple languages for 48 years. When I started with C#, I went through several of the Microsoft Academy courses and would never expect people to tell me how to code in a new language. In this case, my original XPath code "worked" (compiled and ran), but the fact that Microsoft doesn't use their own enumerations was what tripped me up. Plus, there were no documents I could find on Microsoft or elsewhere that showed complex Event Log queries (combos of and/or expressions). This question seems reasonable for StackOverflow. – Kim Crosser Jul 30 '18 at 21:53

2 Answers

*** ARRGGHH!! - I think I found it. The Event Log Level enumeration is:

1 - Critical alert
2 - Error
3 - Warning
4 - Informational
5 - Logs at all levels
  ... and ...
0 - Undefined - indicates logs at all levels

It turns out that some of the "Information" log entries from Microsoft components use Level 0 instead of 4, so these are being picked up by the filter. My assumption that log entries (especially Microsoft's) would use the appropriate Level was false.

I will need to explicitly look for (Level=1 or Level=2) - Level <= 2 will pick up various Microsoft "Information" log entries.

For anyone interested - the final working query is:

*[System[TimeCreated[@SystemTime>='2018-07-30T17:22:30.000Z' 
    and @SystemTime<='2018-07-30T20:22:30.000Z']  
and (Level=1 or Level=2 or
  (Provider[@Name='Application Error' or @Name='Application Hang']
  and (Level=1 or Level=2 or Level=3 or Level=4)))]]
Kim Crosser

There are two issues that I can see in the code that you had posted.

  • the single quote is not closed on the 3rd name: @Name='<3rd name>]] should be @Name='<3rd name>']]
  • the second filter for */System/Level should be "*[System[Level<=" + maxLevel.ToString() + "]] "

From your pseudo code and what you have shared, it looks like you could consolidate and move some of your logic inside of the predicate filter for */System and use an XPath such as:

string queryString =
    "*[System[TimeCreated[@SystemTime>='" + dFrom + "' and @SystemTime<='" + dTo + "']" +
    "  and (Level<=2 or " +
    "    (Provider[@Name='<1st name>' or @Name='<2nd name>' or @Name='<3rd name>'] " +
    "     and Level<=" + maxLevel.ToString() + "))" +
    "]]";
Mads Hansen
    Your answer was a simpler expression and did help in tracking down the problem. Thank you. FYI - The missing characters were typos - I was transcribing from a remote desktop session that didn't permit copy/paste. – Kim Crosser Jul 30 '18 at 21:58
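Putting the two answers together (the explicit Level=1 or Level=2 test from the first, the single System predicate from the second), here is an added C# example that is not code from either poster. It builds the XPath with the user-supplied provider names validated before they are spliced into the quoted literal, since a quote inside a name would otherwise break or alter the predicate, and runs the query with System.Diagnostics.Eventing.Reader. The class and method names and the allowed-character rule are my own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Text.RegularExpressions;

static class EventScan
{
    // Provider names come from the user, so they are checked before being
    // placed inside an XPath string literal (XPath has no escape for a quote
    // inside a quoted literal). Allowed set is an assumption for this example.
    static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9 ._\-]+$");

    public static string BuildQuery(DateTime fromUtc, DateTime toUtc,
                                    IEnumerable<string> providers, int maxLevel)
    {
        var names = providers.ToList();
        if (names.Count == 0) throw new ArgumentException("at least one provider name required");
        if (maxLevel < 1 || maxLevel > 5) throw new ArgumentOutOfRangeException(nameof(maxLevel));
        foreach (var n in names)
            if (!SafeName.IsMatch(n)) throw new ArgumentException("unsafe provider name: " + n);

        const string fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'";
        string timeWindow = "TimeCreated[@SystemTime>='" + fromUtc.ToUniversalTime().ToString(fmt) +
                            "' and @SystemTime<='" + toUtc.ToUniversalTime().ToString(fmt) + "']";
        // Levels are enumerated explicitly: "Level<=2" would also match Level 0,
        // which some Microsoft components use for informational entries.
        string errorsOnly = "(Level=1 or Level=2)";
        string appLevels = "(" + string.Join(" or ",
            Enumerable.Range(1, maxLevel).Select(l => "Level=" + l)) + ")";
        string providerList = "Provider[" + string.Join(" or ",
            names.Select(n => "@Name='" + n + "'")) + "]";

        return "*[System[" + timeWindow + " and (" + errorsOnly + " or (" +
               providerList + " and " + appLevels + "))]]";
    }

    // server == null queries the local machine; otherwise a remote session is opened.
    public static void Scan(string server, string logName, string xpath)
    {
        var query = new EventLogQuery(logName, PathType.LogName, xpath);
        if (server != null) query.Session = new EventLogSession(server);
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                using (rec)
                    Console.WriteLine(rec.TimeCreated?.ToString("u") + " L" + rec.Level +
                                      " " + rec.ProviderName + " id=" + rec.Id);
        }
    }
}
```

With maxLevel = 4 and the providers "Application Error" and "Application Hang", BuildQuery returns the same predicate structure as the final working query in the first answer.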