Forum Discussion
parsing data from output
I have an script which pull the fallowing Windows log, "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational". from few servers.
PS script:
Get-WinEvent -ComputerName $s.Name -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 300 | Where-Object {$_.ID -Like '21'}| Select -ExpandProperty Message
I'm getting the following results:
User: ANY\User1
Session ID: 6
Source Network Address: 192.168.1.1
Remote Desktop Services: Session logon succeeded:
User: ANY\User2
Session ID: 7
Source Network Address: 192.168.1.2
Remote Desktop Services: Session logon succeeded:
User: ANY\User3
Session ID: 8
Source Network Address: 192.168.1.3
Remote Desktop Services: Session logon succeeded:
....
I would like to see how I can parse all the results in Columns:
Users Session ID SourceNet RDS
ANY\User1 6 192.168.1.1 Session logon succeeded
ANY\User2 7 192.168.1.2 Session logon succeeded
ANY\User3 8 192.168.1.3 Session logon succeeded
Any help is appreciated.
Thanks.
$Fullresult=@() $allevents=Get-WinEvent -ComputerName $s.Name -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 300 | Where-Object {$_.ID -Like '21'}| Select -ExpandProperty Message foreach ($singleevent in $allevents){ $Result=New-Object PSObject $Result | Add-Member -NotePropertyName "User" -NotePropertyValue ($singleevent.split("`n")[2].substring(6)) $Result | Add-Member -NotePropertyName "SessionID " -NotePropertyValue ($singleevent.split("`n")[3].substring(12)) $Result | Add-Member -NotePropertyName "SourceNet" -NotePropertyValue ($singleevent.split("`n")[4].substring(24)) $Result | Add-Member -NotePropertyName "RDS" -NotePropertyValue ($singleevent.split("`n")[0].substring(25)) $Fullresult+=$Result } $Result | ft -AutoSizeUse this script, This script will store the result in a new PSObject.
I use the Split method to split and be able to read the lines like this, the `n refer to a new line.
Hope this help
----------------------------------------------
If this answers your question, please click on Best Response and give Like 🙂
3 Replies
$Fullresult=@() $allevents=Get-WinEvent -ComputerName $s.Name -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 300 | Where-Object {$_.ID -Like '21'}| Select -ExpandProperty Message foreach ($singleevent in $allevents){ $Result=New-Object PSObject $Result | Add-Member -NotePropertyName "User" -NotePropertyValue ($singleevent.split("`n")[2].substring(6)) $Result | Add-Member -NotePropertyName "SessionID " -NotePropertyValue ($singleevent.split("`n")[3].substring(12)) $Result | Add-Member -NotePropertyName "SourceNet" -NotePropertyValue ($singleevent.split("`n")[4].substring(24)) $Result | Add-Member -NotePropertyName "RDS" -NotePropertyValue ($singleevent.split("`n")[0].substring(25)) $Fullresult+=$Result } $Result | ft -AutoSizeUse this script, This script will store the result in a new PSObject.
I use the Split method to split and be able to read the lines like this, the `n refer to a new line.
Hope this help
----------------------------------------------
If this answers your question, please click on Best Response and give Like 🙂
- Thanks so much, it work like a charm.
Thanks.
Use this
$Fullresult=@() $allevents=Get-WinEvent -ComputerName $s.Name -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 300 | Where-Object {$_.ID -Like '21'}| Select -ExpandProperty Message foreach ($singleevent in $allevents){ $Result=New-Object PSObject $Result | Add-Member -NotePropertyName "User" -NotePropertyValue ($singleevent.split("`n")[2].substring(6)) $Result | Add-Member -NotePropertyName "SessionID " -NotePropertyValue ($singleevent.split("`n")[3].substring(12)) $Result | Add-Member -NotePropertyName "SourceNet" -NotePropertyValue ($singleevent.split("`n")[4].substring(24)) $Result | Add-Member -NotePropertyName "RDS" -NotePropertyValue ($singleevent.split("`n")[0].substring(25)) $Fullresult+=$Result } $Fullresult | ft -AutoSize -WrapThe Message value seems to be a string and what I did is splitting the string in to array by using the `n newline and then add them to a PSCustome Object which hold the value
---------------------------------
If this answers your question, please Click on Best Response and give a like 🙂
