@IISResetMe
Last active October 23, 2024 15:53
Convert EventData fields from Windows event log records to objects
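function ConvertFrom-EventLogRecord
{
    param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord[]]
        $InputEvent,

        [Parameter(Mandatory=$true,Position=1)]
        [ValidateNotNullOrEmpty()]
        [string[]]
        $Property
    )

    begin {
        # A name containing '/' is used as an XPath exactly as given; a bare name
        # is treated as the Name attribute of an EventData/Data element.
        [string[]]$xPathSelectorStrings = $Property | ForEach-Object {
            if($_ -like '*/*') {
                $_
            }
            else {
                'Event/EventData/Data[@Name="{0}"]' -f $_
            }
        }
        # Build the selector once so that every record reuses it.
        $propertySelector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($xPathSelectorStrings)
    }

    process {
        # $record is used instead of $event, which is a PowerShell automatic variable.
        foreach($record in $InputEvent){
            # Values are returned in the same order as the selector's XPaths.
            $propertyValues = $record.GetPropertyValues($propertySelector)
            $properties = [ordered]@{}
            for($i = 0; $i -lt $propertyValues.Count; $i++){
                # Output property name: the last path segment of the requested name.
                $properties[($Property[$i] -replace '^(?:.*\/)?([^\/]+)$','$1')] = $propertyValues[$i]
            }
            [pscustomobject]$properties
        }
    }
}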
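A usage sketch for the function above, added here as an example and not part of the original gist: it summarises failed logons (Security event 4625) per source address over the last 24 hours. It assumes `ConvertFrom-EventLogRecord` is already loaded in an elevated session; the 24-hour window and the threshold of 10 are arbitrary values chosen for illustration.

```powershell
# Assumption: ConvertFrom-EventLogRecord (defined above) is loaded in this session,
# and the session is elevated, which reading the Security log requires.
$filter = @{
    LogName   = 'Security'
    Id        = 4625                        # An account failed to log on
    StartTime = (Get-Date).AddHours(-24)    # illustrative look-back window
}

# Bare names select EventData/Data fields; a name containing '/' is passed through
# as an XPath, and its output property is the last path segment ('@SystemTime').
$failedLogons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertFrom-EventLogRecord -Property TargetUserName, IpAddress, LogonType,
        'Event/System/TimeCreated/@SystemTime'

$failedLogons |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |   # skip records with no source address
    Group-Object -Property IpAddress |
    Where-Object Count -ge 10 |                                  # illustrative threshold
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp   = $_.Name
            Failures   = $_.Count
            Accounts   = ($_.Group.TargetUserName | Sort-Object -Unique) -join ', '
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ', '
            LastSeen   = $_.Group.'@SystemTime' | Sort-Object | Select-Object -Last 1
        }
    }
```

Because the selector is built once in the `begin` block and only the requested fields are read, this avoids parsing each record's full XML when working through a large Security log.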