How can i filter Windows Events retrieve with an XPATH where a certain value is a substring of the value?

Question

Windows Events have an ability to filter by XPATH (which is a fast search). I have sucessfully using the PowerSHell Cmdlet Get-WinEvent filtered where a specific value is a specific value as shown below

$qry = "*[(EventData/Data[@Name='TaskName'] ='\Microsoft\Windows\Diagnosis\Scheduled') ]"                                   
Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational -FilterXPath         $qry -ErrorAction SilentlyContinue  -MaxEvents 3

However i don't really want to filter by a specfic task name but a substring of it, a start-with of contains or something.. for instance in the above scenario i want to do "startswith" \Microsoft\Windows\Diagnosis . However all the different techniques i've tried, that seem like standard XPATH 1.0 syntax such as

$qry = "*[starts-with(EventData/Data[@Name='TaskName'] ,'\Microsoft\Windows\Diagnosis') ]"

give an error Get-WinEvent : The specified query is invalid

This is not XPath -- sorry. Any true XPath answer will likely produce an error in your case. Notice that you are using the ` character, but in XPath the /` character must be used instead. — Dimitre Novatchev

Andy Arismendi Andy Arismendi · Accepted Answer · 2012-04-20T21:58:06

Try the contains function:

$x = [xml] '<root><books><book title="Foo" /></books></root>'
$x.SelectSingleNode('//book[contains(@title, oo)]')

Reference for xpath string functions: http://msdn.microsoft.com/en-us/library/ms256180.aspx

Your's may look like:

"*[EventData[contains(Data,'\Microsoft\Windows\Diagnosis\Scheduled')]]"

How can i filter Windows Events retrieve with an XPATH where a certain value is a substring of the value?

1 Answers