window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-108815698-1');

Filter event viewer service control manager events using XML

By |2017-12-07T10:29:48+00:00May 19th, 2011|Azure, Cloud, Windows|0 Comments

Had a problem with a site in which I wanted to see if the event viewer had logged any instances of the Exchange System Attendant service stopping. Unfortunately these were buried in a long list of other services that were constantly starting and stopping under event id 7036.

What I had to was to edit the XLM query manually in “Filter Current Log…”. I then put in this query to show me every time the service had entered the running state:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=4 or Level=0) and (EventID=7036)]] and *[EventData[Data[1]=‘Microsoft Exchange System Attendant’ and Data[2]=‘running’]]</Select>
  </Query>
</QueryList>

This game me the filtered list of service events that only applied to when the Microsoft Exchange System Attendant service had entered the running state:

image

You can just copy and paste the XLM above to give you this output or simply change some of the options to custom it to look for any events for a particular service that you want to see.

If you want to get some more parameters to search then simply double click on the event ID that you want to filter, click on the details tab and select XLM view. This will give you a list of all of the details that you can search for:

image

Paul

Leave A Comment

like what you see? 

Sign-up to our newsletter and never miss out on the latest blogs, events and tech news from the world of risual
SUBSCRIBE!
Give it a try, you can unsubscribe anytime.
I consent to this website use of cookies and third party services. Accept