Thursday, January 14, 2021

Event Viewer XML Filtering by Source

There are situations where you want to exclude certain sources (event providers) when analyzing Windows Event Logs. For example, in Figure 1 below, say you want to exclude events from Lib_SLP and still see the rest. How would you do that?

 

 

Figure 1. Source is Lib_SLP

 

First, head over to the Details tab and select XML View. Observe the XML structure: we are interested in the System | Provider elements.

Figure 2. XML View

 

To filter out that provider, click on Filter Current Log... and type the following:


Figure 3. XML Filter View



<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name!="Lib_SLP"]]]
    </Select>
  </Query>
</QueryList>
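The same filter can be run from a PowerShell console with Get-WinEvent -FilterXml, which is convenient when triaging several logs. The script below is an added example, not part of the original post; it generalizes the query to more than one excluded provider, and the helper name New-ProviderExclusionQuery is hypothetical.

```powershell
# Added example: builds the QueryList shown above for one or more providers.
# New-ProviderExclusionQuery is a hypothetical helper name.
function New-ProviderExclusionQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $LogName,
        [Parameter(Mandatory)] [string[]] $ExcludeProvider
    )

    # Values are placed inside double-quoted XML attributes / XPath literals,
    # so reject characters that would terminate the literal or break the XML.
    foreach ($value in @($LogName) + $ExcludeProvider) {
        if ($value -match '["<&]') {
            throw "Unsupported character in value: $value"
        }
    }

    # One @Name!="..." test per provider, joined with 'and': an event is
    # selected only when its provider matches none of the excluded names.
    $tests = ($ExcludeProvider | ForEach-Object { '@Name!="{0}"' -f $_ }) -join ' and '

    @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[Provider[$tests]]]
    </Select>
  </Query>
</QueryList>
"@
}

$excluded = @('Lib_SLP')
$query    = New-ProviderExclusionQuery -LogName 'Application' -ExcludeProvider $excluded

# Run the filter; SilentlyContinue avoids an error when nothing matches.
$events = Get-WinEvent -FilterXml $query -MaxEvents 50 -ErrorAction SilentlyContinue

# Sanity check: no returned event should come from an excluded provider.
$leaks = @($events | Where-Object { $_.ProviderName -in $excluded })
if ($leaks.Count -gt 0) { Write-Warning "Filter let $($leaks.Count) excluded event(s) through" }

$events | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName
```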


REF: T:001


