This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 47%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello,
is there a way to filter the event logs so that I get only the entries back which have a defined word in the detailed description.
Example: I would like to see a list in which I only get the data records in which the word "shutdown" is in the detailed description.
Greetings
Hi,
You could use advanced XML filtering as mentioned here:
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761
(If the reply was helpful please don't forget to accept as answer, thank you)
Best regards,
Leon
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 50%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJY%3C/text%3E%3C/svg%3E)
Hi,
You could filter event log by description via structured XML queries.
Here are the link of official guidance explaining how it works and an example from third party for your reference.
Advanced XML filtering in the Windows Event Viewer
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761
Filter Windows Event Viewer by details
https://www.daniweb.com/hardware-and-software/microsoft-windows/threads/485296/filter-windows-event-viewer-by-details
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Thanks,
Jenny
Hi,
Is there any update? Have you got a chance to verify above suggestions?
Please feel free to let us know if more assistance needed.
Thanks,
Jenny
Hello,
thanks to all for you answers - and sorry for my late answer.
The XML-Filter is very powerful but very hard to create. Does anyone know whether there is an assistant for this?
Thanks
Hi,
To customize the xml filter, you need to first navigate to the path of logs and check the keywords in the xml view.
Let's take a random event ID 168 as example.
1.The whole sentence in general tab is: The resolution requested by the client: Monitor 0: (1716, 993), origin: (0, 0). Server: WIN10.
2.However, after changing to xml viewer, we found the information listed under event data only contains some keywords.
3.Then the keywords to be filtered are restricted to below screenshot. I picked up 993, created custom view and added it to below query (path shall be the default info where to filter logs)
<QueryList>
<Query Id="0" Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational">
<Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operationa ">* [EventData [Data='993']]</Select>
</Query>
</QueryList>
After clicking OK, I got the list of logs contains 993 under path "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational".
-----Please "Accept as answer" if the reply is helpful-----
Best regards,
Jenny
Hello,
Hope you all well. I am checking to see how things are going there on this post.
You can click “Accept as answer” if any of above reply is helpful. It would make this reply to the top and easier to be found for other people who has the similar problem.
Thanks,
Jenny