
PowerShell - Output Message substring from Event-log after specific character


I need to display the last line from the Event Log message in PowerShell (pretty much everything after the ":"). I wasn't able to do this, so the alternative I have is to output the message and a substring. The ":" in my messages is at position 200-ish. The code below displays 56 characters after the ":"-ish.

How do I get this to display everything after the ":"?

    Get-Eventlog -Logname Application -Source "HELPME" | format-table timewritten, @{l="User";e={$_.message.substring(309, 56)}} -wrap -autosize

Here's the sample Message if it helps:

The description for Event ID '1234567890' in Source 'HELPME' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event**:** 'Blah', 'Blahh', 'Blahhh'

I just need the code to show the time and the 'Blah', 'Blahh', 'Blahhh'.


Solution

  • This is probably simpler than you anticipated. Strings have a method called LastIndexOf() that you can use with the Substring() method. If you omit the length it should just output everything past the start position you specify, and if you use the LastIndexOf it will show where the last : is in your string. So, this:

    $_.message.substring(($_.message.lastindexof(':')+1))
    

    That will output just the part of the message past the :, which is why I have the +1 on it, otherwise it includes the colon.
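The following is an added example, not part of the original answer. It wraps the `LastIndexOf()` approach in a helper that first looks for the "The following information is part of the event:" marker from the sample message, so a colon inside the event data itself (a timestamp, for instance) does not truncate the result. `Get-EventPayload` is a hypothetical name and the sample records are constructed.

```powershell
# Added example: Get-EventPayload is a hypothetical helper, not from the original answer.
function Get-EventPayload {
    param(
        [AllowEmptyString()]
        [string]$Message
    )

    # Marker text taken from the sample message in the question.
    $marker = 'The following information is part of the event:'
    $start  = $Message.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
    if ($start -ge 0) {
        # Everything after the marker, even if the payload contains colons.
        return $Message.Substring($start + $marker.Length).Trim()
    }

    # Fallback: the answer's approach. LastIndexOf() returns -1 when there is
    # no colon, so +1 yields 0 and the whole message is returned.
    $Message.Substring($Message.LastIndexOf(':') + 1).Trim()
}

# Constructed sample records shaped like Get-EventLog output (TimeWritten, Message).
$prefix = "The description for Event ID '1234567890' in Source 'HELPME' cannot be found. " +
          "The local computer may not have the necessary registry information or message " +
          "DLL files to display the message, or you may not have permission to access them. " +
          "The following information is part of the event:"

$sample = @(
    [pscustomobject]@{ TimeWritten = [datetime]'2024-01-15 09:30:00'
                       Message     = "$prefix 'Blah', 'Blahh', 'Blahhh'" }
    [pscustomobject]@{ TimeWritten = [datetime]'2024-01-15 09:31:00'
                       Message     = "$prefix 'Login', '10:42:07'" }   # colon inside the payload
    [pscustomobject]@{ TimeWritten = [datetime]'2024-01-15 09:32:00'
                       Message     = 'Service started' }               # no colon at all
)

$sample |
    Format-Table TimeWritten, @{ l = 'User'; e = { Get-EventPayload $_.Message } } -Wrap -AutoSize

# Against the live log from the question:
# Get-EventLog -LogName Application -Source 'HELPME' |
#     Format-Table TimeWritten, @{ l = 'User'; e = { Get-EventPayload $_.Message } } -Wrap -AutoSize
```

The entries returned by `Get-EventLog` also expose a `ReplacementStrings` property holding the event's insertion strings as an array, which avoids parsing the message text at all.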