By editing the XML filter query manually in Windows event viewer, I can find events where the data matches a string exactly:
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[EventData[Data and (Data="Session end: imzcjflrrsq1sfdk3okc4jpf")]]</Select>
</Query>
</QueryList>
Now, I want to do a partial match:
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[EventData[Data and (Data[starts-with(.,"Session")])]]</Select>
</Query>
</QueryList>
Event log gives me the error:
The specified query is invalid
Do I have the syntax wrong?
Windows Event Log supports a subset of XPath 1.0. It has only three functions: position, Band, timediff.
Reference: https://learn.microsoft.com/en-us/windows/desktop/WES/consuming-events#xpath-10-limitations