Please explain this PowerShell output for get-eventlog - default output formatting

get-eventlog -list

yields this:

 Max(K) Retain OverflowAction        Entries Log                                                                      
 ------ ------ --------------        ------- ---                                                                      
 20,480      0 OverwriteAsNeeded      14,418 Application                                                              
 20,480      0 OverwriteAsNeeded           0 HardwareEvents                                                           
    512      7 OverwriteOlder              0 Internet Explorer                                                        
 20,480      0 OverwriteAsNeeded           8 Key Management Service                                                   
    128      0 OverwriteAsNeeded          36 OAlerts                                                                  
                                          Security                                                                 
 20,480      0 OverwriteAsNeeded       8,771 System                                                                   
    512      7 OverwriteOlder              0 Windows Azure                                                            
 15,360      0 OverwriteAsNeeded          53 Windows PowerShell                                                       

and...

get-eventlog -list | get-member

results in this (truncated for brevity):

TypeName: System.Diagnostics.EventLog

Name                      MemberType Definition
----                      ---------- ----------
Disposed                  Event      System.EventHandler Disposed(System.Object, System.EventArgs)
EntryWritten              Event      System.Diagnostics.EntryWrittenEventHandler EntryWritten(System.Object, System....
BeginInit                 Method     void BeginInit(), void ISupportInitialize.BeginInit()
Clear                     Method     void Clear()
Close                     Method     void Close()
CreateObjRef              Method     System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)

My question is: Why does get-eventlog -list produce the first set and why when this is piped into get-member yields the second? The two results do not seem related? And...where is this information stored? I mean, how could I find this out myself?

Thanks.

Fontes answered 10/8, 2018 at 21:17 Comment(1)
It's in the types ps1xml module file which controls how information is displayed to the console. - Mettlesome

On top of what TheIncorrigible1 already gave you.

As for this...

My question is: Why does get-eventlog -list produce the first set and why when this is piped into get-member yields the second? The two results do not seem related

Because with the first one, you are explicitly asking for a listing of the physical logs on the system. This is of course what you can work on.

With the second, you are asking for all methods and properties of the cmdlet. This is what you use to take actions on those logs. Get-Member allows us to get information about the objects that a cmdlet returns.

Fully documented in the help files and online.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-member?view=powershell-6

These are not the same thing, hence the different output.

Shroud answered 11/8, 2018 at 3:22 Comment(0)

PowerShell has its own for-display output-formatting system as described in Formatting File Overview and Get-Help about_Format.ps1xml.

It is based on associating formatting rules with .NET types, classified by view types: table, list, wide, custom.

Default rules apply to types without associated formatting data.

  • With implicit output to the console, the default view type as defined in the formatting data is used; in its absence, an object with up to 4 properties results in tabular display (implicit Format-Table), beyond that, per-object multiline list display is used (implicit Format-List).

  • Alternatively, you can use the Format-* cmdlets to produce a specific output format: Format-Table (table view), Format-List (list view), Format-Wide (wide, single-property, multi-column view), Format-Custom (a view that generically shows an object's internal structure in a JSON-like format).

To inspect the formatting rules associated with a given type, use Get-FormatData.

In the case at hand, Get-EventLog outputs objects of type [System.Diagnostics.EventLog], so to inspect their formatting data, use:

Get-FormatData System.Diagnostics.EventLog | Format-Custom -Depth 10

Making sense of the output is nontrivial, but all the formatting information is there.

Location of the formatting information:

  • In Windows PowerShell, formatting information that ships with PowerShell can be found in *.Format.ps1xml files in the directory subtree of $PSHOME. To list them all, run:

    Get-ChildItem $PSHOME -Filter *.Format.ps1xml -Recurse
    
  • In PowerShell (Core) v6+, the formatting information that ships with PowerShell is compiled into the executable (pwsh).

  • Third-party modules may contain their own *.Format.ps1xml files to define formatting for the types they output, module-internally referenced via the FormatsToProcess entry in the module's manifest (*.psd1).

Scabies answered 12/8, 2018 at 4:46 Comment(0)
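
The Get-FormatData lookup described in the answer above, as an added example that is not part of the original answers: a helper, hypothetically named Get-DefaultTableColumn, that walks the formatting data for a type and lists each default table column next to the property or script block that produces it. It assumes Windows PowerShell, where Get-EventLog is available, and the last line shows how to bypass the view when you need the real property names, for example when auditing log size and retention settings.

```powershell
# Added example: map a type's default table columns back to the
# properties or script blocks behind them.
# Get-DefaultTableColumn is a hypothetical helper name, not a built-in cmdlet.
function Get-DefaultTableColumn {
    param(
        [Parameter(Mandatory)]
        [string] $TypeName
    )

    $formatData = Get-FormatData -TypeName $TypeName
    if (-not $formatData) {
        # No registered view: PowerShell falls back to its default rules
        # (table for up to 4 properties, list beyond that).
        Write-Warning "No formatting data registered for $TypeName."
        return
    }

    foreach ($view in $formatData.FormatViewDefinition) {
        $control = $view.Control
        # Only table views have headers and columns; skip list/wide/custom.
        if ($control -isnot [System.Management.Automation.TableControl]) { continue }

        foreach ($row in $control.Rows) {
            for ($i = 0; $i -lt $row.Columns.Count; $i++) {
                $entry = $row.Columns[$i].DisplayEntry
                $label = if ($i -lt $control.Headers.Count) { $control.Headers[$i].Label }
                # An empty header label means the property name is shown instead.
                if (-not $label) { $label = $entry.Value }

                [pscustomobject]@{
                    View   = $view.Name
                    Header = $label
                    Source = $entry.ValueType   # Property or ScriptBlock
                    Value  = $entry.Value       # property name or script text
                }
            }
        }
    }
}

# Which property or expression is behind each column of 'Get-EventLog -List'?
Get-DefaultTableColumn -TypeName System.Diagnostics.EventLog | Format-Table -AutoSize

# Bypass the display view and select the underlying properties directly.
Get-EventLog -List |
    Select-Object Log, MaximumKilobytes, MinimumRetentionDays, OverflowAction
```

Columns whose Source is ScriptBlock are computed for display only, which is why their headers do not appear as member names in the Get-Member output.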