ISJ-393

Reputation: 43

Extract a single word from a text block

I'm looking to use PowerShell to recover a hostname from a text block. The block goes as follows:

The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  svc.sXXX.d.fdb
Source Workstation: DIXXXEF01
Error Code: 0x0

As you can see, it's a multi-line text block. Currently I'm trying to cut down on the fluff of some 5 gigs of security logs. I was hoping to use a PowerShell regex command or something similar to recover just the Logon Account and Source Workstation.

Any ideas? Thanks.

ISJ

Upvotes: 0

Views: 1400

Answers (2)

mjolinor

Reputation: 68273

Using Get-Content with -ReadCount and -match (and borrowing Bill's regex):

Get-Content $file -ReadCount 1000 |
 foreach { $_ -match '^Logon Account|^Source workstation' } |
 Add-Content $newfile

You can tune that by changing the -ReadCount parameter. Typically counts of 1000-5000 produce the best results.

You can also use Select-String, but it returns MatchInfo objects which contain a lot of other data you don't need for this application. It's great if you do need it, but it takes about 4x as long to apply the same regex with Select-String as it does with -match, and if all you needed out of it is the strings, Select-String is overkill. (IMHO)

Upvotes: 1

Bill_Stewart

Reputation: 24565

Get-Content and Select-String:

get-content logfile.txt | select-string '^Logon Account|^Source workstation'

The ^ character means 'start of line'. See the PowerShell help topic about_Regular_Expressions for more information.

Upvotes: 0
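
The answers above return the matching lines as text. As an added example (not part of either answer), the function below pairs each Logon Account with the Source Workstation line that follows it and emits one object per event, so the result can be grouped or exported. The function name Get-LogonPair, the property names and the second sample record are assumptions made for illustration.

```powershell
# Added example. Sample text: first record is the block from the question,
# second record is constructed to show an event with an empty workstation field.
$sample = @'
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  svc.sXXX.d.fdb
Source Workstation: DIXXXEF01
Error Code: 0x0
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  example.user
Source Workstation:
Error Code: 0x0
'@ -split '\r?\n'

function Get-LogonPair {
    [CmdletBinding()]
    param(
        # Accepts single lines or the string arrays produced by Get-Content -ReadCount
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$Line
    )
    begin { $account = $null }   # carries the account across batch boundaries
    process {
        foreach ($l in $Line) {
            if ($l -match '^\s*Logon Account:\s*(.*?)\s*$') {
                $account = $Matches[1]
            }
            elseif ($null -ne $account -and $l -match '^\s*Source Workstation:\s*(.*?)\s*$') {
                # Emit one object per event; an empty workstation stays an empty string
                [pscustomobject]@{
                    LogonAccount      = $account
                    SourceWorkstation = $Matches[1]
                }
                $account = $null
            }
        }
    }
}

# One object per event
$sample | Get-LogonPair

# Collapse repeated events into counts per account/workstation pair
$sample | Get-LogonPair |
    Group-Object LogonAccount, SourceWorkstation -NoElement |
    Select-Object Count, Name

# For a large file, stream it in batches as in the answer above:
# Get-Content $file -ReadCount 1000 | Get-LogonPair | Export-Csv $newfile -NoTypeInformation
```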
