Reputation: 45
I am trying to extract a specific line from the message output of the Get-WinEvent cmdlet and haven't been able to find a way to do this (I could be searching incorrectly, but I am still learning more advanced scripting methods). What I am running is this:
Get-WinEvent -ComputerName $DC -FilterHashtable @{Logname='Security';Keywords='9007199254740992';Data=$userid} -MaxEvents 1 | Select Message | Format-List
Which will return a message similar to this (changed some info to generic info):
Message : The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: jdoe
Source Workstation: Generic-Computername
Error Code: 0x0
I am attempting to create an easy way to find a computer someone last logged into for faster troubleshooting, but I am unable to filter out only the Source Workstation line. I could just not have the correct syntax for a good search to find the results I am looking for, but I have been searching for about a week now and haven't found anything close to what I am looking for. Any help would be great!
Upvotes: 3
Views: 3456
Reputation: 58931
I'm not sure what information you want to retrieve, but I'm pretty sure there is a better way than using Get-WinEvent to obtain that information. However, if you just want to get the value of Source Workstation, you can do that with a regex:
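# Fetch the most recent matching event and keep only its message text.
# ($event is a PowerShell automatic variable, so a different name is used.)
$message = Get-WinEvent `
    -ComputerName $DC `
    -FilterHashtable @{Logname='Security';Keywords='9007199254740992';Data=$userid} `
    -MaxEvents 1 |
    Select-Object -ExpandProperty Message
# Capture the rest of the "Source Workstation:" line; Trim() drops the trailing carriage return.
[regex]::Match($message, 'Source Workstation:\s*(.*)').Groups[1].Value.Trim()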
Upvotes: 2
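A more general form of the regex approach in the answer above, as an added example that is not part of the original thread: it parses every "Label: Value" line of the message into one object, so Source Workstation, Logon Account and Error Code can be selected by name. The function name `ConvertFrom-EventMessage` and the `$sample` text (built from the output quoted in the question) are assumptions made for illustration.

```powershell
# Added example; ConvertFrom-EventMessage is a hypothetical helper name.
function ConvertFrom-EventMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        $fields = [ordered]@{}
        # Event messages normally use CRLF line endings; accept LF as well.
        foreach ($line in $Message -split '\r?\n') {
            # "Label:<whitespace>Value" - the label may contain spaces,
            # the value may be empty. Lines without a colon are skipped.
            if ($line -match '^\s*(?<name>[^:]+):\s*(?<value>.*?)\s*$') {
                # "Source Workstation" becomes the property SourceWorkstation.
                $key = $Matches['name'].Trim() -replace '\s+', ''
                # Keep the first occurrence if a label repeats.
                if (-not $fields.Contains($key)) {
                    $fields[$key] = $Matches['value']
                }
            }
        }
        [pscustomobject]$fields
    }
}

# Constructed sample, modelled on the message shown in the question.
$sample = @(
    'The computer attempted to validate the credentials for an account.'
    ''
    'Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'
    'Logon Account: jdoe'
    'Source Workstation: Generic-Computername'
    'Error Code: 0x0'
) -join "`r`n"

$parsed = $sample | ConvertFrom-EventMessage
$parsed | Select-Object LogonAccount, SourceWorkstation, ErrorCode

# Against live events, using the filter from the question:
# Get-WinEvent -ComputerName $DC -FilterHashtable @{Logname='Security';Keywords='9007199254740992';Data=$userid} -MaxEvents 5 |
#     Select-Object -ExpandProperty Message | ConvertFrom-EventMessage
```

Because the labels in the message text are localized, this parser (like the regex in the answer) depends on the display language of the machine rendering the event.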