If you have to find information in unstructured log files, PowerShell offers a variety of cmdlets that can help you parse text files to extract the information you need.

Luc Fullenwarth

Luc is working as a system administrator since 1999 at Alcatel-Lucent, at HP, and currently for an European institution. He focuses on Active Directory, Group Policy, security and PowerShell.

In my last article, I showed you how to search the Windows Event Log with Get-WinEvent. That's where you usually spot most of the pertinent messages. However, sometimes you also need to reference log files in textual format. For example, this is the case for the Windows Update log or the Firewall log.

Displaying the content of a log file ^

The Get-Content cmdlet can be useful in many situations, such as when displaying text or log files.

For instance, the following command line displays the whole content of the httperr1.log file.

Displaying long log files ^

Some log files are very long, and if you want to display them one page at a time, just pipe the content to the Out-Host cmdlet along with the -Paging parameter.

Please note that this option is not available in the Integrated Scripting Environment (ISE) console.

For example, the following command displays the Windows Server Update Services (WSUS) SoftwareDistribution log one page at a time.

Get Content with paging output

Get Content with paging output

Displaying only the end of a log file ^

However, usually the last lines are the most relevant ones because they contain either the global success messages or fatal errors. Thus, it's sometimes useful to view only the final lines of log files.

For instance, the following command displays the last 50 lines of the Deployment Image Servicing and Management (DISM) log file.

Because some services write continuously to a log file, you may want to display new lines as soon as they appear. That's exactly the purpose of the -Wait parameter.

In this case, Get-Content continues to wait for new lines and displays them on the fly until you hit Ctrl+C.

Please note that Get-Content still continues to wait for new lines even when the process or service writing to the file has already stopped.

In the next example, the command line displays the last five lines of the WindowsUpdate.log and waits for additional lines to display.

Get Content and wait

Get Content and wait

There's a blinking underscore on that last screen. This means the cmdlet is waiting for new lines to display.

Displaying only specific lines ^

In some cases, you may want to display only lines containing specific words.

If you want to search for packets the firewall has dropped, you can use the command below. This searches all lines from the firewall log containing the word "Drop" and displays only the last 20 lines.

Fortunately, the -Pattern parameter accepts arrays as input, and you can provide several patterns to search. All patterns are processed with the logical OR operator.

For instance, the following command displays lines containing the word "error" or the word "warning" from the Windows Update agent log file.

Displaying only specific lines inside their context ^

Sometimes you may also want to know in which context the pattern appears.

For this purpose, Select-String has another interesting parameter named -Context, which shows you the lines before and after the string matching the pattern.

The following command searches for lines with the word "err" preceded and followed by a space. It also displays the three lines before and after every match from the cluster log file.

Searching with Select String

Searching with Select String

The last screenshot shows that the line containing the pattern starts with a greater than symbol. But you can also see that the Select-String cmdlet displays the line number of the log file for each hit.

Thus, if you spotted a specific line in the midst of log file, you can display only the context for this specific line by using the Get-Content cmdlet and piping the result to the Select-Object cmdlet associated with the First and Skip parameters.

For instance, the following command line displays lines 45 to 75 from the netlogon.log file.

Opening a remote file ^

With all of that, if you still want to open the log file in a GUI, you can run PSEdit in a PSSession. This command directly opens the file without the need to download it locally first.

Please note that PSEdit is only available in the ISE console.

For example, the following command line downloads and opens the log file of the default IIS website.

Win the monthly 4sysops member prize for IT pros


Related Posts

  1. Gtech 4 months ago

    how do I get remote server process list (single liner not script) and to kill the specific process.What I have gone through that try the invoke command which is I am not getting why so. Can you advise with right cmdlt.Thankx


    • Author
      Luc Fullenwarth 4 months ago


      This is out of scope of the current post, but what you are searching is:


  2. tmack 4 months ago

    Thanks for this article.

    FYI, PSEdit works with the integrated terminal in VS Code; assuming you have the PowerShell extension installed.


    • tmack 4 months ago

      Ugh. Only works for local files not in a PSSession.


  3. Pat 4 months ago

    When describing Context, you mention "displays the five lines before and after every match".  Don't you mean 3 lines?  "-Context 3" ?

    Or am I misunderstanding the purpose of the 3?

    Great article, thanks!


    Users who have LIKED this comment:

    • avatar
  4. tmack 4 months ago

    I did not try ISE as I use VS Code exclusively. You say it works so I'll take your word for it. I was just posting so others would know this does not work with VS Code.


    Users who have LIKED this comment:

    • avatar
    • Author
      Luc Fullenwarth 4 months ago

      The post has been updated about PSEdit and also the 3 lines instead of 5.


  5. tmack 4 months ago

    Likely pared the example down to 3 lines from 5 in order to fit the screenshot and forgot to go back and edit the text of the article.


    Users who have LIKED this comment:

    • avatar

Leave a reply

Your email address will not be published. Required fields are marked *



Please ask IT administration questions in the forum. Any other messages are welcome.

© 4sysops 2006 - 2017

Log in with your credentials


Forgot your details?

Create Account