Update: 22. August 2014: I have posted an updated version of the script here.
During his Group Policy: Notes from the Field – Tips, Tricks, and Troubleshooting session at TechEd, Group Policy MVP Jeremy Moskowitz demonstrates how to filter the event log using the correlation ID. Because I love using PowerShell, I thought I would create a function for that using Jeremy’s XML query.
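function Get-GPEventByCorrelationID
{
<#
.Synopsis
   Get Group Policy Eventlog entries by Correlation ID
.DESCRIPTION
   This function retrieves Group Policy event log entries filtered by Correlation ID
.EXAMPLE
   Get-GPEventByCorrelationID -CorrelationID A2A621EC-44B4-4C56-9BA3-169B88032EFD

   TimeCreated                     Id LevelDisplayName Message
   -----------                     -- ---------------- -------
   7/17/2014 3:00:27 PM          5117 Information      Group policy session completed successfully.
#>
    [CmdletBinding()]
    Param
    (
        # CorrelationID
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]$CorrelationID
    )

    Begin
    {
        # -FilterXml requires a complete <QueryList> document; a bare XPath
        # expression cannot be converted to System.Xml.XmlDocument.
        # The Path is the Group Policy operational log.
        $Query = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-GroupPolicy/Operational">
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System/Correlation/@ActivityID="{CorrelationID}"]</Select>
  </Query>
</QueryList>
'@
    }
    Process
    {
        # Build the filter here, not in Begin, so that a CorrelationID bound
        # from the pipeline is available when the placeholder is replaced.
        $FilterXML = $Query.Replace("CorrelationID",$CorrelationID)
        Get-WinEvent -FilterXml $FilterXML
    }
    End
    {
    }
}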
Greetings from the sunny beaches at Sardinia.
Didn’t work for me, was bombing out with the error
Get-WinEvent : Cannot bind parameter 'FilterXml'. Cannot convert value
"*[System/Correlation/@ActivityID='{360003F2-5989-4938-986E-6F290508F803}']" to type "System.Xml.XmlDocument".
So I’ve replaced the line #28 in the code above with:
$Query = "*[System/Correlation/@ActivityID='{CorrelationID}']"
and it’s working OK now.
I’ve checked afterwards & it’s exactly the approach you do use in your Get-GPEventByCorrelationID function.
Cheers, Michael.
Sorry, the correct line #28 is:
$Query = "*[System/Correlation/@ActivityID='{CorrelationID}']"
$Query = " *[System/Correlation/@ActivityID='{CorrelationID}'] "
Ok, the comment publishing engine is removing the parts of the published code.