LIKE in EventLog Message column
Last post Mar 24, 2004 08:15 AM by Anonymous
Mar 23, 2004 02:53 PM|Anonymous
I am trying to perform the following query:
TO_STRING(TO_LOCALTIME(TimeGenerated), 'MM/dd/yyyy') AS HitDate,
COUNT(*) AS Hits
WHERE (Message LIKE '%10061%')
GROUP BY HitDate
ORDER BY HitDate
The query returns 0 records. I had another query that used "WHERE SourceName = 'COM+'" and that worked fine. Is there an issue with using LIKE on the Message field? Are there limitations that I'm not aware of?
EVT input format
Mar 24, 2004 08:15 AM|Anonymous
Well, this is a well-written query, I can't see why it shouldn't work...
Just a couple of possibilities:
- Are you executing the command in a batch file? If so, the cmd shell will replace %10061% with the value of the environment variables (most likely an empty string); to work around this, I think you should type '%%10061%%' or '^%10061^%'.
- Are you 100% sure that there are messages containing '10061' ?
P.S.: an FYI regarding your ORDER BY: your HitDate is a STRING now, so the ordering happens lexicographically, i.e. 01/02/2004 comes BEFORE 02/01/1999... is this really what you want?
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
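The points raised in the reply above, applied to the question's query as an added example that is not part of the original thread. The Application log in the FROM clause and LogParser.exe being on the PATH are assumptions, since the thread does not show which log was queried.

```batch
@echo off
rem Added example, not code from the thread.
rem Assumptions: the events are in the Application log and LogParser.exe
rem is on the PATH. Save as a .cmd/.bat file and run it from cmd.

rem Step 1: confirm that matching events exist at all.
rem Inside a batch file cmd consumes single percent signs, so each LIKE
rem wildcard is written as %% and Log Parser receives '%10061%'.
LogParser "SELECT TOP 5 TimeGenerated, SourceName, Message FROM Application WHERE Message LIKE '%%10061%%'" -i:EVT

rem Step 2: count hits per local day.
rem HitDate is still a STRING, but the yyyy-MM-dd layout puts the year
rem first, so the lexicographic ORDER BY is also chronological.
LogParser "SELECT TO_STRING(TO_LOCALTIME(TimeGenerated), 'yyyy-MM-dd') AS HitDate, COUNT(*) AS Hits FROM Application WHERE Message LIKE '%%10061%%' GROUP BY HitDate ORDER BY HitDate" -i:EVT
```

When the same commands are typed directly at an interactive cmd prompt rather than run from a batch file, the wildcards are written with single percent signs.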