![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" "\\"Hey,")
<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span> Hey, Scripting Guy! I have a problem. The search results that return from the New-AdminAuditLogSearch<\/b> cmdlet are pretty useless. Looking at all that XML in Internet Explorer is not very fun, and the Import-CliXML <\/b>Windows PowerShell cmdlet is unable to make heads or tails of the XML. I can open it in Microsoft Excel 2010, but the problem is that it seems to create 30 or 40 rows for each record that is returned by the search. Can you help me? Surely, there is an easier way to do this.<\/p>\n—MJ<\/p>\n
Microsoft Scripting Guy, Ed Wilson, is here. Before I jump into answering your question, I want to put in a plug for International PowerShell User Group Day<\/a>, which is March 19, 2012. The goal of the International PowerShell User Group Day is to have one global Windows PowerShell user group meeting. This will be a live broadcast from the Arizona PowerShell User Group in Phoenix, Arizona, and the program will include Don Jones and me. (Other speakers are still being lined up.) If you are a Windows PowerShell user group leader, you should consider moving your March meeting to March 19, so your group can dial in and participate in the meeting. I will be speaking from the Charlotte Windows PowerShell User Group<\/a> meeting in Charlotte, North Carolina, and it will be a lot of fun. If you need to see if there is a Windows PowerShell user group in your area, see the PowerShell Community Groups page<\/a>. <\/p>\n MJ, in yesterday’s blog, Use PowerShell to Audit Changes Made to Exchange Server 2010<\/a>, I talked about using the New-AdminAuditLogSearch <\/b>cmdlet to run an audit and to email a report that contains the results of the audit query.<\/p>\n Note<\/b> I have written several blogs about working with XML<\/a> from inside Windows PowerShell, and I have also had several great guest bloggers who have also addressed the topic of XML and IT Pros<\/a>. From a beginner perspective, my blog called Is There an Easier Way to Work with XML Files?<\/a> is a great place to start.<\/p>\n The XML file that generates from the New-AdminAuditLogSearch<\/b> cmdlet is a standard formatted file, and it appears in XML Notepad<\/a> as shown in the image that follows.<\/p>\n The previous image shows the properties of the first event as follows:<\/p>\n Caller<\/p>\n Cmdlet<\/p>\n Error<\/p>\n ObjectModified<\/p>\n OriginatingServer<\/p>\n RunDate<\/p>\n Succeeded<\/p>\n The two following properties contain not simple strings, but other objects. These two properties show up as additional XmlElements.<\/p>\n CmdletParameters<\/p>\n ModifiedProperties<\/p>\n One thing that is often confusing is that the Import-CliXML <\/b>cmdlet does not import just any old XML file—it imports only specially formatted XML that generates from the Export-CliXML <\/b>cmdlet. This is why, your efforts to import via Import-CliXML <\/b>did not work.<\/i><\/p>\n The easiest way to read the contents of the SearchResults.xml file is to use the Get-Content <\/b>cmdlet to read the contents of the file, and then to cast the type to a System.Xml.XmlDocument <\/i>type by using the [xml] type accelerator. This is much easier to accomplish than it sounds.<\/p>\n In the following example, the SearchResult.XML file (generated in yesterday’s blog) saved from Outlook, resides in the C:\\fso folder. I then use the [XML] type accelerator to convert the text, derived via the Get-Content <\/b>cmdlet into an XmlDocument.<\/i><\/p>\n [xml]$xml = Get-Content C:\\fso\\SearchResult.xml<\/p>\n When I view the contents of the $xml variable, the searchresults <\/i>XmlElement <\/i>appears as illustrated here.<\/p>\n PS C:\\> $xml<\/p>\n <\/p>\n xml SearchResults<\/p>\n — ————-<\/p>\n version=”1.0″ encoding=”utf-8″ SearchResults<\/p>\n To view the objects that are stored in the SearchResults <\/i>XmlElement, use dotted notation to access the SearchResults<\/b> <\/i>property. This technique is shown here.<\/p>\n PS C:\\> $xml.SearchResults<\/p>\n <\/p>\n Event<\/p>\n —–<\/p>\n {Event, Event, Event}<\/p>\n In this example, the SearchResults <\/i>XmlElement contains three objects, each named Event. <\/i>To view the objects, use dotted notation to access the Event<\/b> property as shown here.<\/p>\n $xml.SearchResults.Event<\/p>\n As shown in the image that follows, the Event<\/b> property contains the audit information that an Exchange administrator seeks.<\/p>\n I can now use standard Windows PowerShell techniques to analyze the data. For example, if I am only interested in the caller and cmdlet that were run during the period of the report, I can use the Select-Object <\/b>cmdlet as shown here.<\/p>\n PS C:\\> $xml.SearchResults.Event | select caller, cmdlet<\/p>\n <\/p>\n Caller Cmdlet<\/p>\n —— ——<\/p>\n iammred.net\/Users\/Administrator Enable-Mailbox<\/p>\n iammred.net\/Users\/Administrator Enable-Mailbox<\/p>\n iammred.net\/Users\/Administrator Enable-Mailbox<\/p>\n I can output to a table by using the Format-Table <\/b>cmdlet. The following command selects the RunDate<\/b>, <\/i>Caller<\/b> <\/i>and Cmdlet<\/b> <\/i>and outputs to an automatically sized table.<\/p>\n PS C:\\> $xml.SearchResults.Event | Format-Table rundate, caller, cmdlet -AutoSize<\/p>\n <\/p>\n RunDate Caller Cmdlet<\/p>\n ——- —— ——<\/p>\n 2012-01-17T18:04:16-05:00 iammred.net\/Users\/Administrator Enable-Mailbox<\/p>\n 2012-01-17T18:04:09-05:00 iammred.net\/Users\/Administrator Enable-Mailbox<\/p>\n 2012-01-17T18:03:53-05:00 iammred.net\/Users\/Administrator Enable-Mailbox<\/p>\n The results, stored in the $xml<\/b> variable are addressable via array index notation. To view the RunDate<\/b> of the first event, use the [0] notation to retrieve the first element. This technique is shown here.<\/p>\n PS C:\\> $xml.SearchResults.Event[0].rundate<\/p>\n 2012-01-17T18:04:16-05:00<\/p>\n One really cool way to parse the data is to select the appropriate properties and pipe the results to the Out-GridView <\/b>cmdlet. It is necessary to use the Select-Object <\/b>cmdlet to choose the properties because the Out-GridView <\/b>does not accept a complex object. Therefore, a direct pipeline fails. This technique is shwon here.<\/p>\n $xml.SearchResults.Event | select caller, rundate, cmdlet | Out-GridView<\/p>\n The resulting Grid is shown in the image that follows.<\/p>\n MJ, that is all there is to using Windows PowerShell to parse the XML search results from Exchange Server. Exchange Server Week will continue tomorrow when Microsoft PFE, Norman Drews, talks about using Windows PowerShell to fix annoying NDR mails.<\/p>\n I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell to parse XML-formatted Microsoft Exchange Server 2010 audit reports. Hey, Scripting Guy! I have a problem. The search results that return from the New-AdminAuditLogSearch cmdlet are pretty useless. Looking at all that XML in Internet Explorer is not very fun, and the Import-CliXML […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[28,180,3,4,45,165],"class_list":["post-11361","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-messaging-and-communication","tag-microsoft-exchange-2010","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-xml"],"acf":[],"blog_post_summary":" Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell to parse XML-formatted Microsoft Exchange Server 2010 audit reports. Hey, Scripting Guy! I have a problem. The search results that return from the New-AdminAuditLogSearch cmdlet are pretty useless. Looking at all that XML in Internet Explorer is not very fun, and the Import-CliXML […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/11361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=11361"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/11361\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=11361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=11361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=11361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" "\\"Hey,")
<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>Hello MJ,<\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/1325.HSG-1-26-12-01.jpg\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/7382.HSG-1-26-12-02.jpg\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/2656.HSG-1-26-12-03.jpg\" "\\"Image")
<\/a><\/p>\n