Event Viewer limit number of entries


  1. tcebob
    Posts : 481
    Windows 10 pro 1903 1862.145
       New #1

    Event Viewer limit number of entries


    I have a shortcut to open Event Viewer directly to System. Only need to see the most recent 100 entries. How can I limit the number?
      My Computer
    Quote Quote

  3. lx07
    Posts : 5,478
    2004
       New #2

    Would limiting it by time be OK? You could make a custom view selecting the last hour (or day), save it somewhere (right click and export) and then make a shortcut eventvwr /v:path_to_saved_XML_file

    Alternatively if you want the last 100 specifically you can get them in powershell
    Code:
    get-eventlog -logname system -newest 100
    You could then send the output to a file or whatever you wanted.
      My Computer
    Quote Quote

  4. tcebob
    Posts : 481
    Windows 10 pro 1903 1862.145
    Thread Starter
       New #3

    Splendid. Thank you.

    . . . Tried both, custom view works for me. Apparently EV does not remember the the view so I need to click it when I open EV. Can I include the view in my shortcut?
    Code:
    C:\Windows\System32\winevt\Logs\System.evtx
      My Computer
    Quote Quote

  6. lx07
    Posts : 5,478
    2004
       New #4

    That is strange - it remembers the view for me. Even if I change to another view when I close EV and re-open using shortcut it jumps back to the defined custom view.

    How did you make the shortcut?

    This is mine:

    Event Viewer limit number of entries-capture.png

    And this is the XML from exporting the custom view (I stored it in C:\Temp\SystemLastHour.xml):
    PHP Code:
    <ViewerConfig><QueryConfig><QueryParams><Simple><Channel>System</Channel><RelativeTimeInfo>1</RelativeTimeInfo><Level>1,2,3,4,0</Level><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>SystemLastHour</Name><QueryList><Query Id="0" Path="System"><Select Path="System">*[System[(Level=1  or Level=or Level=or Level=or Level=0) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig
      My Computer
    Quote Quote

  7. tcebob
    Posts : 481
    Windows 10 pro 1903 1862.145
    Thread Starter
       New #5

    OK, my saved xml is considerably longer:

    Code:
    <ViewerConfig><QueryConfig><QueryParams><Simple><Channel>file://C:\WINDOWS\System32\Winevt\Logs\System.evtx</Channel><RelativeTimeInfo>3</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name LanguageNeutralValue="24hr">24hr</Name><QueryList><Query Id="0" Path="file://C:\WINDOWS\System32\Winevt\Logs\System.evtx"><Select Path="file://C:\WINDOWS\System32\Winevt\Logs\System.evtx">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select></Query></QueryList></QueryNode></QueryConfig><ResultsConfig><Columns><Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">116</Column><Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column><Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">166</Column><Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">76</Column><Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">76</Column><Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">80</Column><Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column><Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column><Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column><Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column><Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column><Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column><Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column><Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column><Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column><Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column><Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column><Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column><Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column><Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column></Columns></ResultsConfig></ViewerConfig>
    I note that your shortcut calls the xml while mine calls Winevt. I'll try your way . . .
      My Computer
    Quote Quote

  8. lx07
    Posts : 5,478
    2004
       New #6

    Hmmm - I didn't write the xml - just made a custom view (selecting system for last hour) and exported it with right click, export custom view.

    It is interesting yours is more complex right from the top - yours says:
    <Channel>file://C:\WINDOWS\System32\Winevt\Logs\System.evtx</Channel>
    and mine is
    <Channel>System</Channel>

    You could save the xml in my post above, make a shortcut using that and see if that works for you. There is no system specific info in it.

    I've no idea why it is generated differently let alone how to edit it manually.
      My Computer
    Quote Quote

  9. tcebob
    Posts : 481
    Windows 10 pro 1903 1862.145
    Thread Starter
       New #7

    Success. My Shortcut: C:\Windows\System32\eventvwr.exe /v:"c:\all\Bobs\Documents\EventViewer24HrView.xml"

    Thanks again.
      My Computer
    Quote Quote

  10. lx07
    Posts : 5,478
    2004
       New #8

    You are welcome - I learned something today too :)
      My Computer
    Quote Quote

 

  Related Discussions
Every morning when I switch on my PC I just get one error in Event Viewer..It is Event 2 Kernel-Event Tracing error . Under General it reads Session "CldfFltLog" failed to start with the following error: 0xC0000022 Ive been seeing this error...
Be aware that the recent Dropbox update to Ver 29.4.20 causes the DbxSvc service to flood Event Viewer with tens of thousands of information entries (ID 320). You can stop the DbxSvc service to avoid this happening but I'm not sure what the...
I upgraded from Windows 7 to 10 and like a number of uses I have had to resolve a number of permission problems. However the two warnings below have me stumped. They do not always occur but when they do, both occur together and only for the one user...
Sorry, I have searched before posting, and seen other threads about similar problems, both here and elsewhere, but they either described very specific and different situations or proposed solutions that I have already tried. In fact, I have tried...
How can I construct a .bat file to clear entries in the event viewer. Thanks
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 04:39.
Find Us




Windows 10 Forums