Event Viewer limit number of entries Solved

  1. tcebob's Avatar
    Posts : 402
    Windows 10 pro 1803/17134.285
       12 Mar 2018 #1

    Event Viewer limit number of entries

    I have a shortcut to open Event Viewer directly to System. Only need to see the most recent 100 entries. How can I limit the number?
      My ComputerSystem Spec

  2.    12 Mar 2018 #2

    Would limiting it by time be OK? You could make a custom view selecting the last hour (or day), save it somewhere (right click and export) and then make a shortcut eventvwr /v:path_to_saved_XML_file

    Alternatively if you want the last 100 specifically you can get them in powershell
    get-eventlog -logname system -newest 100
    You could then send the output to a file or whatever you wanted.
      My ComputerSystem Spec

  3. tcebob's Avatar
    Posts : 402
    Windows 10 pro 1803/17134.285
    Thread Starter
       13 Mar 2018 #3

    Splendid. Thank you.

    . . . Tried both, custom view works for me. Apparently EV does not remember the the view so I need to click it when I open EV. Can I include the view in my shortcut?
      My ComputerSystem Spec

  4.    13 Mar 2018 #4

    That is strange - it remembers the view for me. Even if I change to another view when I close EV and re-open using shortcut it jumps back to the defined custom view.

    How did you make the shortcut?

    This is mine:

    Click image for larger version. 

Name:	Capture.PNG 
Views:	18 
Size:	15.7 KB 
ID:	180730

    And this is the XML from exporting the custom view (I stored it in C:\Temp\SystemLastHour.xml):
    PHP Code:
    <ViewerConfig><QueryConfig><QueryParams><Simple><Channel>System</Channel><RelativeTimeInfo>1</RelativeTimeInfo><Level>1,2,3,4,0</Level><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>SystemLastHour</Name><QueryList><Query Id="0" Path="System"><Select Path="System">*[System[(Level=1  or Level=or Level=or Level=or Level=0) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig
      My ComputerSystem Spec

  5. tcebob's Avatar
    Posts : 402
    Windows 10 pro 1803/17134.285
    Thread Starter
       13 Mar 2018 #5

    OK, my saved xml is considerably longer:

    <ViewerConfig><QueryConfig><QueryParams><Simple><Channel>file://C:\WINDOWS\System32\Winevt\Logs\System.evtx</Channel><RelativeTimeInfo>3</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name LanguageNeutralValue="24hr">24hr</Name><QueryList><Query Id="0" Path="file://C:\WINDOWS\System32\Winevt\Logs\System.evtx"><Select Path="file://C:\WINDOWS\System32\Winevt\Logs\System.evtx">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select></Query></QueryList></QueryNode></QueryConfig><ResultsConfig><Columns><Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">116</Column><Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column><Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">166</Column><Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">76</Column><Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">76</Column><Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">80</Column><Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column><Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column><Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column><Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column><Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column><Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column><Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column><Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column><Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column><Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column><Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column><Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column><Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column><Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column></Columns></ResultsConfig></ViewerConfig>
    I note that your shortcut calls the xml while mine calls Winevt. I'll try your way . . .
      My ComputerSystem Spec

  6.    13 Mar 2018 #6

    Hmmm - I didn't write the xml - just made a custom view (selecting system for last hour) and exported it with right click, export custom view.

    It is interesting yours is more complex right from the top - yours says:
    and mine is

    You could save the xml in my post above, make a shortcut using that and see if that works for you. There is no system specific info in it.

    I've no idea why it is generated differently let alone how to edit it manually.
      My ComputerSystem Spec

  7. tcebob's Avatar
    Posts : 402
    Windows 10 pro 1803/17134.285
    Thread Starter
       13 Mar 2018 #7

    Success. My Shortcut: C:\Windows\System32\eventvwr.exe /v:"c:\all\Bobs\Documents\EventViewer24HrView.xml"

    Thanks again.
      My ComputerSystem Spec

  8.    13 Mar 2018 #8

    You are welcome - I learned something today too :)
      My ComputerSystem Spec


Related Threads
Be aware that the recent Dropbox update to Ver 29.4.20 causes the DbxSvc service to flood Event Viewer with tens of thousands of information entries (ID 320). You can stop the DbxSvc service to avoid this happening but I'm not sure what the...
I upgraded from Windows 7 to 10 and like a number of uses I have had to resolve a number of permission problems. However the two warnings below have me stumped. They do not always occur but when they do, both occur together and only for the one user...
Sorry, I have searched before posting, and seen other threads about similar problems, both here and elsewhere, but they either described very specific and different situations or proposed solutions that I have already tried. In fact, I have tried...
Clearing event viewer entries in General Support
How can I construct a .bat file to clear entries in the event viewer. Thanks
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 03:42.
Find Us