Microsoft has offered Get-WinEvent as the standard way to work with the Windows Event Log for some time now. There are other methods, but Microsoft really wants you to use this one, as it supports all the bells and whistles the Event Log provides. And for the most part it does its job pretty well: you can query things just the way you want. But let's work through an example. Let's assume we want to check when the last few patches were installed on the AD1 machine, and that you want to get that from the Event Logs.
To do that, you write a simple query against the Setup Event Log and look for Event ID 2. Piping the result to Format-List * gives us all the information about the events.
In the example above we first looked at all the data for the Event, then identified the information we need, and finally queried for exactly the results we wanted. While this gives us a nice way to get what we needed, there is one problem: the Message field contains a lot of additional information we don't need. What if we're interested in a particular Windows Update rather than all the updates installed?
We would now need to take the Message, parse it, split it into multiple chunks and output the information. That is a lot of additional work, and it is prone to breaking. Of course you could always use -like and search for a particular string, as below.
Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; Id = 2 } -ComputerName 'AD1' -MaxEvents 10 | Where-Object { $_.Message -like '*KB4103723*' } | Format-List Message, TimeCreated, MachineName
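To show what the "parse the Message and split it into chunks" approach from the previous paragraph actually looks like, here is an added example that is not part of the original post. It turns the Message of a Setup log Event ID 2 record into a structured object with a KB number and an install state, so the wildcard match on Message can be replaced by a comparison on a real property. The function name ConvertFrom-SetupEventMessage and the assumed message layout ("Package KB... was successfully changed to the Installed state.") are assumptions made for this example; the sample events are constructed so the parsing can be tried without access to AD1.

```powershell
# Added example (not from the original post): parse the Message of Setup log
# Event ID 2 into a structured object. The Message layout matched by the regex
# is an assumption about the event text; adjust it if your events differ.

function ConvertFrom-SetupEventMessage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Event   # an EventLogRecord, or any object with Message/TimeCreated/MachineName
    )
    process {
        # Capture the KB identifier and the resulting state from the message text
        if ($Event.Message -match 'Package (?<Kb>KB\d+) was successfully changed to the (?<State>\w+) state') {
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                MachineName = $Event.MachineName
                KB          = $Matches['Kb']
                State       = $Matches['State']
            }
        } else {
            # Message in an unexpected format: keep the raw text rather than
            # silently dropping the event, so parsing failures stay visible
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                MachineName = $Event.MachineName
                KB          = $null
                State       = $null
                RawMessage  = $Event.Message
            }
        }
    }
}

# Constructed sample events (stand-ins for what Get-WinEvent returns). The KB
# number KB4103723 comes from the post; KB0000000 is a placeholder, and the
# third message is deliberately worded differently to exercise the fallback branch.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2018-05-09 10:15'; MachineName = 'AD1'; Message = 'Package KB4103723 was successfully changed to the Installed state.' }
    [pscustomobject]@{ TimeCreated = Get-Date '2018-05-09 10:20'; MachineName = 'AD1'; Message = 'Package KB0000000 was successfully changed to the Installed state.' }
    [pscustomobject]@{ TimeCreated = Get-Date '2018-05-09 10:25'; MachineName = 'AD1'; Message = 'Some other setup message that does not follow the expected layout.' }
)

# Only the record for the update we care about is returned, selected on the
# parsed KB property instead of a wildcard match over the whole Message
$sample | ConvertFrom-SetupEventMessage | Where-Object KB -eq 'KB4103723'

# Against a live machine the same pipeline applies: -FilterHashtable narrows the
# query on the server side, and the parsed KB field replaces the -like on Message.
# Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; Id = 2 } -ComputerName 'AD1' -MaxEvents 10 |
#     ConvertFrom-SetupEventMessage |
#     Where-Object KB -eq 'KB4103723'
```

The point of keeping the unparsed events (with RawMessage) instead of discarding them is that a change in the message wording then shows up as rows with an empty KB rather than as updates that silently vanish from the report, which is exactly the kind of breakage the text above warns about.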
But this is a simple Event. There are far more complicated events that may not be easy to parse like that. What if there is a simpler way?