Apply Filters
Learn how you can query for events from a channel or a log file.
The channel or log file can exist on the local computer or in a remote computer. To specify the
events that you want to get from the channel or log file, you can use an XPath query or a
structured XML query. Windows Event Log supports a subset of XPath 1.0. The following example
shows simple XPath
expressions:
// The following query selects all events from the channel or log file
XPath Query: *
// The following query selects all the LowOnMemory events from the channel or log file
XPath Query: *[UserData/LowOnMemory]
// The following query selects all events with a severity level of 1 (Critical) from the channel or log file
XPath Query: *[System/Level=1]
// The following query shows a compound expression that selects all events from the channel or log file
// where the printer's name is MyPrinter and severity level is 1.
XPath Query: *[UserData/*/PrinterName="MyPrinter" and System/Level=1]
// The following query selects all events from the channel or log file where the severity level is
// less than or equal to 3 and the event occurred in the last 24 hour period.
XPath Query: *[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]You can use the XPath expressions directly when calling the EvtQuery
or EvtSubscribe function or you can use a structured XML query that contains the
XPath expression. You can use an XPath expression in simple queries that query events from a
single source. If the XPath expression is a compound expression that contains more than 20
expressions or you are querying for events from multiple sources, then you must use a structured
XML query.
For more information on how to query events and which API to use, see https://docs.microsoft.com/en-gb/windows/win32/wes/querying-for-events.
