Advanced Event Log Filtering

Event Log Viewer Advanced Filtering

Event Log Viewer's Advanced Filtering allows you to filter events based on their:

  • Level (Information, Warning, Error, etc)
  • Event ID (Include and Exclude both separated to avoid common mistakes and confusion)
  • DateTime of the Event
  • Provider
  • Category
  • Description (Which is not available in the native Windows Event Viewer Application)

Filtering Event logs based on the Levels

You can filter based on the level of the event. Generally, these are Information, Warning, Error, Critical. However, there are 2 hidden levels as well which are not seen in Windows Event Viewer. These are: Verbose and LogAlways. Event Log Viewer allows you to filter based on these as well.

Filtering Event logs based on the Event IDs

You can either include or exclude specific events based on their IDs. The Include and Exclude filters each take a comma-separated list of Event IDs.

Filtering Event logs based on Event Log DateTime

You can filter the event logs based on the time at which they were logged. Event Log Viewer provides predefined filters for the most commonly used time ranges: Last Hour, Last 6 Hours, Last 12 Hours, Last 24 Hours, Last 7 Days and Last 30 Days. You can also select a custom time range. The time filter works based on the time correction settings you have applied.

Filtering Event logs based on the Provider and Category

Each event has an Event Provider and an Event Category. Sometimes it is necessary to focus only on a specific Event Provider or Category. Windows Event Viewer has limited support for this feature. While loading the events from the selected source, Event Log Viewer parses the Providers and Categories found in that source and then allows you to filter the events based on them. Normally, Windows Event Viewer shows the Providers and Categories for all the event sources available in the Event Viewer application. Event Log Viewer keeps them separate for each loaded source.

Filtering Event logs based on the Description

You may need to see only the events that contain, or do not contain, a specific string or phrase. The description filter also offers “starts with”, “ends with” and “equals” matching, which gives you more control over the filtering of the events. The Description filters are the slowest, as they are applied externally once all the other filters are applied.

It is always recommended to specify any other filters, if possible, before using the description filter. You can also choose to search only within the XML contents of the event, which are quick to fetch, so the overall description filter runs faster. However, the event XML does not always contain the text you want. It is advised to search using this option first and, if the results are not to your satisfaction, to repeat the description filtering with this option unchecked.

Event Log Viewer Description Filter Options

Things to know about filtering

The filters based on Level, ID, Time, Provider and Category are faster than the filter based on the description. The native Windows event log filtering is used while fetching the events based on these attributes, whereas the description filter is applied after the events are fetched from the event source. If you want to apply description filters and already know any of the above attributes for these events, it is recommended to apply those filters as well. You can also use the option “Search in XML Data Only (Faster)”, which searches only within the event XML. The information you are looking for can be found in the event XML most of the time, but sometimes it is not available there. Always check the event XML before you use this option to confirm that it contains the text you need.
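
The two stages described above, and the caveat about the XML-only option, as an added Python sketch (not Event Log Viewer's own code; how the product builds its query is not documented here). `build_xpath`, `description_filter` and the sample event are constructed for illustration; the query string uses the Windows event log XPath syntax accepted by `Get-WinEvent -FilterXPath` or `wevtutil qe /q:`.

```python
# Added example: names and sample data are constructed, not taken from Event Log Viewer.
LEVELS = {"LogAlways": 0, "Critical": 1, "Error": 2,
          "Warning": 3, "Information": 4, "Verbose": 5}

def build_xpath(levels=(), include_ids=(), exclude_ids=(), provider=None, last_ms=None):
    """Stage 1: Level, ID, Provider and Time become one native XPath query."""
    parts = []
    if provider:
        if "'" in provider:  # no escaping exists inside an XPath 1.0 literal
            raise ValueError("quote in provider name")
        parts.append(f"Provider[@Name='{provider}']")
    if levels:
        parts.append("(" + " or ".join(f"Level={LEVELS[n]}" for n in levels) + ")")
    if include_ids:
        parts.append("(" + " or ".join(f"EventID={int(i)}" for i in include_ids) + ")")
    parts += [f"EventID!={int(i)}" for i in exclude_ids]
    if last_ms is not None:  # e.g. Last Hour = 3600000 ms
        parts.append(f"TimeCreated[timediff(@SystemTime) <= {int(last_ms)}]")
    return "*[System[" + " and ".join(parts) + "]]" if parts else "*"

MATCH = {"contains": lambda s, t: t in s,
         "starts with": str.startswith,
         "ends with": str.endswith,
         "equals": lambda s, t: s == t}

def description_filter(events, text, mode="contains", xml_only=False, negate=False):
    """Stage 2: runs over already-fetched events (assumed case-insensitive)."""
    field = "xml" if xml_only else "message"
    t = text.lower()
    return [e for e in events
            if MATCH[mode](e[field].strip().lower(), t) != negate]

# Constructed sample of one fetched event: raw XML plus rendered description.
SAMPLE = [{
    "xml": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
           "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
           "<EventID>4624</EventID><Level>0</Level></System>"
           "<EventData><Data Name='TargetUserName'>alice</Data>"
           "<Data Name='LogonType'>3</Data></EventData></Event>",
    "message": "An account was successfully logged on. Account Name: alice Logon Type: 3",
}]

if __name__ == "__main__":
    print(build_xpath(levels=["LogAlways"], include_ids=[4624, 4625],
                      exclude_ids=[4634], last_ms=3600000))
    print(len(description_filter(SAMPLE, "alice", xml_only=True)))      # data field: in XML
    print(len(description_filter(SAMPLE, "logged on", xml_only=True)))  # template text: not in XML
    print(len(description_filter(SAMPLE, "logged on")))                 # found in rendered text
```

A user name stored as an event data field is found by the XML-only search, while wording that exists only in the rendered description is missed until the full description is searched.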