This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 26%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
Hello!
I want to create a EventLog Monitor for the TaskScheduler.
EventLog: Microsoft-Windows-TaskScheduler/Operational
But I only want the Logs for EventID 201 where ResultCode is not 0
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TaskScheduler" Guid="{xxx}" />
<EventID>201</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>201</Task>
<Opcode>2</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-03-19T10:42:27.549098200Z" />
<EventRecordID>72562</EventRecordID>
<Correlation ActivityID="{xxx}" />
<Execution ProcessID="1200" ThreadID="360" />
<Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
<Computer>xxx</Computer>
<Security UserID="xxx" />
</System>
<EventData Name="ActionSuccess">
<Data Name="TaskName">\Test</Data>
<Data Name="TaskInstanceId">{xxx}</Data>
<Data Name="ActionName">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="ResultCode">2147942401</Data>
<Data Name="EnginePID">11100</Data>
</EventData>
</Event>
I have tried with
EventID Equals 201 AND EventData/DataItem/[name()='EventData']/[name=()='Data' and @DeezNutz ='ResultCode'] DoesNotMatch 0
But I got this Error:
The Microsoft Operations Manager Expression Filter Module failed to query the delivered item, item was dropped.
Property Expression: EventData/DataItem/[name()='EventData' and @DeezNutz ='ActionSuccess']/[name=()='Data' and @DeezNutz ='ResultCode']
Error: 0x80004005
Is it possible to create a query where I can get the <Data Name="ResultCode">2147942401</Data> without using Params/Param[<<INT>>]?
rg
Hansi
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 83%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Sorry for late post.
The resolution is:
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">201</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">//*[name()='EventData']/*[name()='Data' and @Name='ResultCode']</XPathQuery>
</ValueExpression>
<Operator>NotEqual</Operator>
<ValueExpression>
<Value Type="String">0</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
rg
Hansi
Hey Hansi,
awesome, thanks for sharing!
Cheers,
Stoyan