Approximately 10 years ago, we introduced custom columns in Event Log Explorer. This feature allows users to extract event details from the event description or event XML. Custom columns have significantly enhanced our customers’ ability to get more information from events, and we have continuously improved it across different versions. Previously, Event Log Explorer treated custom column values as text, which sometimes was insufficient for in-depth analysis. For example, in my article about tracking printer usage, it was impossible to sort events by the number of pages.
Since version 5.5, Event Log Explorer allows users to specify the type of custom values.
Let’s take the same printer usage problem and solve it using this new power.
- Make sure that logging of Microsoft-Windows-PrintService/Operational log is enabled on your print server and open it.
- Set filter to Event ID = 307
- Optionally hide unnecessary columns like Type, Event Id, Source, Category, User
- Set custom columns as follows:
Column 1:
Column title: Printer user
Value: {DATA[3]}
Treat value as : Text
Column 2:
Column title: Printer
Value: {DATA[5]}
Treat value as: Text
Column 3:
Column title: Pages
Value: {DATA[8]}
Treat value as: Integer
As seen, you only need to set “Treat value as” to Integer for the last custom column. This will display events like the previous versions displayed, but now the Pages column is shown as an integer column.
This means that you can now sort by this column from lowest to highest value (or vice versa), not just alphabetically. You can also filter by this value (e.g., greater than or less than).
Furthermore, you can now create a summary table and calculate the total number of pages by every user. To do so, you will need to generate a new analytical report.
Select Advanced->Analytical reports from the main menu.
Then select Field List and move “Printer user” to the left area.
Select Field List again and move Pages to the central area.
Next, move Measures (1) into the top area.
This will create a summary table that looks like this:
Note that Event Log Explorer automatically calculates the sum of pages for each user because Sum is the default aggregative function for integer fields. However, you can change it to any other aggregative function if needed. For instance, if you want to get the average number of pages every user prints at once, expand Measures (1), right-click on Pages, select Properties, and in the Measure Editor dialog, change Sum to Average, then click OK.
As you can see, custom columns now offer enhanced capabilities for analyzing Windows event logs.
Get the latest version of Event Log Explorer to leverage the full potential of custom columns right away!
