#Get-Content - Sort multiple contents out of a txt file and save them separately


fierce sigil
#

Each string contains multiple values in a row (example: timestamp,name,number).
Sounds like you'll want to treat your txt file as a CSV file 🙂 Try Import-Csv or ConvertFrom-Csv

sweet canopy
#

yeah I agree, I'd look at treating the data as csv such as:

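$data = Import-Csv -Path C:\Dump.txt
# -NoTypeInformation stops Windows PowerShell 5.1 from writing a "#TYPE" line at the top of the file
$data | Where-Object someColumnName -like '0x0000100' | Export-Csv -Path C:\created.csv -NoTypeInformation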
#

however if it's not a valid csv file, you can do similar with just the get-content, saving that to a variable and then just searching the variable for the string data

#

if it is a valid csv file (the Dump.txt), as long as you don't run the output through a "select-object" you won't lose any of the column data

#

so let's assume a structure like

timestamp,file,executable,hex
11122233,C:\somefile.txt,cmd.exe,0x00000223
11122233,C:\somefile.txt,cmd.exe,0x00000223
11122233,C:\somefile.txt,cmd.exe,0x00000223
#

if you import-csv, that file will be imported as an array of objects

#

you're then passing that array through a where-object where you filter based on column values

$data | Where-Object hex -like '0x00000223'

that will only return rows that have that value in the 'hex' column

fierce sigil
#

Please share a sample record or two from the output

#

This works for parsing the output from fsutil:

$executableReads = fsutil usn readjournal c: | ForEach-Object -Begin { 
    # set up dictionary to hold property values from each record
    $Properties = [ordered]@{} 
} -Process {
    if ($_ -match '^\s*$') {
        # empty line encountered, we've reached the end of the previous record
        if ($Properties.Count) {
            [pscustomobject]$Properties
        }
        $Properties = [ordered]@{}
    }
    else {
        # non-empty line encountered - extract property name and value
        $name, $value = $_ -split ': ', 2 |ForEach-Object Trim
        $Properties[$name] = $value
    }
} -End { 
    # we've reached the end of the input, check if there's anything left to output
    if ($Properties.Count) { 
        [pscustomobject]$Properties 
    }
} | Where-Object 'File name' -like *.exe

fierce sigil
#

This is a sample output.
Did you forget to paste it? Not seeing any sample data, only your original code and a screenshot of Out-GridView

#

Ahh, I see what's going wrong - fsutil outputs a header that messes up the subsequent CSV parsing

#

Try:

fsutil usn readjournal c: csv | Select-Object -Skip 7 | ConvertFrom-Csv | Where-Object 'File name' -like *.exe

fierce sigil
#

Well, next step is the same anyway: use ConvertFrom-Csv to parse, then filter with Where-Object