Querying SharePoint Log Files

While working as a SharePoint developer every one of us must go to the SharePoint log files to determine the exact nature and cause of an error. SharePoint logs provide us vital information to resolve the issue. SharePoint provides us a correlation id to get the details about the issue, but it is difficult sometimes to go and check the log files and manually find the error in the log and get the cause, since the log files are huge sometimes.

To resolve this we have some PowerShell cmdlets that we can use to search in log files. Some of them are Get-SPLogEvent and Merge-SPLogFile. They are explained below.

  • Get-SPLogEvent
We can use Get-SPLogEvent to query log files when either a single server Farm is in place or we have knowledge of which server the error gets logged to. So Get-SPLogEvent will query the logs in the same server where the PowerShell command is executed. The following are some of the samples:
  1. get-splogevent | ?{$_.Message -like "*Monitored*" -and $_.Correlation -eq "2713db9c-f21e-e0bc-3393-95ddcbf60bd0"} | select Area, Category, Level, EventID, Message | Format-List > C:\Log1.log  
The preceding command will search with the specified correlation id and get the contents where the message contains the "Monitored" word and dumps the requested fields (Area, Category, Level, EventID and Message) in the file Log1.log.
  1. get-splogevent | ?{$_.Correlation -eq "2713db9c-f21e-e0bc-3393-95ddcbf60bd0"} | select Area, Category, Level, EventID, Message | Format-List > C:\Log2.log  
The preceding command will search with the specified correlation id and dump the requested fields (Area, Category, Level, EventID and Message) in the file Log2.log at the specified path.

You can use the preceding commands directly also on PowerShell to get the details directly instead of creating a file out of it, like:
  1. get-splogevent | ?{$_.Message -like "*user*" -and $_.Correlation -eq "2713db9c-f21e-e0bc-3393-95ddcbf60bd0" -and $_.Level -eq "Medium" -and $_.Category -eq "App Deployment"} | select Area, Category, Level, EventID, Message  
The preceding command will search with a specified correlation id and get the contents where the message contains the word "user", the Level is "Medium" and the Category equals "App Deployment". It displays the requested fields (Area, Category, Level, EventID and Message) in the PowerShell window.
  1. get-splogevent -StartTime "12/11/2014 10:00" -EndTime "12/12/2014 18:00"  
  2. bove command will search the logs with specified date range and display on PowerShell window.  
  • Merge-SPLogFile
We can use Merge-SPLogFile to query log files when we have a scenario where a mult-server Farm is in place and we do not have an idea of where exactly the error was logged. In other words, the timer service is running on four servers and the current timer request is served by Server1 then the error gets logged on server1. The following are some samples:
  1. Merge-SPLogFile -Path "C:\Log1.log" -Overwrite -Message "*Monitored*" – Correlation "2713db9c-f21e-e0bc-3393-95ddcbf60bd0"  
The preceding command will search with the specified correlation id and get the contents where the message contains the word "Monitored" and dumps the details in the file Log1.log.
  1. Merge-SPLogFile -Path "C:\Log2.log" -Overwrite -Message "*Monitored*" – Correlation "2713db9c-f21e-e0bc-3393-95ddcbf60bd0"  
The preceding command will search with the specified correlation id and dump the details to the file Log2.log.
  1. Merge-SPLogFile -Path "C:\Log3.log" -Overwrite -StartTime "12/11/2014 10:00" - EndTime "12/12/2014 18:00"  
The preceding command will search the logs for the specified date range and dumps the details in the file Log3.log.
I hope this will reduce some of the debugging efforts.