Read events from an event log, log file or using structured query. Usage: wevtutil { qe | query-events } /OPTION:VALUE /OPTION:VALUE ...

Read events from an event log, log file or using structured query.

Usage:

wevtutil { qe | query-events }  [/OPTION:VALUE [/OPTION:VALUE] ...]


By default, you provide a log name for the  parameter. However, if you use
the /lf option, you must provide the path to a log file for the  parameter.
If you use the /sq parameter, you must provide the path to a file containing a
structured query. 

Options:

You can use either the short (for example, /f) or long (for example, /format) 
version of the option names. Options and their values are not case-sensitive.

/{lf | logfile}:[true|false]
If true,  is the full path to a log file.

/{sq | structuredquery}:[true|false]
If true,  is the full path to a file that contains a structured query.

/{q | query}:VALUE
VALUE is an XPath query to filter events read. If not specified, all events will 
be returned. This option is not available when /sq is true.

/{bm | bookmark}:VALUE
VALUE is the full path to a file that contains a bookmark from a previous query.

/{sbm | savebookmark}:VALUE
VALUE is the full path to a file in which to save a bookmark of this query. The 
file extension should be .xml.

/{rd | reversedirection}:[true|false]
Event read direction. If true, the most recent events are returned first.

/{f | format}:[XML|Text|RenderedXml]
The default value is XML. If Text is specified, prints events in an
easy to read text format, rather than in XML format. If RenderedXml, prints 
events in XML format with rendering information. Note that printing events in 
Text or RenderedXml formats is slower than printing in XML format.

/{l | locale}:VALUE
VALUE is a locale string to print event text in a specific locale. Only available 
when printing events in text format using the /f option.

/{c | count}:
Maximum number of events to read.

/{e | element}:VALUE
When outputting event XML, include a root element to produce well-formed XML.
VALUE is the string you want within the root element. For example, specifying
/e:root would result in output XML with the root element pair .


Example:

The following example displays the three most recent events from the Application 
log in text format.

wevtutil qe Application /c:3 /rd:true /f:text

Read cache operation completed. Id: %1 Operation/Function: %2 Length: %3 Disk Offset: %4 Relative Offset: %5 Cache Offset: ... Read Cache Totals Allocated : %1!-8I64u! ( 1!-8I64x!) Populated : %2!-8I64u! ( 2!-8I64x!) In Error : %3!-8I64u! ( 3!-8I64x!) ... Read chunk metadata (Stream %1, CurrentOffset %2, AdjustedFinalOffset %3, FirstChunkByteOffset %4, ChunkRequestsEndOffset ... Read DNS Name Resolution Policy Table: Key Name %1: DNSSEC Settings: DnsSecValidationRequired %2, DnsQueryOverIPSec %3, DnsEncryption ... Read events from an event log, log file or using structured query. Usage: wevtutil { qe | query-events } /OPTION:VALUE /OPTION:VALUE ... Read Operations Random/sec counts the rate at which, on a file-by-file basis, reads are made that are not sequential. If ... Read Operations/sec is the rate the server is performing file read operations for the clients on this CPU. This value is ... Read Packets Small/sec is the rate at which reads less than one-fourth of the server's negotiated buffer size are made by ... Read Packets/sec is the rate at which read packets are being placed on the network. Each time a single packet is sent with ...