Troubleshooting errors in SharePoint with PowerShell using Get-SPLogEvent and Merge-SPLogFile
When a user tells you that he got an error in a SharePoint portal, you ask which page he was on, which buttons he clicked and, if the user hasn't closed the browser yet, ask him to send you a screenshot of the error. It contains a very useful piece of information: the Correlation ID.
In SharePoint 2010 the Correlation ID is a GUID that helps you identify the log records belonging to a process. One of the columns of the ULS log is "Correlation".
When I was looking for information about using the SharePoint PowerShell command "Get-SPLogEvent", I found a good article at http://zimmergren.net/technical/sp-2010-find-error-messages-with-a-correlation-id-token-in-sharepoint-2010. This post was about how to easily get the log records about an error in SharePoint using "Get-SPLogEvent" if you know the GUID.
Get-SPLogEvent | ?{$_.Correlation -eq "<GUID>" }
The result of this command is:
By default the data is shown as a table without the Message column, which is useless. I advise you to use Format-List (FL) to get useful information.
"One of the quick-n-awesome ways", the site says. It's even true if your SharePoint farm is small or even smaller. In my SharePoint farm I have 3 front-end servers and 2 application servers (for search services, importing profiles and other tools), and more than 3k users actively use it. On the front-ends each log file that SharePoint creates every 30 minutes is about 50Mb, on the application servers about 150Mb. And I have logs for the last two weeks. So I have more than 600 files on each server.
Of course I can reduce their number if I set the retention time to 7 days instead of 14, for example. But it's still too many files.
If you have a SharePoint farm with parameters like mine, then try to execute "Get-SPLogEvent | ?{$_.Correlation -eq "<GUID>" }" and you will see how quick it is. It takes at least half an hour to get the data, and it puts a noticeable load on your resources.
Get-SPLogEvent gets data only from the local machine. If you have more than 1 server or you don't know, you need to know on which one the process occurred.
If you have more than 1 front-end and you don't want to browse the logs on all servers, you should use the command "Merge-SPLogFile": it merges the records from the log files of all servers in a farm into one file.
This command wouldn't be good enough if it didn't have parameters such as StartTime, EndTime and Correlation. They allow you to extract only the records that you need.
To get information about an event that happened, for example, at "04/10/2013 11:14:07" and had the correlation id "4775109c-3879-e0e4-780a-57292b7dc3ad", you should use syntax like this:
Merge-SPLogFile -StartTime "04/10/2013 11:00" -EndTime "04/10/2013 12:00" -Correlation '4775109c-3879-e0e4-780a-57292b7dc3ad' -Path c:\logsAboutError.txt
I set the time interval to 1 hour because events could go on for some time. It's less than 1 hour; I think it's even less than 1 minute. I use StartTime and EndTime just to reduce the number of requests to log files while searching for the correlation id. Without StartTime and EndTime your request will load your system and will take a long time.
If you want to collect logs not only about the error but also from some time before and after it, I advise you to use StartTime equal to the event time - 1 hour and EndTime equal to the event time + 1 hour.
I'd like to note one thing. It's rather strange, but if you set StartTime and EndTime before Correlation, it will take less time to get the result.
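The steps above (a time window around the event, one merged file for the whole farm, list output so that Message is readable) can be wrapped in one function. This is an added example, not code from the original post or from the linked article; the function name Get-FarmLogByCorrelation is hypothetical, and it assumes the merged file is tab-delimited with a header row, like a ULS log.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell on a farm server.
# Get-FarmLogByCorrelation is a hypothetical helper name, not a SharePoint cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-FarmLogByCorrelation {
    param(
        [Parameter(Mandatory=$true)] [datetime] $EventTime,
        [Parameter(Mandatory=$true)] [guid]     $CorrelationId,
        [int]    $WindowMinutes = 60,               # event time -/+ 1 hour
        [string] $Path = 'c:\logsAboutError.txt'
    )

    # Bound the search in time so each server only reads the log files
    # that cover the window instead of two weeks of them.
    $start = $EventTime.AddMinutes(-$WindowMinutes)
    $end   = $EventTime.AddMinutes($WindowMinutes)
    Merge-SPLogFile -StartTime $start -EndTime $end `
        -Correlation $CorrelationId -Path $Path -Overwrite

    if (-not (Test-Path $Path)) {
        Write-Warning "No merged file at $Path; widen the window or check the id."
        return
    }
    $lines = @(Get-Content -Path $Path)
    if ($lines.Count -lt 2) {
        Write-Warning "Merged file has no records for $CorrelationId."
        return
    }

    # Assumption: first line is a tab-separated header. Names are trimmed
    # because ULS headers are padded with spaces.
    $names = @($lines[0].Split("`t") | ForEach-Object { $_.Trim() })
    foreach ($line in $lines[1..($lines.Count - 1)]) {
        $cells  = $line.Split("`t")
        $record = @{}
        for ($i = 0; $i -lt $names.Count -and $i -lt $cells.Count; $i++) {
            $record[$names[$i]] = $cells[$i].Trim()
        }
        New-Object PSObject -Property $record   # one object per log record
    }
}

# Values from the post; Format-List prints the whole Message of each record.
Get-FarmLogByCorrelation -EventTime '04/10/2013 11:14:07' `
    -CorrelationId '4775109c-3879-e0e4-780a-57292b7dc3ad' | Format-List
```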