Searching through ULS logs for a correllation ID (Merge-SPlogFile)

As tempting as it is to start opening ULS logs that surround the time of your correlation ID, you should avoid that practice, unless you have lots of time on your hands.

Here is an easier and more effective way to get at your issue:

Use the Merge-SPLogFile

Merge-SPLogFile -Path <String> [-Area <String[]>] [-AssignmentCollection <SPAssignmentCollection>] [-Category <String[]>] [-ContextFilter <String[]>] [-Correlation <Guid[]>] [-EndTime <DateTime>] [-EventID <String[]>] [-ExcludeNestedCorrelation <SwitchParameter>] [-Level <String>] [-Message <String[]>] [-Overwrite <SwitchParameter>] [-Process <String[]>] [-StartTime <DateTime>] [-ThreadID <UInt32[]>]

You must specify the Path parameter so that a file can be created that holds just the lines that correspond to your search criteria.

You can search of a string of text using the -message parameter and it accepts wildcards (*)

It looks through all your log files and returns just the lines containing your search criteria.

This example looks through all servers in your farm and merges the logs for correlation id ‘B4BBAC41-27C7-4B3A-AE33-4192B6C1E2C5 that occurred between 4 and 415 pm

Merge-SPLogFile –Path "C:\Logs\FarmMergedLog.log" -Correlation B4BBAC41-27C7-4B3A-AE33-4192B6C1E2C5 –StartTime "05/01/1967 16:00" – EndTime "05/01/1967 16:15"


Check out this blog for yet another way to peel this egg, get-splogevent: