So I was trying to grab the username (Account Name) from the "Account For Which Logon Failed:"
section of this Get-WinEvent output and I found some info on replacement strings.
The below one-liner gets the info I want, I'm just not sure how it works, i.e.
how do I find out which portion of the output corresponds to a replacement string number?
In this case, the "Account Name" for the second section corresponds to 5.
get-winevent -computername fs1 -FilterHashtable @{Logname='Security';Id='4625'} |select timecreated, message, machinename, eventid, @{n='AccountName';e={$_.ReplacementStrings[5]}}
TimeCreated  : 5/18/2016 8:55:43 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4625
Message      : An account failed to log on.

               Subject:
                   Security ID:     S-1-5-21-1287344763-2688370722-3395302928-19873
                   Account Name:    service_adfs
                   Account Domain:  DOMAIN
                   Logon ID:        0xD62E4

               Logon Type:          3

               Account For Which Logon Failed:
                   Security ID:     S-1-0-0
                   Account Name:    user.thatiwant@DOMAIN.com
                   Account Domain:
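
An added example, not part of the original post: one way to see which index belongs to which field is to list the named `<Data>` elements of the event's XML in order, since that order is the order of the record's `Properties` collection (and of the replacement strings). The function name `Get-EventDataIndex` and the sample XML are constructed for illustration, with values taken from the output above and the list cut off after index 5.

```powershell
# Constructed sample: the first six <Data> elements of a 4625 event in the
# shape that EventLogRecord.ToXml() returns, using values from the post.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1287344763-2688370722-3395302928-19873</Data>
    <Data Name="SubjectUserName">service_adfs</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0xd62e4</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">user.thatiwant@DOMAIN.com</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: emits one object per <Data> element with its position,
# so the index used in a one-liner can be matched to a field name.
function Get-EventDataIndex {
    param([Parameter(Mandatory)][string]$EventXml)

    # @() keeps a single <Data> element from collapsing to a scalar.
    $data = @(([xml]$EventXml).Event.EventData.Data)
    for ($i = 0; $i -lt $data.Count; $i++) {
        [pscustomobject]@{
            Index = $i
            Name  = $data[$i].GetAttribute('Name')
            Value = $data[$i].InnerText
        }
    }
}

Get-EventDataIndex -EventXml $sampleXml | Format-Table -AutoSize

# Against a live log (not run here), pass the record's own XML:
# $e = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1
# Get-EventDataIndex -EventXml $e.ToXml()
```

Selecting by `Name` (here `TargetUserName`) instead of by position keeps a query readable and avoids depending on the field order of a particular event ID.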