Finds SharePoint ULS logs with request URLs

Get-SPLogEventWithUrl.ps1

<#
.SYNOPSIS
Gets SharePoint ULS logs along with the request URL given a set of criteria.

.DESCRIPTION
The request URL is not available on every ULS log entry. If you want the request
URL, this command can provide it.  It basically finds the log entry or entries
based on the criteria provided and then looks back up to 2 minutes in the logs
for a "Name=" message with the same correlation.  If if finds one, it provides
that message which contains the request URL.

When using this command, it is highly recommended that you provide a StartTime,
EndTime, and/or MinimumLevel.  Those are the only parameters that limit the initial
query.  The other parameters (Process, ThreadID, Area, Category, EventID, Message,
and Correlation) are processed in a loop and therefore are quite inefficient.

The MinimumLevel defaults to "VerboseEx".  Other options are: Verbose, Medium
High, Monitorable, and Unexpected.

All parameters other than the StartTime, EndTime, and MinimumLevel are used in
a like clause.  Basically you just need to provide portion of the CorrelationID,
for example.

.EXAMPLE
.\Get-SPLogEventWithUrl.ps1 -Message "UserAgent" -MinimumLevel High -StartTime "2/6/2015" | Format-Table Timestamp,Correlation,Url

.Example
.\Get-SPLogEventWithUrl.ps1 -StartTime "2/6/2015 10:00 AM" -Correlation "841ce79c" | Out-File C:\LogOutput\output1.txt
#>

Param(
    [parameter(Mandatory=$false)][alias("start")]$StartTime=[System.DateTime]::MinValue,
    [Parameter(Mandatory=$false)][alias("end")]$EndTime=[System.DateTime]::MaxValue,
    [Parameter(Mandatory=$false)][alias("minlvl")]$MinimumLevel="VerboseEx",
    [Parameter(Mandatory=$false)][alias("proc")]$Process="",
    [Parameter(Mandatory=$false)][alias("thread")]$ThreadID="",
    [Parameter(Mandatory=$false)]$Area="",
    [Parameter(Mandatory=$false)][alias("cat")]$Category="",
    [Parameter(Mandatory=$false)][alias("evt")]$EventID="",
    [Parameter(Mandatory=$false)][alias("msg")]$Message="",
    [Parameter(Mandatory=$false)][alias("cor")]$Correlation=""
)

Add-PSSnapin Microsoft.SharePoint.PowerShell

# Get the event logs filtered based on StartTime, EndTime, and MinimumLevel
Get-SPLogEvent -StartTime $StartTime -EndTime $EndTime -MinimumLevel $MinimumLevel |

    # Process each event log item and further filter in a loop based on all of the other parameters
    ?{ $_.Process -like "*$($Process)*" -and
    $_.ThreadID -like "*$($ThreadID)*" -and
    $_.Area -like "*$($Area)*" -and
    $_.Category -like "*$($Category)*" -and
    $_.EventID -like "*$($EventID)*" -and
    $_.Message -like "*$($Message)*" -and
    $_.Correlation -like "*$($Correlation)*" } |
    ForEach-Object {

    # We found a hit - store the item into $logItem and default the $url to empty
    $logItem = $_
    $url = ""

    # Look back up to 2 minutes prior on the current Correlation to find the URL (Message starts with "Name=")
    $urlItems = get-splogevent -starttime $logItem.Timestamp.AddSeconds(-120) -endtime $logItem.Timestamp |
        ?{$_.Correlation -eq $logItem.Correlation -and $_.Message -like "Name=*"} |
        Select-Object -First 1

    if ($urlItems -and $urlItems.Length -ge 1) {
        # We found the URL
        $url = $urlItems[0].Message
    }

    # Create a new object that has all of the properties of an event log item PLUS our new Url property
    $obj = New-Object PSObject
    $obj | Add-Member Timestamp $logItem.Timestamp
    $obj | Add-Member Continuation $logItem.Continuation
    $obj | Add-Member Process $logItem.Process
    $obj | Add-Member ThreadID $logItem.ThreadID
    $obj | Add-Member Area $logItem.Area
    $obj | Add-Member Category $logItem.Category
    $obj | Add-Member EventID $logItem.EventID
    $obj | Add-Member Level $logItem.Level
    $obj | Add-Member Message $logItem.Message
    $obj | Add-Member Correlation $logItem.Correlation
    $obj | Add-Member Context $logItem.Context
    $obj | Add-Member Url $url

    # Write out the object we just created
    Write-Output $obj
}