So I ran into a situation last week where I wanted to filter the event log in Vista to only show events in the Application log that contained the string msnmsgr.exe. Alas, this was not as easy as alt-clicking and adding to the keywords. I thought it would have been; in any case, this is how you would filter the event log for such an instance. One caveat: the data string must match exactly (no wildcards) and must be present in the XML of the event.
1) Alt-click the app log
2) Choose “Filter Current Log”
3) Click the XML tab and select “edit query manually”
<Query Id="0" Path="Application">
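A complete structured query of the kind these steps lead to, shown as an added example and not the post's own code. The `Select` expression, the helper name `Test-ExactDataMatch` and both sample events are assumptions constructed for illustration. The helper shows the exact-match caveat on the sample events before the query is run against the live log.

```powershell
# Added example (not from the original post).
# Structured query: Application log events that carry a <Data> element
# whose entire text is 'msnmsgr.exe'. The same text can be pasted into
# the XML tab of "Filter Current Log".
$query = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[EventData[Data='msnmsgr.exe']]</Select>
  </Query>
</QueryList>
'@

# Constructed sample events (not real log output).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$exact = "<Event xmlns='$ns'><System><EventID>1000</EventID></System>" +
         "<EventData><Data>msnmsgr.exe</Data><Data>1.0.0.0</Data></EventData></Event>"
$pathOnly = "<Event xmlns='$ns'><System><EventID>1000</EventID></System>" +
            "<EventData><Data>C:\Example\msnmsgr.exe</Data></EventData></Event>"

# Hypothetical helper: true only when some <Data> element equals $Value as a
# whole string, which is the behaviour the caveat describes (no wildcards).
function Test-ExactDataMatch {
    param([string]$EventXml, [string]$Value)
    $doc = [xml]$EventXml
    $mgr = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $mgr.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $mgr)) {
        if ($d.InnerText -ceq $Value) { return $true }
    }
    return $false
}

# The bare name in its own <Data> element is a whole-string match; the same
# name embedded in a longer path is not.
Test-ExactDataMatch $exact 'msnmsgr.exe'
Test-ExactDataMatch $pathOnly 'msnmsgr.exe'

# Run the same query against the local Application log. An empty result is
# reported as a non-terminating error, suppressed here.
Get-WinEvent -FilterXml $query -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
```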