Powershell search by single and multiple keyword - powershell

I have some commands below that do not give any output when looking for specific keywords in Windows Logs using PowerShell.
Get-WinEvent -FilterHashtable @{LogName="Application"} | Select-String "Information"
However, if I only run Get-WinEvent -FilterHashtable @{LogName="Application"}, there are many entries with the Information keyword. Select-String -pattern "Information" also does not work.
Ideally I'd like to search for multiple keywords in the above scenario.

You need to do:
Get-WinEvent -FilterHashtable @{LogName="Application"} | ? { $_.leveldisplayname -eq 'Information' }
The Information you're looking for is a property of the object. The Get-WinEvent cmdlet returns a collection of objects, so you need to add the Where-Object or ? to filter on the LevelDisplayName object property.
To answer your new questions:
The leveldisplayname is going to be Information, Error or Warning. You can add either of these or use logic to combine them. In order to search for keywords in a message, using a regex is probably the best approach:
Get-WinEvent -FilterHashtable @{LogName="Application"} | ? message -imatch "keyword1"
To search multiple keywords, you can modify the regex using the OR | operator:
Get-WinEvent -FilterHashtable @{LogName="Application"} | ? message -imatch "keyword1|keyword2|foo|bar"
If you wanted to search for all Error messages containing "foo" or "bar" you could do:
Get-WinEvent -FilterHashtable @{LogName="Application"} | ? { ($_.message -imatch "foo|bar") -and ($_.leveldisplayname -eq 'Error') }
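An added example, not code from the answer above, that packages the same idea into a reusable function: the event log record is an object, so the filter is applied to its LevelDisplayName and Message properties with Where-Object rather than to the stringified object with Select-String (which only sees the type name, hence no output). The function name, parameter names and the keyword list below are assumptions for illustration; it assumes Windows PowerShell 5.1 or later with read access to the Application log.

```powershell
# Added example (not from the answer above): filter Application-log events by level and
# by one or more literal keywords, the way an analyst triaging a host would.
function Find-EventByKeyword {
    [CmdletBinding()]
    param(
        [string]   $LogName   = 'Application',
        [string[]] $Keyword,                           # one or more literal keywords
        [string[]] $Level     = @('Error', 'Warning'), # LevelDisplayName values to keep
        [int]      $MaxEvents = 500
    )

    # Build one regex from the keyword list: escape each keyword so that "C:\" or "foo.bar"
    # is matched literally, then join the pieces with the alternation operator '|'.
    $pattern = ($Keyword | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were found" as an error
    Get-WinEvent -FilterHashtable @{ LogName = $LogName } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            # Filter on object properties; Select-String would only see the object's ToString()
            $_.LevelDisplayName -in $Level -and $_.Message -imatch $pattern
        } |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
            @{ n = 'Matched'; e = { ([regex]::Matches($_.Message, $pattern, 'IgnoreCase').Value | Select-Object -Unique) -join ',' } }
}

# Usage: errors or warnings whose message mentions either keyword (keywords are made up)
Find-EventByKeyword -Keyword 'access denied', 'failed' | Format-Table -AutoSize
```

The Matched column shows which keyword(s) fired, which is what you want when the same query is reused as a quick detection across several hosts. Level numbers map as 2 = Error, 3 = Warning, 4 = Information if you later move the level test into the -FilterHashtable (key Level), which filters on the server side and is faster than Where-Object.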

Related

Extracting part of a host name with select-object

I have a simple PowerShell function where I provide the log type and event and it scans all of our SQL servers. It works, except the host name is returned as hostname.domain.local. I want it to return just the host name. I've tried machinename.split('.') and substring and it won't work. I've tried putting the select-object into a separate variable and was going to join it with the rest of the columns, but it takes too long to run.
Here is my sample scrap code I'm testing with before I change my function, along with the commented-out parts that didn't work. I looked around and found lots of resources about the commands, but they don't work when I try to use them in my script.
The error I keep getting is A positional parameter cannot be found that accepts argument '. '.
$servers = Get-Content -literalpath "C:\temp\sql_servers3.txt"
#$server
#$result =
ForEach($box in $servers) {Get-Eventlog -ComputerName $box -LogName application -After 1-4-2018 -Entrytype Error | Where {$_.source -notin 'Perfnet','Perflib', 'ntfs', 'vss'} | select-object -property MachineName}
#$result_Host_name = select-object -inputobject $result -property 'MachineName'
#'TimeGenerated', 'MachineName'.Split('.')[1], 'EventID','message'}
#| Where {$_.source -notin 'Perfnet','Perflib', 'ntfs', 'vss'} 0
#return $result_Host_name
What you are looking for is a "Calculated Property" when using Select-Object.
| Select-Object @{n='HostName';e={($_.MachineName -split '\.')[0]}}
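An added example, not the answer's own code, showing the calculated property in the context of the questioner's loop: the whole row (time, short host name, event ID, source, message) comes out of one Select-Object, so there is no need for a second pass to join columns. The function name and parameter names are assumptions; the file path, date and source exclusion list are the ones from the question, and Get-EventLog is the classic cmdlet of Windows PowerShell 5.1.

```powershell
# Added example (not from the answer above): the questioner's loop rewritten so the output
# carries a short host name via a calculated property alongside the other columns.
function Get-SqlServerErrors {
    param(
        [string]   $ServerListPath = 'C:\temp\sql_servers3.txt',
        [datetime] $After          = '2018-01-04',
        [string[]] $IgnoreSource   = @('Perfnet', 'Perflib', 'ntfs', 'vss')
    )

    $servers = Get-Content -LiteralPath $ServerListPath

    foreach ($box in $servers) {
        # The calculated property splits the FQDN on a literal dot (regex-escaped as '\.')
        # and keeps the first label; a bare NetBIOS name has no dot and passes through unchanged.
        Get-EventLog -ComputerName $box -LogName Application -After $After -EntryType Error |
            Where-Object { $_.Source -notin $IgnoreSource } |
            Select-Object TimeGenerated,
                          @{ n = 'HostName'; e = { ($_.MachineName -split '\.')[0] } },
                          EventID,
                          Source,
                          Message
    }
}

Get-SqlServerErrors | Format-Table -AutoSize
```

If the remote calls are the slow part, the filtering itself is not the cause; Get-EventLog pulls the entries over RPC and filters client-side, so keep -After as tight as the task allows.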

PowerShell Get-WinEvent Data Query

Trying to write a script to retrieve all the details for events being triggered for a certain issue.
The events that have been seen within the event viewer have no Event ID's etc. that would help to filter the results.
The only data I can potentially use is contained within the EventData section with "Married"
Get-WinEvent @{LogName='Application';Level=2} | Where {$_.ProviderName -eq 'BizTalk Server' -and $_.Message -contains 'Marri'}
I'm not sure if the $_.Message is looking at the EventData section.. any advice?
So this isn't a fully working solution but it should give you an output of data that provides you with insight on what to use.
I can't really do it for you completely because I don't have the data to test with.
$events = Get-WinEvent -FilterHashTable @{LogName = "Application";Level=2} -MaxEvents 50 | where {$_.Message -like '*'}
foreach($event in $events){
    "-"*150
    $eventXML = [xml]$event.ToXml()
    #if there is data in the XML
    if($eventXML.Event.EventData.data -like '*Marri*'){
        $event.Message
        $event | gm
        write-host $event
        write-host $eventXML.Event.EventData.data -ForegroundColor Green
    }
    "-"*150
}
I don't really understand what you mean with the count / date time part.
You could display the time and provider like so:
$events = Get-WinEvent -FilterHashTable @{LogName = "Application";Level=2} -MaxEvents 50 |
    where {$_.Message -like '*'}
foreach($event in $events){
    "-"*50
    $event.TimeCreated
    $event.ProviderName
    $event.Message
    "-"*50
}
I don't know where in eventdata "married" is, but in powershell 6 you can do something like this and use -filterhashtable on eventdata named data fields. Providername can be in the hashtable as well.
Get-WinEvent @{LogName='Application'; Level=2;
    providername='biztalk server'; status='married'}
An example that works for me:
get-winevent @{ logname = 'application'; param2 = 'suppressduplicateduration' }
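An added example, not the answer's own code, for the Windows PowerShell 5.1 case where the named-field hashtable keys are not available: it converts each event's EventData into a name/value hashtable through ToXml() (named fields keep their Name attribute, unnamed ones are numbered) and then matches the keyword against every field, reporting which field hit. The two function names are assumptions; 'BizTalk Server' and 'Marri' are the values from the question.

```powershell
# Added example (not from the answer above): parse EventData into a hashtable and filter on it.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)

    $xml  = [xml]$Event.ToXml()
    $data = @{}
    # Events that use <UserData> instead of <EventData> have no Data elements to read
    if ($null -eq $xml.Event.EventData) { return $data }

    $i = 0
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d -is [System.Xml.XmlElement]) {
            # Named field: <Data Name="status">married</Data>; unnamed: <Data>text</Data>
            $name  = if ($d.HasAttribute('Name')) { $d.GetAttribute('Name') } else { "Data$i" }
            $value = $d.InnerText
        } else {
            # A Data element with text only and no attributes surfaces as a plain string
            $name  = "Data$i"
            $value = [string]$d
        }
        $data[$name] = $value
        $i++
    }
    return $data
}

function Find-EventByData {
    param(
        [string] $LogName   = 'Application',
        [int]    $Level     = 2,               # 2 = Error
        [string] $Provider  = 'BizTalk Server',
        [string] $Keyword   = 'Marri',
        [int]    $MaxEvents = 200
    )

    # Log, level and provider are filtered server-side; the EventData match is client-side
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = $Level; ProviderName = $Provider } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt    = $_
            $fields = Get-EventDataField -Event $evt
            $hit    = $fields.GetEnumerator() | Where-Object { $_.Value -like "*$Keyword*" }
            if ($hit) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    Id          = $evt.Id
                    Field       = ($hit.Key -join ',')
                    Value       = ($hit.Value -join ' | ')
                    Message     = $evt.Message
                }
            }
        }
}

Find-EventByData | Format-List
```

Once the Field column tells you which named field carries the value, that name is exactly the key to use in the PowerShell 6+ -FilterHashtable form shown above, which moves the match to the server side.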

Get events from yesterday

I am trying to use PowerShell to get the results from the TaskScheduler events since yesterday. This is my code:
Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational -MaxEvents 5 |
Where-Object ($_.TimeCreated -gt [DateTime]::Today.AddDays(-1))
Format-List *
Notes:
The -MaxEvents 5 is to limit output while I am developing.
When I remove the Where-object the cmdlet returns a full list. This is expected since no filtering is applied. So the error must be in the way the filtering is being done.
You can use the FilterHashTable property of Get-WinEvent to filter, it will be faster than retrieving all the events and then filtering only those you want.
This retrieves all events in the last day from the System log as I don't have any logging for TaskScheduler.
$date = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashTable @{ LogName = "System"; StartTime = $date;}
$events | Format-List
You can filter on pretty much any field in the event log - further info on this
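An added example, not the answer's own code, that applies the server-side filter to the Task Scheduler log named in the question and contrasts it with the client-side form. Two points about the question's snippet are worth seeing in working code: Where-Object takes a script block in braces, not parentheses, and the pipeline needs a pipe before Format-List. The function name and parameters are assumptions; the optional -Id parameter is left for the caller because the relevant event IDs depend on what is being investigated.

```powershell
# Added example (not from the answer above): time-bounded, server-side filtered query.
function Get-EventsSince {
    param(
        [string] $LogName   = 'Microsoft-Windows-TaskScheduler/Operational',
        [int]    $Days      = 1,
        [int[]]  $Id,                    # optional: restrict to these event IDs
        [int]    $MaxEvents = 1000
    )

    # StartTime/EndTime are evaluated once here, so every event is judged against the same window
    $filter = @{
        LogName   = $LogName
        StartTime = (Get-Date).AddDays(-$Days)
        EndTime   = Get-Date
    }
    # Only add the Id key when it was supplied; an empty value would make Get-WinEvent error out
    if ($Id) { $filter['Id'] = $Id }

    # Operational logs may need an elevated session; missing rights or no events are non-fatal here
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# The question's client-side version, corrected: braces around the filter and a pipe before Format-List.
# Note the different window: [DateTime]::Today.AddDays(-1) is midnight yesterday, while
# (Get-Date).AddDays(-1) above is a rolling 24 hours.
Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' -MaxEvents 5 |
    Where-Object { $_.TimeCreated -gt [DateTime]::Today.AddDays(-1) } |
    Format-List *

Get-EventsSince -Days 1 | Format-Table -AutoSize
```

With -FilterHashtable the time window is pushed into the event log query itself, so a large Operational log is not read in full and then discarded; -MaxEvents still applies after that filter and caps what comes back.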

Powershell select-string using -inputobject for HV replication

I'm trying to write a query of the replication status of our VMs. I would like to be more selective in what I'm looking for, however.
I can run this:
PS C:\Users\hc> Get-VMReplication -computername servername
and it'll return this:
Image 1
I'd like it to return the line in the list when there is a match, or nothing when there isn't. I've so far gotten it to select an item from the list by writing it as this:
PS C:\Users\hc> ((Get-VMReplication -computername servername | select-string -inputobject {$_.Health} -pattern "Normal") -like "Normal")
but it unfortunately only displays a list of Normal:
Image 2
Ultimately I would like it to list the column headings and the entire row if possible but I'm unsure as to where to go next. (Note that I've used the "Normal" pattern just so it would create entries in this list. The final product will look for "Warning" and "Critical".)
Don't use Select-String, use Where instead.
Get-VMReplication -computername servername | Where{ $_.Health -eq "Normal"}
Or later down the road it would look like:
Get-VMReplication -computername servername | Where{ $_.Health -eq "Warning" -or $_.Health -eq "Critical"}

PowerShell - Office365 Calendar REST API v1.0: Search by Subject

I am trying to use PowerShell to query a group calendar and return only a subset of the events based on a specific string in the Subject field.
Currently, I can use the following and get a listing of all of the events:
$events = Invoke-RestMethod -Uri "https://outlook.office365.com/api/v1.0/users/$calendar/calendarview?startDateTime=$(Get-Date)&endDateTime=$((Get-Date).AddDays(1))" -Credential $cred | foreach-object{$_.Value}
$events | Select-Object -Property Subject,Start,End | fl
This is where I get stuck. I am trying to filter these results to where I only return results where Subject -like '*string*'
However, I just cannot seem to get that to work on the Invoke-RestMethod line...
Any help would be GREATLY appreciated.
Bonus appreciation to anyone who can take the results of the Start and Stop times from this:
2016-04-25T13:00:00Z
to this:
4/25/2016
For reference, I have already tried this:
Get-Date $events.Start -Format 'MM/dd/yyyy'
Which gives this error:
Get-Date : Cannot convert 'System.Object[]' to the type
'System.DateTime' required by parameter 'Date'. Specified method is
not supported.
Because you're using a CalendarView (which is a filter of sorts) you can't apply another filter at the REST level so just filter the results eg
$events | Where-Object {$_.Subject -match 'string'} | Select-Object -Property Subject,Start,End | fl
or if you want to use wildcards
$events | Where-Object {$_.Subject -Like '*string*'} | Select-Object -Property Subject,Start,End | fl
With the Start Stop time just CAST them eg
$events | % {([DateTime]$_.Start).ToString("MM/dd/yyyy")}
Cheers
Glen
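An added example, not part of Glen's answer, that puts both pieces into one pipeline function: the subject filter runs client-side on the objects Invoke-RestMethod returned, and each event's Start/End string is converted individually, which is why the Get-Date error from the question (it was handed the whole Start array at once) does not occur. A constructed two-event sample stands in for the REST response so the logic runs offline; replace $events with the real result to use it live. The function names are assumptions. Note that 'MM/dd/yyyy' yields 04/25/2016; the 4/25/2016 form asked for is 'M/d/yyyy'.

```powershell
# Added example (not from the answer above): filter calendar events by subject and
# convert their ISO-8601 Start/End timestamps to short dates.
function ConvertTo-ShortDate {
    param([string] $Iso8601)
    # Parse culture-independently and keep the value in UTC (AdjustToUniversal), so the
    # calendar day does not shift when the script runs in a different time zone.
    $dt = [DateTime]::Parse($Iso8601, [cultureinfo]::InvariantCulture,
                            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    return $dt.ToString('M/d/yyyy', [cultureinfo]::InvariantCulture)
}

function Select-CalendarEvent {
    param(
        [Parameter(ValueFromPipeline)] [object] $Event,
        [string] $SubjectPattern = '*string*'     # wildcard pattern, as in the -like example above
    )
    process {
        if ($Event.Subject -like $SubjectPattern) {
            [pscustomobject]@{
                Subject  = $Event.Subject
                StartDay = ConvertTo-ShortDate $Event.Start
                EndDay   = ConvertTo-ShortDate $Event.End
            }
        }
    }
}

# Constructed sample shaped like the 'value' items of the v1.0 calendarview response
$events = @(
    [pscustomobject]@{ Subject = 'Team string review'; Start = '2016-04-25T13:00:00Z'; End = '2016-04-25T14:00:00Z' },
    [pscustomobject]@{ Subject = 'Unrelated meeting';  Start = '2016-04-26T09:00:00Z'; End = '2016-04-26T10:00:00Z' }
)

# Live use: $events = (Invoke-RestMethod -Uri $uri -Credential $cred).Value
$events | Select-CalendarEvent -SubjectPattern '*string*' | Format-Table -AutoSize
# The sample yields one row: Team string review  4/25/2016  4/25/2016
```

A plain [DateTime] cast, as in Glen's one-liner, converts the 'Z' timestamp to local time, which is fine for display but can move an event across midnight; the AdjustToUniversal parse keeps the day as the API reported it.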