Question

How do I get the events between 5:00 PM and 10 PM from Monday to Friday on one server?

This gives events for a time-span for a specific day.

Get-EventLog -LogName system | Where-Object {$_.TimeWritten -ge "2/5/14 00:00" -and $_.TimeWritten -le "2/7/14 00:00"}

And how can I then simultaneously sort custom-filtered events from multiple logs into one view? This method doesn't work with 'get-wineventlog'.

$time = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-12))

$sys = Get-WmiObject -Class win32_ntlogevent -filter "logfile = 'System' AND Sourcename = 'Srv' AND TimeGenerated>='$time'"|select -First 10

$app = Get-WmiObject -Class win32_ntlogevent -filter "logfile = 'Application' AND eventType < '3' AND TimeGenerated>='$time'"|select -First 10

$($sys + $app)|sort TimeWritten -Descending|select -Property logfile,EventCode,sourcename, Message| ft -AutoSize


Solution

If I am reading this right, you want to comb the logs for entries between 5PM and 10PM each night from Monday to Friday. For this I would use Get-EventLog like you started to do. This script will iterate from the start date specified for 5 days and pull the logs as described by the filters from 5PM to 10PM each day. It also adds a LogFile element to each item to state if it came from the System or Applications log.

$StartDate = Get-Date "2/5/14"
$TargetComputer = "BP1XEUTS399"
$Logs = @()
For($i=0;$i -lt 5;$i++){
    $TargetDate = $StartDate.AddDays($i)
    $From = $TargetDate.AddHours(17)
    $To = $From.AddHours(5)

    #Remember what Error Actions is currently set to, and then set it to silent to avoid errors thrown when no log entries are found due to filters
    $CurErrAct = $ErrorActionPreference
    $ErrorActionPreference = "SilentlyContinue"

    $Sys = Get-EventLog -Log System -After $From -Before $To -Source "Srv"
    $Sys|%{$_|Add-Member -MemberType NoteProperty -Name "LogFile" -Value "System"}
    $Apps = Get-EventLog -Log Application -ComputerName $TargetComputer -After $From -Before $To -EntryType Error,Warning
    $Apps|%{$_|Add-Member -MemberType NoteProperty -Name "LogFile" -Value "Applications"}
    $Logs += $Sys
    $Logs += $Apps

    #Set Error Actions back to what it was.
    $ErrorActionPreference = $CurErrAct
}
$Logs|FT -autosize LogFile,EntryType,Source,Message

A couple of notes: I replicated what you had in your question as closely as I could, so the System log being pulled is the local System log. The Applications log is on a remote computer. If you want to pull the System log on the same computer, add -ComputerName $TargetComputer to the $Sys = Get-EventLog line.
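
As an added example (not part of the original answer): the same 5 PM to 10 PM window restricted to Monday through Friday, using Get-WinEvent so both logs are queried on the same computer and merged into one sorted view. `SERVER01`, the function name and the date range are placeholders, and it assumes the question's 'Srv' source is also the provider name Get-WinEvent sees.

```powershell
# Added example, not from the original answer. The computer name and date range
# are placeholders; 'Srv' and the Error/Warning filter come from the question.
function Get-AfterHoursEvent {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $StartDate,
        [datetime] $EndDate,
        [int]      $FromHour = 17,   # 5 PM
        [int]      $ToHour   = 22    # 10 PM
    )

    for ($day = $StartDate.Date; $day -le $EndDate.Date; $day = $day.AddDays(1)) {
        # DayOfWeek: Sunday = 0 ... Saturday = 6, so 1..5 is Monday to Friday
        $dow = [int]$day.DayOfWeek
        if ($dow -lt 1 -or $dow -gt 5) { continue }

        $window = @{ StartTime = $day.AddHours($FromHour); EndTime = $day.AddHours($ToHour) }

        # One filter per log; the time window is applied by the event log service,
        # so only matching records are returned
        $filters = @(
            (@{ LogName = 'System'; ProviderName = 'Srv' } + $window),
            (@{ LogName = 'Application'; Level = 2, 3 } + $window)   # 2 = Error, 3 = Warning
        )

        foreach ($filter in $filters) {
            # "No events were found" is reported as an error; suppress it for this call only
            Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
        }
    }
}

# 2014-02-03 is a Monday and 2014-02-07 a Friday; any range works, weekends are skipped
Get-AfterHoursEvent -ComputerName 'SERVER01' -StartDate '2014-02-03' -EndDate '2014-02-07' |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, LogName, LevelDisplayName, ProviderName, Id, Message -AutoSize
```

-ErrorAction SilentlyContinue also suppresses other non-terminating errors from the query, so remove it when a window that should contain events comes back empty.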

Licensed under: CC-BY-SA with attribution