Format-Table returning blank column

StackOverflow https://stackoverflow.com/questions/15407759

  •  23-03-2022
  •  | 
  •  

Question

I'm having trouble only displaying the Time column for a command.

Get-EventLog -log Security | where {$_.EventID -eq 4800 -or $_.EventID -eq 4801}

returns:

   Index Time          EntryType   Source                 InstanceID Message                                                                                                                  
   ----- ----          ---------   ------                 ---------- -------                                                                                                                  
  167513 Mar 14 10:31  SuccessA... Microsoft-Windows...         4801 The workstation was unlocked....                                                                                         
  167506 Mar 14 10:14  SuccessA... Microsoft-Windows...         4800 The workstation was locked....                                                                                           
  167499 Mar 14 10:08  SuccessA... Microsoft-Windows...         4801 The workstation was unlocked....

However if I only want to see the Time column I get nothing:

Get-EventLog -log Security | where {$.EventID -eq 4800 -or $.EventID -eq 4801} | Format-Table Time

Time                                                                                                                                                                                          
----

Any ideas?

Was it helpful?

Solution

It's blank because there are no such thing as a Time property. It's an alias used in the default view of Get-EventLog.

PS > Get-EventLog -LogName System | gm


   TypeName: System.Diagnostics.EventLogEntry#System/EventLog/2147489661

Name                      MemberType     Definition
----                      ----------     ----------  
....                                    
TimeGenerated             Property       datetime TimeGenerated {get;}
TimeWritten               Property       datetime TimeWritten {get;}
UserName                  Property       string UserName {get;}
EventID                   ScriptProperty System.Object EventID {get=$this.get_EventID() -band 0x...

Use Format-Table TimeGenerated to get the time when the event happend, and TimeWritten to get the time it was saved to the log.

The column Time in the default view is TimeGenerated formated like {0:MMM} {0:dd} {0:HH}:{0:mm}. You can see this in one of the format files in Powershell. For this case, it's in "C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml" :

.....
<ViewSelectedBy>
    <TypeName>System.Diagnostics.EventLogEntry</TypeName>
</ViewSelectedBy>
.....
<TableColumnHeader>
    <Label>Time</Label>
    <Width>13</Width>
</TableColumnHeader>
.....
<TableColumnItem>
    <PropertyName>TimeGenerated</PropertyName>
    <FormatString>{0:MMM} {0:dd} {0:HH}:{0:mm}</FormatString>
</TableColumnItem>
.....
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top