PowerShell Script – How to get Windows log events with Get-WinEvent for a date range

27 January, 2016 by Jack Vamvas

Question: How can I return a Windows Event Logs recordset within a date range? I’m troubleshooting a recurring issue across certain servers, and needed a PowerShell scripted method of returning Windows Events from the System event log, filtered by event ID, start date and end date.

Answer: For filtering event log details I use the Get-WinEvent PowerShell cmdlet. The -FilterHashtable parameter takes a hashtable of filter keys (log name, event ID, start time, end time). Let’s look at some basic examples.

Example 1: Find all events in the System log with event ID 36874 between 01/12/15 and 21/12/15

Get-WinEvent -FilterHashtable @{logname='system';id=36874;StartTime="01/12/15";EndTime="21/12/15"}

Example 2: Find all events in the Application log with event ID 256 within a date range

Get-WinEvent -FilterHashtable @{logname='application';id=256;StartTime="01/01/16";EndTime="21/01/16"}

Example 3: Find all events in the Application log with event ID 256 within a date range and limit the results to 10

Get-WinEvent -FilterHashtable @{logname='application';id=256;StartTime="01/01/16";EndTime="21/01/16"} -MaxEvents 10

These Get-WinEvent examples will get you started on extracting Windows Events. One of the interesting things about Get-WinEvent is its capacity to extract messages from different event log providers.

Use the -ListLog parameter of the Get-WinEvent PowerShell cmdlet to list the logs on a machine. You’ll be amazed at the number of log sets and types available. There is great potential in combining result sets from different logs when troubleshooting.

Get-WinEvent -ListLog *
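
The following is an added example, not code from the original article: it runs one date-range filter against several logs and servers and merges the results into a single timeline. The function name Get-EventsInRange, its parameters and the sample values are assumptions made for illustration; the dates are ISO 8601 literals because short strings such as "01/12/15" read differently under day-first and month-first regional settings.

```powershell
# Added example: date-range query over several logs, merged into one timeline.
# Get-EventsInRange is a hypothetical helper, not part of PowerShell or the article.
function Get-EventsInRange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $LogName,
        [Parameter(Mandatory)] [datetime] $StartTime,
        [Parameter(Mandatory)] [datetime] $EndTime,
        [int[]]    $Id,
        [string[]] $ComputerName = @('localhost'),
        [int]      $MaxEvents = 0      # 0 = no limit; the limit applies per computer
    )

    if ($EndTime -le $StartTime) {
        throw "EndTime ($EndTime) must be later than StartTime ($StartTime)."
    }

    # LogName and Id accept arrays, so one hashtable covers several logs and IDs.
    $filter = @{ LogName = $LogName; StartTime = $StartTime; EndTime = $EndTime }
    if ($Id) { $filter.Id = $Id }

    $results = foreach ($computer in $ComputerName) {
        $params = @{ FilterHashtable = $filter; ComputerName = $computer; ErrorAction = 'Stop' }
        if ($MaxEvents -gt 0) { $params.MaxEvents = $MaxEvents }
        try {
            Get-WinEvent @params
        }
        catch {
            # An empty result is reported as an error; treat it as "nothing to return".
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            # Anything else (access denied, host unreachable) is surfaced per server.
            Write-Warning "Query failed on ${computer}: $($_.Exception.Message)"
        }
    }

    # One chronological view across all logs and servers.
    $results | Sort-Object TimeCreated |
        Select-Object TimeCreated, MachineName, LogName, Id, LevelDisplayName, ProviderName, Message
}

# Constructed sample call: ISO 8601 dates parse the same way on every machine.
$from = [datetime]'2016-01-01'
$to   = [datetime]'2016-01-21'
Get-EventsInRange -LogName 'System', 'Application' -StartTime $from -EndTime $to -MaxEvents 10
```
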

The alternative way of extracting Windows Event Logs is via the Get-EventLog cmdlet. Although it is easier to learn, it doesn't have the same breadth of filtering capacity.

Powershell Get-EventLog and Event Log messages - SQL Server DBA

 


 


Author: Jack Vamvas (http://www.sqlserver-dba.com)

